The Australian Privacy Principles, together with the mandatory breach notification legislation recently passed by the Australian Parliament, set out obligations that apply to anyone who handles electronic medical data. In short, a medical practice must have appropriate measures in place whenever it stores, accesses or shares electronic medical records, so that patient data stays secure, and it must notify affected patients and the regulator when a serious breach occurs. Failure to comply can lead to large fines for both the practice and the individuals involved. The following steps help a practice work towards compliance:
Run a complete risk assessment of the practice
Many medical practices adopted electronic health record systems before there were clear guidelines on what those systems should provide, so a practice may still be running software that does not meet current standards. A risk assessment of the current systems will highlight where compliance is not enforced and where changes are needed. As part of that assessment, confirm that the practice is running the latest supported version of each system and that the vendor's security patches have been applied.
Prepare for disaster before it occurs
All data handled by a medical practice must be protected against both loss and corruption. The main safeguard against loss is a daily backup of the medical data, with at least one copy stored offsite so that a natural or man-made disaster at the practice does not destroy the backup along with the originals. The offsite copy should also be kept offline or otherwise out of reach of the practice's normal accounts, because ransomware that can reach the backups will encrypt them too. A backup that has never been restored cannot be relied on, so test a restore regularly. Antivirus software should also be installed and kept up to date on every computer, so that data is not corrupted or destroyed by malware, or held to ransom by cyber criminals.
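As an added illustration of the backup routine described above (this is not code from the article or from the author), the shell script below runs one daily cycle: it archives a constructed sample data directory, records a SHA-256 checksum, copies the archive to a second directory that stands in for the offsite location, verifies the copy against the checksum, and then performs a test restore and compares it with the source. The directory names, the sample records and the use of `sha256sum` are assumptions for the demo; a real deployment would encrypt the archive and ship it to physically separate, offline storage.

```shell
#!/bin/sh
# Added example: daily backup, offsite copy, checksum verification and
# a test restore. All paths below are assumptions for the demo, and the
# "offsite" location is simply a second directory on the same machine.

set -u

WORK_DIR="${TMPDIR:-/tmp}/backup-demo.$$"
SRC_DIR="$WORK_DIR/practice-data"        # the practice's records (assumed)
LOCAL_DIR="$WORK_DIR/backups-local"      # on-site backup store (assumed)
OFFSITE_DIR="$WORK_DIR/backups-offsite"  # stands in for offsite storage

# Constructed sample data for the demo only; no real patient records.
make_sample_data() {
    mkdir -p "$SRC_DIR/records" "$LOCAL_DIR" "$OFFSITE_DIR"
    printf 'patient_id,visit_date,notes\n1001,2017-03-01,sample record\n' \
        > "$SRC_DIR/records/visits.csv"
    printf 'retention=7years\n' > "$SRC_DIR/config.ini"
}

# Create a dated archive plus a checksum file beside it; print the archive path.
run_backup() {
    stamp=$(date +%Y-%m-%d)
    src_archive="$LOCAL_DIR/practice-$stamp.tar.gz"
    tar -czf "$src_archive" -C "$SRC_DIR" . || return 1
    ( cd "$LOCAL_DIR" && sha256sum "$(basename "$src_archive")" \
        > "$(basename "$src_archive").sha256" ) || return 1
    printf '%s\n' "$src_archive"
}

# Copy the archive and its checksum to the offsite store.
copy_offsite() {
    cp "$1" "$1.sha256" "$OFFSITE_DIR/" || return 1
}

# Verify the offsite copy against its checksum; fails if it was altered in transit.
verify_offsite() {
    ( cd "$OFFSITE_DIR" && sha256sum -c --quiet "$1.sha256" ) || return 1
}

# A backup that has never been restored is not a backup: restore the offsite
# copy into a scratch directory and compare it with the live data.
test_restore() {
    off_archive="$OFFSITE_DIR/$1"
    restore="$WORK_DIR/restore-test"
    rm -rf "$restore" && mkdir -p "$restore"
    tar -xzf "$off_archive" -C "$restore" || return 1
    diff -r "$SRC_DIR" "$restore" > /dev/null || return 1
}

# One full daily cycle; returns 0 only if every stage succeeded.
daily_backup_cycle() {
    make_sample_data
    archive=$(run_backup) || return 1
    name=$(basename "$archive")
    copy_offsite "$archive" || return 1
    verify_offsite "$name" || return 1
    test_restore "$name" || return 1
    echo "backup verified: $OFFSITE_DIR/$name"
}

cleanup() { rm -rf "$WORK_DIR"; }

# Stand-alone run for the reader; the scratch directories are removed afterwards.
daily_backup_cycle && cleanup
```

The verification step matters as much as the copy: if the offsite archive is modified after it is written, `verify_offsite` fails and the cycle reports an error rather than silently keeping a bad backup.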
Implement an ongoing employee training programme
Any system is only as strong as its weakest link, and in many cases poorly trained employees or temporary staff are the entry point for attackers into a medical practice. These are also the staff most likely to have an "oops" moment and accidentally release confidential information. A practice can have excellent processes and systems, but if staff share logins, write passwords down, or walk away from unlocked workstations, the system's access controls are rendered useless and anyone can reach the records. Medical practices should train their staff regularly on the security procedures they are expected to follow, so that the integrity and confidentiality of patient data are maintained.
Purchase medical products with security compliance, and compatibility in mind
New equipment bought for a medical practice should be compatible with existing systems and should offer adequate security features, such as individual user authentication, encryption of stored and transmitted data, and a vendor commitment to security updates for the life of the product. With the advent of connected devices, the Internet of Things, it is critical that such devices are secure and kept up to date, since an unpatched device on the practice network is an entry point to everything else. Before making any major purchase, review the product thoroughly for both security and compatibility.
Collaborate with affected parties
The changes needed to achieve cyber security and privacy compliance affect many people in the practice. Affected groups should be offered training, and management must ensure that staff understand why compliance matters to everyone involved in the practice. Also, ensure that key staff know what to do in the event of a breach, including who to notify and how to preserve evidence. A comprehensive incident response and disaster recovery plan is essential, and it must be rehearsed regularly rather than left in a drawer.
Thanks Paul! He does add, if you would like to discuss a risk assessment of your practice, please visit Cyber Health International to arrange a time that suits you to receive a call. Remember though, a lot of General Practices are small businesses, and a lot of You are the Key People in those businesses. Look after yourselves, see Your GP, get a great workplace, and Good Luck!