This appeared last
week and carries a rather ominous warning…
Data breach law: 60% of businesses 'unaware of basics'
-
20 February 2018
-
Written by Sam Varghese
Nearly 60% of
Australian businesses are not aware of the details of the data breach
law that takes effect on Thursday, a survey by GfK Australia for
imaging solutions provider Canon claims.
Additionally, the
survey, named the Business Readiness Index, found that small
businesses, in particular, were seen to be least concerned about data
security, stemming from a lack of awareness where only one in five
(19%) were conscious of, and prepared for, the new regulations.
The survey was
conducted in January and gathered insights from 400 key
decision-makers from the business and IT communities. It aimed to
gauge Australian businesses' existing information security practices,
and determine their preparedness and ability to comply with the Data
Breach Notification obligations.
“Third-party
suppliers present a cyber security blind spot for many businesses. A
business’ security posture doesn’t solely depend on its own
efforts," said Gavin Gomes, director of Canon Business Services.
Internally, a
business could be a fortress, but the walls could come crashing down
if a supplier’s security measures aren’t as robust – this
should be number one on every boardroom’s agenda at the moment."
Gomes pointed out
that small businesses were seen as the engines of Australia’s
economy.
"The fact
that one in two are only ‘slightly’ or ‘not at all’ concerned
about potential upcoming breaches is in itself a red flag," he
said.
"In the short
run, this makes them the ideal backdoor entry point for cyber
criminals angling for prized data and revenue from larger
enterprises. Longer term, the implications can include missed
opportunities worth millions – be it lost contracts or irreversible
reputational damage."
Other key findings
of the survey:
-
Across the board, technology was seen as the biggest vulnerability, with 44% of risk attributed. Larger businesses had a more balanced view of their risks, but small businesses attributed 53% of the risk to technology, and only 25% to people and 22% to policies and processes.
-
Only 40% of the businesses surveyed had implemented six or more of the Australian Signals Directorate Essential 8 and just 18% reported implementing all of these steps. Twelve percent of small businesses had no strategies in place.
-
Average days that organisations took to detect a data breach was 24.7.
-
Daily back-up of important data was the most widely implemented cyber-risk mitigation strategy, but print security was often neglected.
-
The top five security incidences that occurred in Australia in the last 12 months were: viruses, spam, malware/spyware, phishing, ransomware.
-
Where there’s room for improvement:
-
Only 56% have been assessed for security risk management;
-
Only 40% have their printers secured;
-
Only 56% have a cyber security policy; and
-
Only 55% invest in security training.
-
-
Half thought their data security spend would increase once the new legislation took effect.
"When it
comes to ovrall security, ignorance is no longer bliss. According to
the Index, it reportedly takes nearly a month (24.7 days) on average
for a security breach to even be detected – whether it’s
seemingly innocuous spam, or insidious ransomware," said Sop
Chen, general manager of Managed IT and Security Services at Harbour
IT, a Canon Group company.
More here:
All
individuals who handle health information, no matter what their size,
fall under the legislation.
There
is a primer here:
Data breach preparation and response
19 Feb 2018
Description
Strong data
management is integral to the operation of businesses and government
agencies worldwide. Digital platforms and technologies that utilise
user data to provide personalised products or services have
proliferated across communities and industries. At the same time,
data analysis has been widely recognised for its value as fuel for
innovation that can benefit the community in unprecedented ways,
including identifying gaps in services, revealing needs for new or
different products, and enabling better-informed policy-making.
In this
environment, the success of an organisation that handles personal
information or a project that involves personal information depends
on trust. People have to trust that their privacy is protected, and
be confident that personal information will be handled in line with
their expectations.
As we’ve found
in our long-running national community attitudes to privacy survey,
if an organisation does not demonstrate a commitment to privacy,
people will look for alternative suppliers, products, and services.
One of the biggest
risks organisations face in this context is a data breach. A data
breach involving personal information can put affected individuals at
risk of serious harm and consequently damage an organisation’s
reputation as a data custodian.
However, it is
important to recognise that consumer and community trust is not
necessarily extinguished immediately after a data breach occurs.
After all, history has shown us that even organisations with great
information security can fall victim to a data breach, due to the
rapid evolution of data security threats and the difficulty of
removing the risk of human error in large and complex organisations.
When a data breach
occurs, a quick and effective response can have a positive impact on
people’s perceptions of an organisation’s trustworthiness. That
is why being prepared for a data breach is important for all
organisations that handle personal information.
