I came across a recent article that highlights a distressing incident, shedding light on the vulnerable state of our healthcare systems and the critical need for better data protection. The article, titled "Patients told to contact NT Health following privacy breach of identifiable medical records", emphasises the urgency of addressing these issues and the impact they have on individuals.
The breach of identifiable medical records at a hospital is not only a breach of privacy, but also poses significant risks to the affected individuals. Personal health information (PHI) is sensitive, and its exposure can have severe consequences, ranging from identity theft to potential discrimination. It is disheartening to witness such incidents, where individuals are left responsible for determining whether their information has been compromised. We cannot find in the Privacy Act or the Mandatory Data Breach Notification (MDBN) where it says an individual has to find out for themselves if they have been breached.
“It is the duty of the organisation who is breached to notify the victims of the breach”.
This situation underscores the urgent need for robust cybersecurity measures and stringent data protection protocols within healthcare organisations. It is imperative for hospitals, clinics, and healthcare providers to invest in better cyber security practices, rather than simply layering product on top of product in the belief that this will solve the issue.
“These systems are becoming like a big game of Jenga”.
Moreover, transparency and accountability play a crucial role in rebuilding trust and ensuring individuals are promptly informed about any breaches that may have affected them. Healthcare organisations must adopt comprehensive breach response plans, including clear communication channels, support services, and guidance for affected individuals.
As professionals in the field, it is our collective responsibility to advocate for stronger data protection measures and demand accountability from healthcare providers. We don’t need any more taskforces or committees, paying people to spend significant amounts of time deciding on the fate of everyone’s information privacy. Additionally, governments and regulatory bodies need to prioritise the development and enforcement of robust data protection laws and regulations in the healthcare sector, not just increase fines through aimless legislation.
“Consistency is key”.
The first solution is a consistent approach to cyber security in Australia. We have too many standards and too many opinions on how cyber security should be done. All standards are developed by humans and have faults in them. We also have a strong tendency to start working from standards right away instead of first performing risk and threat modelling exercises to really understand what we have to lose and who is likely to compromise the organisation.