Changes to legislation around medical data breaches are set to create a lot more havoc than the government, and many doctors running practices, currently suspect
Changes to legislation around medical data breaches, with fines of up to $340,000 for a single GP and up to $1.7 million for a practice, are set to create a lot more havoc than the government, and many of the doctors running practices, currently suspect.
From Thursday this week, changes to the Privacy Act 1988 will require GPs and GP practices to notify any individuals likely to be at risk of serious harm because of a data breach, and to notify the Office of the Australian Information Commissioner (OAIC), where the Privacy Commissioner sits.
Until now, breaches did not have a mandatory reporting requirement.
Not surprisingly, very few breaches have been reported by GP practices since the legislation introducing heavy fines for allowing breaches came into effect nearly four years ago. If you have had a breach, how likely are you to want anyone to know about it? So you do all you can to fix it and move on. That can’t happen anymore.
Of the few GP practice breaches that have made it onto the privacy commissioner’s books, all were proactively investigated by the commissioner after incidental alerts, usually arising from other investigations.
We have seen some spectacular and very public breaches by big organisations, though. In 2016 the Australian Red Cross Blood Service left nearly 1.3 million donor records, including details such as HIV status, on a publicly accessible server.
Medicare’s breach last year, in which individual card details had been on sale from a dark web vendor for nearly a year at up to $30 each, seemed to demonstrate that no amount of security is enough to guarantee against a breach.
At this week’s HealthEd medical education seminar at the International Convention Centre in Sydney, more than 1300 GPs and another 400 healthcare professionals heard from Avant’s Senior Risk Manager, Dr Peter Walker, on the key issues associated with this week’s change.
He said that something as simple as a GP losing a mobile phone holding some patient data, or misplacing a USB stick they were taking home to do some work on, would now constitute a potentially serious and reportable breach, requiring a good deal of remedial action and reporting, including notification of the breach to any patients involved.
Dr Walker told The Medical Republic that although the fines for a breach of these new rules were huge, the privacy commissioner had so far taken a very pragmatic attitude, as it is understood that many organisations have a lot of catching up to do.
So far, no GP-based organisation has actually been fined for a data breach.
But what is going to happen now that reporting is mandatory?
Firstly, we can expect a lot more reported breaches. We will soon have a lot more comparative data on who has been breached and why, on who is taking the right steps to prevent a breach, and on who is not taking this legislation seriously enough. How long before we start seeing fines levied against GP-based organisations or individual GPs?
Dr Walker still thinks there will be a settling in period and doesn’t think GPs should be worried, initially, about fines.
But he concedes that eventually, once the legislation has been in place long enough and there are enough examples of breaches resulting from poor practice or foreseeable circumstances, the fines will start.
“We will see a period of time in which the commissioner will slap some people on the knuckles and make some publicity so it will be in the media,” Dr Walker told TMR. But he does think things have now changed fundamentally from the previous regime.
“It [these new changes] gives the privacy commissioner a lot more scope because this regime now requires you to be reporting when you breach,” he said.
But what of GPs and practices that do not report a breach when this legislation requires mandatory reporting?
Dr Walker would not comment on such circumstances, but it seems entirely obvious that actively “hiding” a breach under this new legislation is likely to attract the ire of the Privacy Commissioner, and early on we are likely to see someone, or some group, made an example of.
Any accredited practice will already have a data privacy policy, and such a policy should cover both prevention measures and what to do in the case of a breach. Dr Walker says such practices will need to update their policies to include a data breach action plan as part of that policy.
“They will probably also want to tighten policies around the use of electronic devices and transfer of information and think about what can go wrong with them,” he said.
But there is a huge and largely hidden issue facing general practice in the matter of potential data breaches now that reporting has become mandatory: practices which have been subject to a ransomware attack. Until this week, such an attack did not need to be reported if the practice managed to navigate its way through the attack.
You have two choices if you find that your medical records have been locked up by a ransomware attack: pay up and hope they get unlocked, or get expert help to restore your files. Whether the second option is really open to you usually comes down to whether the practice has recent backups that the attacker could not reach from the infected network.
Dr Walker says that any practice that does experience an attack should contact their MDO immediately for the right advice on managing the event.
But he and Avant never recommend paying the blackmailer. This is generally the advice of the federal police and other government organisations tracking such attacks, many of which originate overseas. The reason is that once attackers know you have paid once, you will be targeted again, and usually with more sophisticated attacks. Payment also does not guarantee that a working decryption key will ever arrive.
The sleeper issue for the GP profession, which is about to be exposed by this legislation, is just how many GP practices have been attacked in previous years, how frequent the attacks are, and whether the problem is getting worse.
If no-one reports a breach, how do we know how many ransomware attacks are taking place each week on GP practices in Australia?
One clue to the frequency comes from talking to cryptocurrency exchanges and traders. Nearly all ransomware attacks require the blackmailer to be paid in some form of cryptocurrency.
So how much business do the cryptocurrency traders see from doctors and doctor practices?
The answer is a shocking amount.
One respected exchange that The Medical Republic spoke to, which wishes to remain anonymous, said that in 2017 it received, on average, one inquiry a week from a medical practice wanting to buy cryptocurrency. That is just one major exchange and trader.
The Australian Digital Commerce Association (ADCA) lists more than 12 major traders as being part of its association.
Multiply that number again by the less well known, and less scrupulous, traders, and what do we have in terms of what is really going on around the country with GP practices being hacked and blackmailed for the release of their data?
We are in strange territory, because no one wants to talk about this publicly.
If one major trader reports more than 50 inquiries a year, but, because of privacy concerns, we cannot get it to confirm how many of those practices actually bought bitcoin or another cryptocurrency, and there are at least another dozen large and respectable cryptocurrency traders that any practice can contact on the sly, just how many GP practices are being compromised each week?
My guess is that we have a significant and, until now at least, hidden issue in general practice. And it is hard to see how GPs and practice managers can quietly solve it on the side.
The variability in security of GP practices is massive.
Says Dr Walker: “I’ve seen practices without firewalls and no antivirus protection. And even if you have whiz-bang patient management system software with high levels of encryption, the weak link is the wetware”, i.e. how practices handle passwords and usernames.
This is the weak point in even the most secure of systems.
Remember the Hawaii false missile alert a few months back? In one photograph of the emergency management agency’s operations room that circulated after the event, a yellow post-it note is stuck to one of the computers in the foreground. Zoom in and what you see is someone’s username and password. Scary.
Having once been the subject of a denial of service attack on a company I ran, where 60% of our revenue depended on our digital media assets being fully operational, I can sympathise a lot with a GP or practice manager who finds themselves locked out of their medical records by a ransomware attack.
Your business is literally on the line and it is very hard to know who to turn to for advice and help. If you don’t get your data back you can’t operate. And you hope that your data has only been locked, not stolen. Often, with the right forensics, you can quickly determine whether your data was just locked or actually taken.
But now, no matter what happens, you are most likely going to have to report the incident. What happens then to your patient base, your brand and your reputation?
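One small piece of that forensic work is checking whether any machine in the practice pushed an unusual volume of data out to the internet in the hours before files were encrypted. The script below is an added illustration written for this page; it is not code from The Medical Republic, Avant or Dr Walker. It assumes a hypothetical firewall or proxy log format of four space-separated fields (timestamp, source IP, destination IP, bytes sent), uses constructed sample lines, treats the RFC 1918 ranges as the practice’s internal network, and uses an assumed 100 MiB threshold. A host that crosses the threshold is a lead for an investigator, not proof of exfiltration, and a clean result from one log source does not prove the data was only locked.

```python
"""Triage of outbound-transfer logs after a ransomware incident (added example).

Totals the bytes each internal host sent to external addresses and flags
hosts whose outbound volume exceeds a threshold. Log format, sample lines,
internal ranges and threshold are all assumptions made for this example.
"""
from ipaddress import ip_address, ip_network

# Assumed internal address ranges for the practice (RFC 1918).
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in the assumed format:
# <timestamp> <src_ip> <dst_ip> <bytes_out>
# 10.0.1.15 sends ~270 MB to one external address late at night;
# 10.0.1.31 sends a lot, but only to an internal backup server.
SAMPLE_LOG = """\
2018-02-20T22:41:03 10.0.1.15 203.0.113.44 512
2018-02-20T22:41:09 10.0.1.15 203.0.113.44 91233456
2018-02-20T22:42:11 10.0.1.15 203.0.113.44 88312000
2018-02-20T22:43:30 10.0.1.15 203.0.113.44 94000123
2018-02-20T09:12:00 10.0.1.22 198.51.100.7 4096
2018-02-20T09:15:42 10.0.1.22 198.51.100.7 20480
2018-02-20T09:20:10 10.0.1.31 10.0.1.2 250000000
2018-02-20T10:01:00 10.0.1.40 198.51.100.9 8192
not a log line
"""


def parse_log(text):
    """Parse '<timestamp> <src_ip> <dst_ip> <bytes_out>' lines.

    Malformed lines are skipped rather than aborting the triage, because
    real logs from a compromised network are rarely pristine.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append((ts, str(ip_address(src)), str(ip_address(dst)), int(nbytes)))
        except ValueError:
            continue
    return records


def is_internal(addr, nets):
    """True if addr falls inside any of the practice's internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def outbound_totals(records, internal_nets=INTERNAL_NETS):
    """Per source host: bytes sent to external destinations, the set of
    destinations, and the first and last timestamp seen (ISO 8601 strings
    sort correctly as text). Internal-to-internal traffic is ignored."""
    summary = {}
    for ts, src, dst, nbytes in records:
        if is_internal(dst, internal_nets):
            continue  # e.g. a workstation talking to the local backup server
        entry = summary.setdefault(src, {"bytes": 0, "dests": set(), "first": ts, "last": ts})
        entry["bytes"] += nbytes
        entry["dests"].add(dst)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def flag_exfil_candidates(summary, threshold_bytes=100 * 1024 * 1024):
    """Hosts whose external outbound volume meets the (assumed) threshold,
    largest first. These are leads for an investigator, not conclusions."""
    hits = [(host, e["bytes"]) for host, e in summary.items() if e["bytes"] >= threshold_bytes]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    summary = outbound_totals(parse_log(SAMPLE_LOG))
    for host, total in flag_exfil_candidates(summary):
        e = summary[host]
        print(f"{host}: {total:,} bytes to {sorted(e['dests'])} "
              f"between {e['first']} and {e['last']}")
```

Note that the example deliberately matches destinations against an explicit list of internal ranges rather than relying on a library’s notion of a “private” address: the practice knows its own address plan, and that is what should drive the filter. Correlating the flagged host’s last timestamp with the time the ransom note appeared is the next step an investigator would take.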
This is a much bigger issue than the government or any of the major GP colleges have likely contemplated.
The new legislation pretty much mandates that GP practices now have to own up. If they don’t, and it is subsequently found that they had a ransomware attack and did not report it, what happens?
And what if there was damage done to a patient as a result of that breach?
That’s about the time I’d say we are going to see the privacy commissioner finally reach for the fines sledgehammer and whack some poor GP or practice manager as an example for everyone to take note of.