By an ‘effective’
response to a data breach, I mean a response that successfully
reduces or removes the risk of harm to individuals, and which aligns
with legislative requirements and community expectations.
This guide aims to
assist you in developing and implementing an effective data breach
response. It outlines the requirements relating to data breaches in
the Privacy Act 1988 (Cth) (Privacy Act), including
personal information security requirements and the mandatory data
breach reporting obligations of the Notifiable Data Breaches (NDB)
scheme. The guide also covers other key considerations in developing
a robust data breach response strategy, including the key steps to
take when a breach occurs, the capabilities of staff, and governance
processes.
While this guide
is primarily for Australian Government agencies and private sector
organisations with obligations under the Privacy Act, the information
provided is useful to any organisation operating in Australia. Taken
holistically, the information provided in this guide provides a
framework for meeting expectations for accountability and
transparency in data breach prevention and management, which is key
to maintaining and building consumer and community trust.
Publication
Details
Copyright: Office
of the Australian Information Commissioner (OAIC) 2018
Language: English
License Type: CC
BY
Subtitle: A
guide to managing data breaches in accordance with the Privacy Act
1988 (Cth)
Published year
only: 2018
Here
is the link:
Here
is a GP orientated immediate action plan.
There's been a data breach — here are your next four steps
21 February 2018
SMART PRACTICE
Mandatory data
breach notification is finally here. All private sector organisations
holding health information, regardless of their size, will be
affected by these changes to the privacy legislation that come into
force on 22 February.
Maintaining the
privacy of health information has always been central to the
relationship of trust and confidence between doctor and patient. In
addition, there can be significant penalties for breach, as well as
the potential for negative publicity and damage to a person’s
reputation. Unfortunately, as the Australian Red Cross Blood Service
discovered in 2016, data breaches can still happen in the best
organisations and despite your best efforts, you may experience a
breach.
While it is hoped
you will never find your patients’ details on a public website,
even a single breach of patient privacy has the potential to cause
serious harm and may be notifiable. You do need to think about how
you would respond if, for example, you discovered patient details had
accidentally been disclosed; results had been sent to the wrong
person; or a staff member had inappropriately accessed patient
records.
Responding to a
data breach involves four steps, which do not necessarily occur in
order. You need to:
-
Contain the breach and make a preliminary assessment
-
Evaluate the risks and likelihood of harm
-
Notify as necessary
-
Prevent future breaches
The
details are here:
You
have been warned!
David.
Has the OAIC been funded adequately to effectively handle as many cases as this?
ReplyDeleteIt is quite apparent they have not. Notifications will be lost in the pile. Canberra has become focused on themselves not the job they are trust with to do.
ReplyDeleteI note in Pulse this morning Timmy is touting a September conscription. Advertising will take place. That is if Turnbull can hold thing together that long
In Pulse "And contrary to some erroneous media reports, there will be a paid advertising campaign to support the initiative, backed by a communications strategy aimed at healthcare providers."
ReplyDeleteThe media reports were probably quite correct - there was no intention to have a paid advertising campaign. There will now, because of the reaction.
I haevn't read any more - I don't pay to read that website.
Opt-out by 1 Sept?
ReplyDeleteThat's assuming there's anyone left in ADHA.
March02, 2018 9:31AM. It would be interesting to see if staff levels, turn-over and capabilities are included in a Board level risk. In an open and transparent ADHA these would be visible as would efforts to manage and mitigate. The turn over of staff would be a useful performance indicator for this apparent focus the CEO has on the ADHA culture. It might also be a useful tool to determine if the ADHA is able to attract and retain the right skills in important specialists roles. Is the ADHA able to compete for this skills against the Jurisdictions and private sector?
ReplyDeleteThe board would do well to look into it and determine what areas if any have high turnover of staff and what or who might be the root cause.
After all the consequences of a stuff up are considerable to citizens conscripted into the MyHR. The last thing we need is to end up having to rely on an HR manager running a complex high profile IT project let alone the MyHR optout
That 8:20 PM is a very reasonable request. I would be very interested in the ADHA ability to support the move to opt out and operate the system. I think that is the least we can expect as finders and users.
ReplyDeleteMy GP ordered blood and heine tests for my 6 monthly diabetes review. I have a My Health Record. I was amazed to see the following instruction printed on the pathology request form "Do not send results to My Health Record".
ReplyDelete9:19 AM .... the following instruction printed on the pathology request form "Do not send results to My Health Record".
ReplyDeleteCorrect. If your dr didn't tick the box the results would be sent if you have a MYHR. However, if you ticked the box when you had your blood taken he results would not be sent.
