Why increased data regulation is a good thing for Australian healthcare providers
Healthcare organisations – both within Australia and across the world – have traditionally been fairly slow-moving when it comes to the adoption of innovative digital services. This is especially true in the realm of cybersecurity and data privacy, with a lack of hard-and-fast regulatory guidelines resulting in a patchwork of data privacy and compliance standards.
The number of data breaches and attacks on the sector is continually growing. According to the Office of the Australian Information Commissioner (OAIC), the health sector reported the most breaches under the Notifiable Data Breach scheme, making up 23 per cent of all breaches from July to December last year.
As discussed in our recently published whitepaper Balancing Innovation, Security and Compliance in the Health Sector, the absence of a unified, federally mandated set of compliance standards breeds confusion. Often healthcare providers don’t know where they are lacking or how to start bolstering their cybersecurity practices. However, change might now be on the horizon, as the federal government has introduced new legislation that could have a profound impact on the healthcare sector.
Issues with the current healthcare compliance landscape
As you might expect of any sector where lives are on the line, healthcare and life sciences is deeply regulated in most respects. This carries over, to a degree, into data privacy and security, although the way that regulation has been orchestrated has been problematic.
As healthcare becomes more digitised and integrated, difficulties have arisen over data governance laws in relation to jurisdiction. In the case of data storage, legislative requirements can vary state by state.
As part of TRA research with 120 senior technology decision-makers (commissioned by Vault Cloud), a respondent from a national private health group gave some insight into this issue.
“Legislative requirements (for data storage) vary state by state. e.g. in Victoria a paediatric patient’s data must be kept for 25 years from when that patient turns 18, while in NSW it’s 20 years,” the respondent said.
“The challenge is that currently the intelligence does not reside in the systems to determine the appropriate period for which data must be retained and where it should be held. The cost of changing systems to more appropriately handle, tag and retain data outweighs the [benefits].”
While states do outline certain privacy and information security standards, many are limited to information storage practices that only apply to the public sector. This is true of the Victorian Protective Data Security Standards or New South Wales’ Privacy and Personal Information Protection Act.
What changes are incoming?
Late last year, following a string of state-sponsored attacks, the federal government revealed its cyber security framework, which includes proposed changes to the Security of National Infrastructure Act. The legislation expands the scope of critical infrastructure for regulatory purposes to include several other sectors, among them healthcare. This is likely to cover hospitals, healthcare providers and life sciences organisations.
Under the federal cyber security framework, regulators would be able to issue notices and directives to critical infrastructure providers found lacking in their mitigation of threats that could “significantly impact Australia’s economy, security or sovereignty.”
This essentially provides the government with a higher degree of power over healthcare providers in enforcing compliance standards. It may mean providers need to respond to orders requiring adherence to sector-specific baselines, while demonstrating compliance in annual reports. The government may also be able to step in and address vulnerabilities, which might be good news to some but not so much for others.
Overall, there is likely to be renewed scrutiny over where patient data and other critical information is held.
Why is this a good thing for healthcare?
While it might seem that an avalanche of new regulatory obligations and red tape is on the horizon, the new legislation offers an exciting opportunity for healthcare organisations.
Breaches don’t even need to be cyber-attacks to seriously disrupt organisations, as Woolworths’ 2015 customer data leak highlights: human error can be just as disastrous. This is especially concerning given that the health sector has, by far, reported the most human-error related data breaches to the OAIC in the last year.
In some cases, cyber breaches can even put a patient’s life in danger. As reported by the Associated Press, a misdirected cyber-attack took out the IT systems of Germany’s Duesseldorf University Hospital, causing the death of a patient who could not be admitted.
Legislation to hold healthcare institutions to a federal compliance standard would create a more unified, easy to understand framework. It allows healthcare firms to elevate the issue of cybersecurity within their organisations, reinforcing the position of CIOs, IT managers and other technology professionals.
This is crucial as these staff members are often struggling to attain budget or get board approval for the projects they need to get done. Compliance laws make it much more difficult for financial decision-makers to de-prioritise cybersecurity and data protection investment, given what’s at stake if these investments aren’t made.
Vault Cloud recently launched an extended whitepaper, Balancing Innovation, Security and Compliance in the Health Sector, exploring how healthcare organisations can innovate and thrive while remaining compliant with all upcoming regulatory requirements.
Interested in learning more about how Vault Cloud can help drive secure innovation at your organisation? Get in touch with one of our consultants today at hello@vaultcloud.com.au.