Health sector and cyber risk

Privacy Act 1988 regulation impose obligations on health practices for safekeeping and privacy of health records which include sensitive personal information of patients and their medical condition

The Australian government introduced the notifiable data breach scheme on 22nd February, 2018. As per this scheme, health practices can be penalised by the Privacy Commissioner for negligence in protecting sensitive information held by the medical practice. They must now notify individual’s whose data has been compromised.

Combined with regulatory risk, the threat of malicious activity or human error in relation with IT systems can cause security events which can cause of loss of critical data, system glitches and interruption to business operations and result in loss of profit.

Investment in cyber security

Health practices must maintain security postures and demonstrate investment security initiatives firewalls, anti- virus, encryption, patch management and staff training. Cyber risk calls for risk management through a combination of elimination, mitigation and transfer mechanisms. Similarly, the increase in social engineering attacks puts at risk operational continuity of a health practice because of which patient could find it hard to access the right treatment when required.

Cyber insurance

  • Cyber insurance offsets operational, regulatory and financial costs associated with security incidents.
  • Cyber insurance offsets cost of notification
  • Cyber insurance provides incident response.

Cyber insurance – Coverage

  • Notification Costs/ PR Expenses – Expenses for notifying individuals and use of Public Relation firms and their fees
  • Regulatory Fines – payment for fines imposed by the Privacy Commissioner
  •  Restoration costs related to data and system – cost of restoring data and systems if they are made inaccessible after an incident
  • Cyber Response Team – Clients are provided with a Panel when they make a claim – this panel consists of a PR firm, Legal firm and Forensic firm, this panel is made available within 24 hours after an incident . The cost of this panel is borne by the Insurance company 

IT considerations before acquiring Cyber insurance

  • The clinic must ensure it can demonstrate both financial and operational investment into cyber security tools such as firewalls, backups, processes and privacy policies
  • Consult your IT provider and request a comprehensive cyber security risk assessment
  • Ensure your staff are aware of what cyber security is and that they can demonstrate awareness of the risks associated with cyber crime
  • Consult your IT provider to ensure that your practice is compliant with the cyber insurance IT requirements

Disclaimer:. “The information provided is general advice only and does not take account of your personal circumstances or needs. Please refer to our financial services guide which contains details of our services and how we are remunerated.”