The only way govt can ensure results ARE SENT to your MYHR is to legislate to make it an offense not to send them or financially penalise drs (w\through ePIPs) if they don't send them although that would be nigh on impossible to monitor and enforce.
This looks like another example of not thinking through the problem to be solved.
"This looks like another example of not thinking through the problem to be solved."
ReplyDeleteThat's the default for myhr.
Which is why it will not be widely adopted - it doesn't solve any problem it just creates more problems e.g. GP's would have to manage two health record system, one, myhr, not designed to do anything for the GP putting the data in. In fact, if lots of data were put in, it would make it easier for a patient to move to another GP.
Why would a GP make it easier for a patient to move?
By default the box "Do not send results to MyEHR" must be unticked by default. Thats the ADHA rules. I pity their new doctor being faced with hundreds of pdfs when a patient moves as most of it will be rubbish and take a long time to view.
ReplyDeleteI assume that as I will opt out any reports of mine sent to the MyHR will receive a bounce back? How do you check that your record has not been created and a library of identifiable information is not being collected and access to that information remains outside my control?
ReplyDeleteSeem to me the only way is either to sign up to check (which would opt me in) or ask the checkout person at some random pharmacy to confirm
The simple answer Anon 7:56 AM is you won’t know. There are conflicting statements on whether a record is created and is simply not visable to you but is their in case you change your mind. The MyHR is the placebo of our time.
ReplyDeleteA view from inside the Sydney office is that the ADHA is headed for a meltdown. One executive is leaving and rumour has it she is not alone. Our staff turnover is quite high, especially in key operational areas. This maybe simply a natural occurance but the ADHA is loosing a lot of experienced people and an ability to understand all the moving parts in digital health.
ReplyDeleteThe sooner MHR is handed over to DHS to operate the better for all.
@9:10 AM There is absolutely nothing to be gained from handing over management and control of a poorly architected failed system to the DHS which has more than enough problems of its own managing and redeveloping Centrelink and other IT systems. BTW DOH and DHS divested themselves of the MyHR and ADHA mess and have no inclination to get embroiled again. Vale MyHR, ADHA, Tim Kelsey.
ReplyDelete"The sooner MHR is handed over to DHS to operate the better for all."
ReplyDeleteMy experience of DHS is that they are pretty good at what they do. They refused to go along with the whole of government outsourcing debacle in the late 1990s and were eventually shown to be justified when the initiative was unceremoniously dumped.
I'd be surprised if they bought into something that smells so badly as myhr. They are already trying to work out how to get off the Model 204, a not insignificant and highly risky project.
David, Bernard and other commentators on this blogspot I am beginning to wonder, not whether anything can be done or even what can be done to rectify the deep seated problems that are now so clearly embedded in the ADHA and the MyHR, but rather how can something be done?
ReplyDeleteThat lead me to wonder whether those who have been so critical of the ADHA and the MyHR (including ANON commenters) would be prepared to put their names on a carefully constructed and objective letter to the Health Minister / Prime Minister?
If so the first step I suggest might be to send your name confidentially to David to collate as a first step in order to determine whether such a letter would likely be given serious and genuine consideration.
@9:53 PM great idea and very timely. What email address should I use?
ReplyDeleteIan, can I suggest there are three options:
ReplyDeleteExpress our concerns to:
1. The health minister/PM
2. RACGP, AMA etc
3. Both.
If anyone is interested and wants to stay anonymous, co-ordinate via
vivien@vivienharte.com
I would be happy to contribute. It is not that the idea of secure sharing of information is the problem, it is more the concept of MHR no longer fits with current and emerging models. I am concerned that as a tax payer The Government is being entrenched in an expensive and constrained technology that will suck the life and money out of National eHealth. The MHR I believe will also constrain policy setting further preventing innovation limiting software developers
ReplyDeleteI would also suggest sending a copy to Tony Abbott as when he was health minister he could smell a rat. Not sure his fix worked, well it didn't, but he is less likely to think everything is fine...
ReplyDeleteI am still not reassured that this project is being brought back on track in terms of patient and professional confidence. A delay without a radical rethink and significant reassurance that well founded concerns have been listened to and robust protection measures implemented is for nought unless used to adjust confidence.
ReplyDeleteI know that I’m not alone in believing there still remains a road crash crisis of confidence in the MyHR. On the one hand we are being told that the aim of the project is to contribute to the care of patients but it is the management of the sensitivities surrounding the handling of sensitive data that significantly risks the project’s implementation and realisation of those laudable aims.
