Avant Mutual outlines key steps to prevent human data breach in health sector
Human error accounted for 30% of notifiable breaches from July to December 2023, according to OAIC
By Roxanne Libatique
Kate Gillman, BA LLB, head of medico-legal advisory service at Avant Mutual, has provided insights on preventing human data breaches, referencing the latest findings from the Notifiable Data Breaches Report.
Verify before sending
The OAIC report revealed that errors from sending private information to incorrect recipients made up 33% of human error breaches.
Gillman suggests double-checking email or text recipients to prevent these mistakes.
“This was high on our list of reasons for calls – and the source of considerable angst. It is an easy error to make if you are emailing or texting patients,” she said.
Double-check mailing addresses
Mistakes in mailing information to the wrong addresses or combining multiple recipients in one envelope were frequent.
“We had a number of calls where information was posted to incorrect addresses or information such as recall letters intended for several recipients was included in one envelope,” Gillman said. “While many practices are cautious about sending sensitive information electronically, it is important also to check you have robust procedures in place for posting information.”
Watch out for autocorrect
Autocorrect features in email programs and word processing software can mistakenly select recently or frequently used addresses, leading to misdirected information.
“Another emerging theme was the perils of auto text. This can be a problem in both email programs and word processing software, which may default to including recently or frequently used addresses,” Gillman said. “This can contribute to the problem of information being sent to the incorrect address. It could also lead to patient information in reports or referral letters being sent to the wrong provider.”
Protect patient data
Instances of lost or stolen devices containing patient information were significant.
Gillman said that protocols for taking patient information out of the practice, password protection, encryption, and device locking are essential.
“While it is not possible to completely guard against theft, precautions such as having protocols for when and how patient information can be taken out of the practice, password protection and encrypting files, and locking devices can help,” she said. “Protocols for ensuring devices can be remotely located or wiped and ensuring regular and secure back-ups not linked to your system will mean you can wipe devices without loss of data.
“Where the loss or theft involved physical files, these were often found discarded, so it is also important to report a loss.”
Secure unattended devices
Unlocked phones and unattended computers are vulnerable to breaches. Strong security settings and controls on devices accessing patient information are necessary.
“Phones left unlocked or with no password protection and computers left logged on and unattended were another source of data breach,” Gillman said. “Check the security settings on office computers and have appropriate controls on any devices that have access to patient information files.”
Close unused digital windows
Having multiple open windows can lead to errors, such as incorrect medication orders or wrong patient information in referrals.
“Having multiple windows open and flicking through them might be convenient. However, there have been reported cases where this practice has led to medication errors. It has also resulted in the wrong patient information being inserted into referrals or pathology requests,” Gillman said.
Prepare for breaches
Data breaches can cause patient harm, regulatory action, and reputational damage. The OAIC’s focus has been on education, but enforcement may increase following the 2023 Privacy Act Review. Proactive measures are better than managing breaches.
Gillman advises healthcare professionals to review and update privacy procedures, ensuring all staff, including temporary workers and contractors, understand their roles.
“You need a data breach response plan. Whether or not you end up having to report a data breach to the OAIC, you will need to be able to respond promptly and document what steps you have taken,” she said. “Even the most secure systems can be vulnerable to human error. Remind staff about the need for secure passwords and the dangers of phishing and other scams to gain access to your systems. If you are not sure who is asking for information, always check.”