Protecting personal information is an essential function of businesses, especially in sensitive sectors like health.
According to the World Economic Forum, cyber risk has been recognised as “the most immediate and financially material sustainability risk that organisations face today”. A somewhat stark statement.
The Australian Securities and Investment Commission (ASIC) has recently warned directors that a failure to adequately address cyber security risk or comply with relevant disclosure and reporting requirements may be a breach of their directors’ duties. This inevitably impacts medical and health practice owners and managers who will be expected to remain proactive about cybersecurity and ensure their systems and processes can appropriately deal with and respond to a cyber-attack.
Why the heightened interest?
There are a number of factors at play here. Cyber security attacks are becoming more sophisticated with high profile cybersecurity incidents taking place. There has also been a recent Federal Court of Australia decision in which a business and its directors in the financial services sector was found to have breached their obligations after failing to adequately manage its cybersecurity risks. The business was ordered to pay $750,000 towards ASIC’s costs. You can have a closer look at ASIC’s article here: Be prepared | ASIC – Australian Securities and Investments Commission.
As you can see, it’s a clear message from the corporate regulator– “Be prepared”.
Ensuring compliance, preventing a breach
According to ASIC, no business is too small for a cyber security strategy.
Medical practices are routinely collecting, storing, utilising and disclosing personal information. In light of the heightened attention and elaborate cyber-attacks, globally, it would be a very good time to look at your systems and processes and ask yourself:
- Do you have appropriate cyber security risk management systems in place, and do they give you enough visibility of cyber risks so you can comply with your disclosure obligations?
- Is there a way of testing and verifying the effectiveness of those risk management systems?
- Are your current cyber security and IT systems adequate to store information securely and protect against third party infiltration?
- Could you promptly identify any data breaches (actual or potential) and satisfy your reporting requirements?
- Do your contracts with IT vendors protect your business by addressing and managing potential security breaches?
- Do you have appropriate practice medical indemnity insurance cover in place to cover the legal costs of defending your practice and employees against unintentional breaches of privacy and confidentiality?
Hopefully you are confident the answer to each of these questions is ‘yes’.
Cyber risk is, however, an area that continues to evolve, and all businesses and their directors will need to be on a journey of continuous improvement when it comes to cyber security.
Cyber resilience toolkit
ASIC have published resources on Cyber resilience good practices to “enable organisations to operate highly adaptive and responsive cyber resilience good practices” that would need to be tailored to the company with the assistance of technically-expert, internal or external guidance. To access, click here.
Protection against the impacts of a cyber incident
Avant Cyber Insurance has been designed to help protect medical practices against many of the common losses caused by a cyber incident. Cover is complimentary when you hold an Avant Practice Medical Indemnity Policy with no additional premium payable.
Call us on 1800 128 268 or email us at memberservices@avant.org.au to find out more about our cybersecurity coverage for medical practices.
Prevent, manage, respond
Avant Law can help Medical Practices understand current privacy principles, obligations and appropriate processes and procedures.
Call 1800 867 113 or click here to organise a meeting with one of our expert lawyers at a time that suits you.
The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content.
Avant Practice Medical Indemnity Insurance is issued by Avant Insurance Limited ABN 82 003 707 471, AFSL 238 765.The policy wording is available at www.avant.org.au or by contacting us on 1800 128 268. Practices need to consider other forms of insurance including directors’ and officers’ liability, public and products liability, property and business interruption insurance, and workers compensation.
The information in this article is current to 17 October 2022.