Will loosely anonymised data capable of being used to help triangulate patient identity continue to be sold to industry for example? Being reassured that the data is secure from hackers when data sets are being provided willy-nilly to industry is not at all reassuring. I know what sort of Commonwealth entity I want to work in and it isn’t one that can’t anticipate the issues and handle sensitive projects from the outset with the sensitivity that is deserved otherwise we end up in the very place we are with an important project critically bruised by a never ending set of botched implementations.
Also, of more concern, is contracts and money being spent of close links and self-indulgences with no transparency at all, which is why I wonder why some are in the position of both promoting transparency and knowing that this is happening right now? Where do these peoples loyalties lie?
There is also the atmosphere in which we have to suffer uncomfortable situations. On one hand we receive emails explaining how great everything is and how yet another culture initiative promoting values and re-education survey is heading our way, while on the other hand we have one and a coupe of cohorts stomp about creating a workplace of fear and uncertainty. Either the Executives are aware or they are promoting this unsettling behaviour.
@8:40 PM accept the facts show the project has failed and is unsalvageable and stop fretting about bringing it back on track.
Delete8:40 PM that is pretty insightful especially as I get a sense you work in close proximity. As for transparency the ADHA seems all but transparent. I can find scant information and data of what is really going on. Am I suppose to believe the narrative for a CEO and a few obviously scripted stories for random people and organisations under a compact?
ReplyDeleteThere is obviously a culture at the ADHA that sees people (employees and citizens) as little more than expendable pawns there to be used and abused for personal gain.
The opt out and MyHR rollout will happen, the ADHA will further distract everyone with this framework for action (or a framework for Timmy talking tour). What everyone should be more concerned with is the drafting of the secondary use. There seems to be some indication that secondary use might be opt out. This is a very worrying development and one that is seemingly being left out of public view.
ReplyDeleteThe framework for action - https://frameworkforaction.digitalhealth.gov.au/assets/pdf/FFA-Consultation-Draft-v9-050318.pdf
ReplyDeleteLooks a lot like NEHTA, I guess it was only a matter of time before we came full circle and realised it is about standards and conformance. Shame they killed off a lot of highly skilled people in the process.
If this is a sample of thing to come we are in for a period of death by power point and lots of speaking void of any real understanding.
I am sure the will bully everyone into conforming to their standards, bully the public into mandatory secondary use participation. Seem Tim likes a bullying organisation so it would make sense he would extend that out to dealing with the community.
ReplyDeleteI did enjoy the ‘My Health Record is an unpredicted platform for innovation. Maybe it should have been a predicted platform for invitation to steal identifiable information.
Someone please tell me this "framework for action" is a joke. The one thing it certainly isn't is a robust plan or even proposal for government action.
ReplyDeleteThere is no discussion on funding or anything on how it will be paid for by cost reduction or some other mechanism.
No serious government proposal should exist without a cost/benefit analysis and explanation/justification for spending government money. From day one, the myhr initiative has been missing this crucial component. Either there isn't one or the real justification for myhr isn't about improving health care it is something else they don't want us to know about.
The ADHA strategy talks about "Enhancing models of care, changing prescription processes and medicines information, and improving interoperability are some priority areas that will require changes in policy and funding structures"
yet funding is not identified as an issue, never mind how it is to be addressed.
myhr has cost well over $1.7b and counting. It will incur extra costs in GP time. It is not a simple matter of pressing a button and uploading a SHS.
The myhealthrecord.gov.au website says:
"When creating the SHS, the nominated healthcare provider needs to ensure that all aspects of it have been completed and verify the accuracy of the information it contains. In assessing its content, the nominated healthcare provider should take into account other relevant information on the patient’s My Health Record."
Who is paying for this? The patient, when their GP spends time doing this and less time attending to health needs? The government by paying more to GPs so they can extend consultation times?
It's all a big mystery, like a lot of things about myhr.
And I find section 1.2 "Enable the safe and secure use of My Health Record system data" gob smacking.
myhr has been live since July 2012 and there is no "...framework to govern the safe and secure use of My Health Record system data"?
Are these guys for real? This document isn't, it's a fantasy.
Further to my rant on a lack of attention to the issue of funding, there is another glaring omission.
ReplyDeleteAnyone who has done even the smallest amount of research (and I hope someone at ADHA has done some) will know that the future of the health care system lies with a patient centric approach.
The framework document doesn't even mention patient centric or patient centred.
