Despite debates about data privacy, three million Australians downloaded the new tracing app, COVIDSafe, within 72 hours of its launch by the Federal Government last month to help track the spread of coronavirus.
This rapid take-up suggests that many of us have become comfortable living with data “in the cloud” as we navigate our way around the web. We expect that our data will be protected, whilst we happily say ‘yes’ to cookies, do our banking online, and allow apps such as Twitter, Facebook and Skype to track our movements.
Governments have been playing catch-up with legislation to protect online data. The European Union introduced its General Data Protection Regulation (GDPR) laws in 2016. Australia introduced the Notifiable Data Breach Scheme (NDBS) and mandatory reporting of data breaches in 2018.
Arguably, pharmacy is “ahead of the curve” on this because we live and breathe life-saving health data. The protection of our customers’ data – and our own data – is second nature. But the NDBS has two key implications for pharmacies:
- Because of the sensitivity of our health data, pharmacies are covered by the NDBS. This means pharmacies are expected to take steps to protect our customers’ data and our own.
- We need to report all breaches. This means letting individuals know if their data has been breached AND reporting to the Office of the Australian Information Commissioner (OAIC).
The idea of losing data is stressful at any time (let alone in the middle of a public health crisis). Imagine if your customer databases were breached. Under the NDBS, you are required to notify every person who is potentially affected. This could mean contacting every patient you have dispensed or sold to – potentially thousands of customers. The reputational damage is immense. Additionally, there are fines of up to $460K for civil offences and $2.1M for corporate offences for not reporting breaches as required.
Am I at risk?
In Australia, February figures [1] show that 537 breaches were notified in the last six months of 2019. Of these, health was the highest reporting sector, with 22% of all breaches. Most breaches came from malicious or criminal attacks (64%), whilst human error contributed 32%, and system faults 4%.
How do I protect against a data breach?
The key to protecting data in both physical and virtual worlds is to protect access so that only authorised people can access data. The main steps are:
- Understanding risks and threats
- Protecting against phishing emails and texts
- If you do use remote access tools, use complex passwords and multi-factor authentication
- Keep software patched and up to date
- Ensure your team has cyber security training
- Double-check details before sending information online or via email (e.g. is the address correct? Is the right document attached?)
- Have cyber security tools in place
What happens if I think there has been a data breach?
You have 30 days to report the breach, which gives you time to make a proper assessment.
- The first step is to stop the breach
- Determine if the breach is notifiable, i.e. you are legally bound to inform affected individuals and the OAIC
- Given the complexity and uncertainty with data breaches resulting from cyber-attack, seek expert advice at this stage
- Refer to the NDBS and contact your IT provider as soon as possible.
Andrew McManus is General Manager, Managed Services at Fred IT Group.
[1] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July–December 2019, https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/