Collectively, technology enables healthcare professionals and institutions to drastically improve the quality of care they can administer to their patients.
However, healthcare is not immune to today’s great digital threat: privacy breaches. Australian hospitals and healthcare institutions must adhere to multiple data privacy and security regulations, from The Privacy Act 1988 and My Health Records Act 2012, to Health Practitioner Regulation National Law, The Health Records and Information Privacy Act and more. The level of regulation reflects not only the sensitivity of the data the industry holds, but also the fact that threats are increasing.
The Australian Cyber Security Centre (ACSC) received over 76,000 cybercrime reports in the 2021-22 financial year. That’s a 13% YoY increase, representing one report every seven minutes. Industry and size are irrelevant; every business, organisation or institute can be susceptible to a breach. Given the highly confidential nature of the data collected and stored by healthcare institutions, it can be argued that a privacy breach would be more damaging than in any other sector.
Breaches don’t discriminate, but many smaller organisations and institutions wrongly believe they’re low-risk. Small organisations in the healthcare sector account for 37% of total GDP, making it the sixth biggest industry for small business share. Zoho recently researched small organisations – many of which were in the healthcare sector – to understand their privacy awareness, protections and policies.
Is awareness growing as threats do?
Not only are breaches increasing in severity and regularity, they’re increasing in profile too. Attacks on the likes of Optus, Telstra and Medibank – some of the most established names in corporate Australia – made headline news. The collection of data in the healthcare industry is more necessary than in others, like retail, hospitality and telecommunications. For healthcare institutes, appropriate and safe handling of personal information underpins the trust in a provider-patient relationship. A breach not only damages that trust, but can cause severe financial and reputational damage.
What has the reaction to those high-profile breaches been? According to Zoho’s research, there’s been an increase in awareness amongst certain organisations. Almost half (45.4%) of respondents, many in the health sector, rank data privacy as a top priority, while a further 30% said it was important. However, despite their heightened awareness, action hasn’t always followed, with the research also revealing that many have done nothing to mitigate their risk. The most telling finding was that a quarter of organisations would not survive a breach, whether financially or reputationally.
Few, if any, industries operate under stricter and safer privacy laws – at both a federal and state level – than healthcare. The industry is bound by strict privacy and protected information laws that limit when and how institutions collect, use and share personal information. One of the central pieces of legislation is the Privacy Act 1988 – federal legislation concerning the collection, use, storage and disclosure of personal information. Institutions face steep fines and penalties for failure to comply.
Despite the importance of the legislation and the breadth of industries and organisations it covers, only half (51.8%) understand their requirements under the legislation, while 22.9% say outright that they do not. So while awareness is important, fostering it and turning it into action is essential.
Awareness into action
Whether it’s a restaurateur, telco or healthcare provider, the vast majority of businesses and institutions collect data. They use it to understand, manage and serve their audience – whether they’re patients, guests, shoppers or clients. By many estimates, data has surpassed oil in value, which is why so many unscrupulous hackers are determined to access it. So all healthcare institutions, from top to bottom, must understand their legal obligations and communicate effectively with their patients.
When implementing or using third-party technology, healthcare professionals must prioritise vendors that make data privacy a foundation of their technology, not an add-on, and that adhere to the highest industry guidelines and expectations. Healthcare institutes are experts in care, not data privacy. That’s why policymakers and technology vendors have an obligation to educate and support them on risks, requirements and best practice.
For healthcare providers – and indeed, for any business – privacy threats are increasing, and are showing little sign of slowing. In an industry where records are more personal and sacred, the stakes are higher, but through awareness, education, action and support healthcare providers can provide the care their patients need, with peace of mind that their records are under care behind the scenes.
Vijay Sundaram is the Chief Strategy Officer at global technology platform Zoho. With 45+ apps in nearly every major business category, including sales, marketing, customer support, accounting and back office operations, and an array of productivity and collaboration tools, Zoho Corporation is one of the world's most prolific software companies.