Despite debates about data privacy, three million Australians downloaded the new tracing app, COVIDSafe, within 72 hours of its launch by the Federal Government in April to help track the spread of coronavirus.
This rapid take-up suggests that many of us have become comfortable living with data “in the cloud” as we navigate our way around the web. We expect that our data will be protected, whilst we happily say ‘yes’ to cookies, do our banking online, and allow apps such as Twitter, Facebook and Skype to track our movements.
Governments have been playing catch up with legislation to protect online data. The European Union introduced its General Data Protection Regulation (GDPR) laws in 2016. Australia introduced its Notifiable Data Breach Scheme (NDBS) and mandatory reporting of data breaches in 2018.
Based on the significant increase in our daily online activity as a result of COVID-19, the Office of the Australian Information Commissioner (OAIC) has dedicated this year's Privacy Awareness Week (4-10 May) to rebooting your privacy. The OAIC has published some great tips and tricks on how to do this, and Fred is proud to be an official supporter.
Arguably, pharmacy is “ahead of the curve” on privacy because we live and breathe life-saving health data. The protection of our customers’ data – and our own data – is second nature. But the NDBS has two key implications for pharmacies:
- Because of the sensitivity of our health data, pharmacies are covered by the NDBS. This means pharmacies are expected to take steps to protect our customers’ data and our own.
- While the NDBS excludes businesses with a turnover of less than AU$3 million, it explicitly states that private sector health service providers, which includes pharmacies, are covered.
- We need to report all breaches that are likely to result in serious harm. This means letting the affected individuals know that their data has been breached AND reporting to the Office of the Australian Information Commissioner (OAIC).
The idea of losing data is stressful at any time (let alone in the middle of a public health crisis). Imagine if your customer databases were breached. Under the NDBS, you are required to notify every person who is potentially affected. This could mean contacting every patient you have dispensed to or sold to – potentially thousands of customers. The reputational damage is immense. Additionally, there are fines of up to $460K for civil offences and $2.1M for corporate offences for not reporting breaches as required.
Am I at risk of a data breach?
In Australia, February figures (1) show that 537 breaches were notified in the last six months of 2019. Of these, health was the highest reporting sector, with 22% of all breaches. Most breaches came from malicious or criminal attacks (64%), whilst human error contributed 32%, and system faults 4%.
Sadly, health data is often sought after due to its value on the dark web, making pharmacies and other health service providers a target for criminals.
What constitutes a data breach?
A data breach occurs when personal information that you hold is subject to unauthorised access or disclosure, or is lost.
Personal information is defined as data that is reasonably identifiable. Sometimes data that seems harmless, when combined with other data, may become identifiable and therefore potentially harmful if accessed by an unauthorised person.
Data breaches can be malicious (by someone within or outside the pharmacy), a result of human error, or a failure in information handling or security systems.
Data breaches can occur in the physical world as well as the virtual world.
Examples of data breaches include:
- Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information – e.g. prescriptions
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to ‘human error’, for example an email or prescription sent to the wrong person
- Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures (such as falling victim to a phishing email).
How do I protect against a data breach?
The key to protecting data is ensuring that only authorised people can access it. Thinking in the context of the three causes of a data breach will help you understand the risks and threats, and the actions to take in response. For the purpose of this article and its cyber security theme, we will focus on the virtual world.
Malicious or criminal attack
- You need to secure all your IT systems:
- Your PCs are running the latest and most secure operating system (i.e. Windows 10), patched and up to date
- You have cyber security tools in place, e.g. anti-virus, intrusion protection and detection, firewall, network monitoring
- You and your team are aware of common attack types such as phishing emails and texts, and know not to click on links in emails
- If you do use remote access tools, use complex passwords and multi-factor authentication
Human error
- Invest in cyber security training
- Double check details before sending information online or via email (e.g. Is the address correct? Is the right document attached?)
- Have clear and documented steps on how your team handles all personal information
System fault
- Admittedly this is difficult to combat, but the same rules apply: keep all hardware and software patched and up to date
What happens if you think there has been a data breach?
You have 30 days to report the breach, which gives you time to make a proper assessment of whether there has in fact been a breach and, if so, whether it is notifiable.
In many instances a cyber security incident does not necessarily amount to a data breach. In the example of a ransomware attack, while your PC and data have been encrypted, the data may not have left your network and may not have been viewed by an unauthorised person. While this can be difficult to tell even for IT professionals, they are best placed to give you an informed, expert opinion of what has happened and, importantly, to take the required actions to ensure the incident or breach is not ongoing, i.e. that your data is not still being accessed.
If there is evidence that data has been accessed, the next step is to determine whether it is personal information whose exposure could result in serious harm to the individual. Examples of serious harm include:
- Financial fraud including unauthorised credit card transactions or credit fraud
- Identity theft causing financial loss or emotional and psychological harm
- Family violence
- Physical harm or intimidation
This will help you determine whether the breach is notifiable; if it is, you are mandated to report the data breach to the individual(s) who are potentially affected and to the OAIC.
Use the 30 days to complete a thorough investigation and call on your IT provider so you can be certain as to the right course of action to take.
Navigating a potential notifiable data breach is complex, can be confusing, and is stressful. Please call on your IT providers to assist and refer to the OAIC website for further information.