How to deal with cyber incidents

The image is of hands against a dark background, holding a neon warning sign of a triangle with an exclamation mark inside.

RISK MANAGEMENT

Cyber incidents are a growing threat to healthcare practices. Ashlee Sherman and Scott Shelly of Barry Nilsson Lawyers and the APA’s insurance partner BMS explore what this means for physiotherapists.

While cyber risks may not be front of mind in day-to-day practice, it’s important to be aware that they exist, especially in the healthcare industry.

In the most recent report by the Australian Cyber Security Centre, the healthcare and social assistance sectors were found to have the highest number of cybersecurity incidents (after government sectors) in Australia between 2021 and 2022.

What are the risks?

Imagine that a physiotherapist arrives at their practice one morning, only to discover that they can’t access their online systems.

They can no longer see their patients’ health information or the details of upcoming appointments.

Suddenly they don’t have the information required to perform their work.

How could this affect their patients? Their business? Their reputation?

If a cyber incident results in a security or privacy breach, it could cause patient harm.

This poses the risk of potential claims and/or complaints from current or previous patients who have been affected.

According to the Australian Digital Health Agency, personal health information is an attractive target to cybercriminals.

Individual health data is considered to be more valuable than other types of data.

Additional risks may include the following:

  •  financial loss
  • disruption to business operations
  • potential damage to a practice’s reputation.

What are physiotherapists’ legal obligations?

When handling health information, health service providers in Australia are required to:

  • take reasonable steps to protect personal information (including health information) they hold from misuse, interference and loss as well as unauthorised access, modification or disclosure
  • take active measures to ensure the security of personal information they hold and actively consider whether they are permitted to retain personal information
  • advise patients why their health information is being collected as well as how the health information will be stored and protected
  • advise patients if there are any other parties their health information may be disclosed to
  • maintain a privacy policy that includes a summary of how the health service provider handles health information.

How should practitioners respond to a cyber incident?

If a cyber incident occurs at a practice, the owners and/or managers of the business need to take any action required to minimise the risk of harm.

They may also wish to consider:

  • advising the patient that the confidentiality of their health information may have been compromised due to the cyber incident (this is required if the cyber incident is considered a Notifiable Data Breach under the Notifiable Data Breaches scheme)
  • seeking expert IT assistance as well as legal advice if necessary
  • notifying the Office of the Australian Information Commissioner, which is required if the cyber incident qualifies as an eligible data breach pursuant to the Notifiable Data Breaches scheme
  • contacting the Australian Cyber Security Hotline for guidance.

How can BMS help?

BMS offers cyber liability insurance for APA members. Contact BMS on 1800 931 068 or at apa@bmsgroup.com for more information.

>>This article was written by BMS, with legal obligations covered by Ashlee Sherman and Scott Shelly of Barry Nilsson Lawyers. The above data is from the Australian Cyber Security Centre’s Annual Cyber Threat Report, July 2021 to June 2022 and the Australian Digital Health Agency’s guide for healthcare providers and guide on managing cybersecurity threats.

>>Disclaimer: Barry Nilsson Lawyers communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication.
In arranging this insurance for our members, the Australian Physiotherapy Association (APA) is acting as a distributor of BMS Risk Solutions Pty Ltd (BMS) AFSL 461594, ABN 45161187980. The insurance is issued by BMS under binder with Certain Underwriters at Lloyds. When acting under a binder BMS acts as agent for the insurer and not as your agent. This is general advice only and BMS has not considered whether it was suitable for your personal objectives, needs or financial situation. Please read the Policy Wording and BMS Terms of Engagement which contains the Financial Services Guide before making any decision about purchasing this policy. APA may receive a percentage of the commission paid to BMS by the insurer and/or a fee per policy.

© Copyright 2023 by Australian Physiotherapy Association. All rights reserved.