Security of Electronic Records | Defence Update

Prevention

While no security measures are foolproof, it is essential that preventative action is taken by practices to minimise the risk of data loss and intrusion. Private sector organisations are required to take reasonable steps to protect the personal information they hold from misuse, loss or unauthorised access.³  Significant civil penalties may apply.⁴

New mandatory data breach notification obligations come into effect in February 2018. This means that practices must take steps to notify affected persons and the Information Commissioner where the entity believes an eligible data breach has occurred or when directed to do so by the Commissioner. For further information regarding eligible data breaches see https://defenceupdate.mdanational.com.au/Articles/privacy-new-obligations  

The Royal Australian College of General Practitioners (RACGP) Computer and Information Security Standards (CISS) provide a helpful guide⁵ including:

• the need to maintain appropriate security measures (including firewall / antivirus software)
• having an adequate backup system
• seeking appropriate technical support
• formulating a disaster recovery/business continuity plan (in a worst case scenario, what will you do to ensure you are able to maintain continuity of care and recover your lost data and records).

Adequate, reliable and timely database backup is critical. The interval period between backups will dictate the minimum amount of data that cannot be recovered in the event of data loss. Backups need to be rotated, securely stored off-site (thus not accessible to network intrusion) and periodically tested for integrity. Your computer system and configuration should also be backed up (although less frequently).

Recovery

In the event of data loss it is critical to know where your most recent backup is located. Loss of documents cover is provided under the MDA National Practice Indemnity Policy and Professional Indemnity Insurance Policy⁶ and includes indemnification for reasonable costs and expenses incurred in replacing or restoring certain lost or damaged documents, subject to the terms and conditions of the Policies.

If your records and backups are damaged, third party technical assistance may be required to try and rebuild the records. This is expensive and time consuming and it may only be possible to partially recover the lost data, requiring manual re-entry of the data.

Privacy breach

In the event of a third party intrusion into your practice software, there may also be a privacy breach if the records can be accessed by the intruder. In a situation involving the theft of a practice database, this may include the breach of a substantial number of confidential and sensitive medical records.

The Office of the Australian Information Commissioner (OAIC) has a helpful guide to the handling of personal information security breaches. The guide notes that when responding to a privacy breach, there are four steps to consider⁷:

1. containment and assessment
2. evaluation of risks associated with the breach
3. notification
4. prevention.

Computer intrusion, data loss and privacy breaches are serious matters that can cause significant disruption to practices and result in claims, complaints and investigations. Members can seek advice from our Medico-legal Advisory Service on 1800 011 255.

Julian Walter, Medico-legal Adviser, MDA National.

1. abc.net.au/local/stories/2012/12/10/3651098.htm.
   
2. goldcoast.com.au/article/2012/12/10/443366_gold-coast-news.html.
   
3. Australian Privacy Principle 11 
   
4. Federal Court proceedings brought by the Privacy Commissioner can award civil penalties of up to $340,000 for serious or repeated breaches of the Privacy Act. These changes will commence on 12 March 2014 following changes to the Privacy Act 1988 (Cth) by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
   
5. https://www.racgp.org.au/your-practice/standards/computer-and-information-security-standards/
   
6. Disclosure Documents and Policy Wording 
   
7. oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches