How to deal with cyber incidents

 
The image is of hands against a dark background, holding a neon warning sign of a triangle with an exclamation mark inside.

How to deal with cyber incidents

 
The image is of hands against a dark background, holding a neon warning sign of a triangle with an exclamation mark inside.

RISK MANAGEMENT Cyber incidents are a growing threat to healthcare practices. Ashlee Sherman and Scott Shelly of Barry Nilsson and the APA’s insurance partner BMS explore what this means for physiotherapists.

While cyber risks may not be front of mind in day-to-day practice, it’s important to be aware that they exist, especially in the healthcare industry.

In the most recent report by the Australian Cyber Security Centre, the healthcare and social assistance sectors were found to have the highest number of cybersecurity incidents (after government sectors) in Australia between 2021 and 2022.

What are the risks?

Imagine that a physiotherapist arrives at their practice one morning, only to discover that they can’t access their online systems.

They can no longer see their patients’ health information or the details of upcoming appointments.

Suddenly they don’t have the information required to perform their work.

How could this affect their patients? Their business? Their reputation?

If a cyber incident results in a security or privacy breach, it could cause patient harm.

This poses the risk of potential claims and/ or complaints from current or previous patients who have been affected.

According to the Australian Digital Health Agency, personal health information is an attractive target to cybercriminals.

Individual health data is considered to be more valuable than other types of data.

Additional risks may include the following:

  •  financial loss
  • disruption to business operations
  • potential damage to a practice’s reputation.

What are physiotherapists’ legal obligations? 

When handling health information, health service providers in Australia are required to:

  • take reasonable steps to protect personal information (including health information) they hold from misuse, interference and loss as well as unauthorised access, modification or disclosure
  • take active measures to ensure the security of personal information they hold and actively consider whether they are permitted to retain personal information
  • advise patients why their health information is being collected as well as how the health information will be stored and protected
  • advise patients if there are any other parties their health information may be disclosed to
    maintain a privacy policy that includes a summary of how the health service provider handles health information.

How should practitioners respond to a cyber incident?

If a cyber incident occurs at a practice, the owners and/or managers of the business need to take any action required to minimise the risk of harm.

They may also wish to consider:

  • advising the patient that the confidentiality of their health information may have been compromised due to the cyber incident (this is required if the cyber incident is considered a Notifiable Data Breach under the Notifiable Data Breaches scheme)
  • seeking expert IT assistance as well as legal advice if necessary
  • notifying the Office of the Australian Information Commissioner, which is required if the cyber incident qualifies as an eligible data breach pursuant to the Notifiable Data Breaches scheme
  • contacting the Australian Cyber Security Hotline for guidance.

How can BMS help?

BMS offers cyber liability insurance for APA members. Contact BMS on 1800 931 068 or at apa@bmsgroup.com for more information.

>>This article was written by BMS, with legal obligations covered by Ashlee Sherman and Scott Shelly of Barry Nilsson. The above data is from the Australian Cyber Security Centre’s Annual Cyber Threat Report, July 2021 to June 2022 and the Australian Digital Health Agency’s guide for healthcare providers and guide on managing cybersecurity threats.

Disclaimer: Barry Nilsson communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication.
You must be a current APA member to be eligible for the APA member insurance program. You must be part of the APA member insurance program in order to access additional cover. If your membership ceases you will not be offered renewal when your policy expires. In arranging this insurance for our members, APA is acting as a distributor of BMS Risk Solutions Pty Ltd (BMS) AFSL 461594, ABN 45161187980. This insurance is issued by BMS under a binder with Certain Underwriters at Lloyd’s. When acting under a binder BMS is acting as agent for the insurer and not as your agent. This is general advice only and BMS has not considered whether it is suitable for your particular objectives, needs or financial situation. Please read the Policy Wording and the BMS Terms of Engagement, which contains the Financial Services Guide, before making a decision about purchasing this policy. APA may receive a percentage of the commission paid to BMS by the insurer and/or a fee per policy. 
 
 

© Copyright 2024 by Australian Physiotherapy Association. All rights reserved.