I've never seen anything from the Department of Health, NEHTA or ADHA that suggests they have any idea what patient centric might mean.
Patient centric is not "Digital Health" or just drawing a picture with a patient in the middles showing lots of lovely data being stored in one place. It is much more fundamental than that.
The only mention of anything remotely connected with patient centric is this phrase "a collaborative approach to deliver a consumer-centric integrated healthcare ecosystem." in the context of national infrastructure. Now there's a sign it's all about marketing and nothing about reality.
ADHA and its strategy are stuck in the past, trying to automate old practices (and largely failing to achieve even that), although there are some worthy initiatives that would deliver better health outcomes, even if they do not lead to patient centric health care. There is no evidence that ADHA understands what even these worthy initiatives are.
It's like watching children at play.
The absence of intelligent insightful investigative journalism has enabled Health Ministers to turn a blind eye, bureaucrats to avoid being accountable and the ADHA to say and do whatever they want. Where have the quality investigative health IT journalists gone?
ReplyDeleteAnonymousMarch 08, 2018 9:16 AM
ReplyDeleteThe issue is not that the ADHA HR unit does not have the ability or skill set to mediate, it is that the core issue owns HR, you dare not raise anything especially not regarding the the bullying, harassment and nepotism being conducted nor the very visible abuse of power and delegation of authority. I doubt the HR team could do much even if they wanted to, they it seems get the same treatment. Although not the case in all aspects of ADHA, under that manager, respect and support is never afforded to employees. It is a sad day when the norm is to performance manage the more junior officer, but that sadly seems to be the ADHA way, they have ignored basic APS rules and guidelines and conflicts of interest now prevent change. Without basic communication skills and respect there will never be reconciliation only disharmony. Sadly the bullying and harassment towards by a mid level manager affects many people and creates a broad discomfort across the ADHA. Why incompetence and blatant abuse of power is seemingly endorsed by the CEO and executive is beyond me, perhaps they share in the fear of reprisal.
Sounds as though ADHA has a lot in common with the White house - an incumbent with no knowledge or experience of running the sort of organisation they are now in charge of - and possibly with a similar personality - malignant narcissist.
ReplyDeleteAnd they both seem to have the same problem with staff turnover.
The same observation can be made of both - they're unsustainable.
Maybe Tim should get that overseas job he's been looking for. That recent meeting of the Global Digital Health Network in Sydney was a golden opportunity for the ambitious. It may well have had a hidden agenda all along. I wonder if Greg Hunt knew what he was really endorsing. So many questions.
Health has become a $164 billion drag on the economy in the past year alone, dwarfing the potential benefits from the Turnbull government's proposed company tax cuts.
ReplyDeleteSMH
https://www.smh.com.au/politics/federal/unprecedented-health-costs-the-australian-economy-40-billion-per-quarter-20180308-p4z3e3.html
I wonder if myhr has helped hindered or been totally irrelevant in all this.
It should be a simple matter for ADHA or DHS to analyse the data in myhr and give some sort of perspective.
All they have to do is add up all the Medicare claims and PBS costs (on a weekly or monthly basis) for the 5.5million people who have been registered for a myhr (we all know that being registered doesn't mean they have a current, accurate, useful myhr, but let's leave that aside for a moment).
Then calculate the expenditure rate (i.e. divide the weekly/monthly number by the number of registrations) and graph them.
First look for a trend.
Then go to Medicare who have the data for the other 20million or so people who are not registered and make a comparison.
I would expect ADHA to be shouting out the results if they were in the slightest bit favourable. I'm not holding my breath.
In reality, only about 4% of the 5,5million have anything like a useful SHS so drawing any sort of conclusion one way or the other is likely to be problematic.
Or to put it another way - there is probably no evidence myhr has had any impact one way or another since it went live in July 2012. Not bad for $1.7billion.
The promise of myhr and Digital Health is just that - a promise.
And until the Framework for Action is costed and funded, it will remain a promise.
Statistics- you might find this a fun read - https://www.theguardian.com/politics/2017/jan/19/crisis-of-statistics-big-data-democracy
ReplyDeleteAs for ADHA comparison - Tim certainly seems to have some vulnerable parts in the organisation he is trusted to run. Perhaps with MyHR opt out looming he has not the backbone to make change, perhaps it is safer to keep loosing troops than sack a sergeant in the field. Certainly does not look like the corporate plan around organisational excellent sand values is being achieved. Wonder if the Board has a KPI on this for the CEO?
Tim has never run a government agency. Has he ever sacked anyone? That sorts the men from the boys.
ReplyDelete