Are privacy threats to the healthcare industry increasing?

Digital transformation has revolutionised the aged care sector, allowing facilities to enhance their quality of care, efficiency, and patient experience.

It enables often overworked and under-staffed facilities to streamline records and medication management, respond quicker to medical needs, improve resource allocation, personalise care, and boost communication among staff, residents and families.

Ultimately, though, the greatest benefit is how it allows caregivers to spend more time providing expert, effective and compassionate care to their residents.

However, it has also presented a new and growing threat – privacy breaches.

According to the Australian Cyber Security Centre (ACSC), over 76,000 cybercrime reports were received during the 2021-22 financial year; one every seven minutes and a 13 per cent year-over-year increase.

Every business – irrespective of industry and size – is at risk. Breaches to the likes of Optus, Telstra, and Medibank are evidence of that.

Given the highly confidential nature of the data collected and stored by aged care facilities, a privacy breach could be considered more damaging – financially and reputationally – than in any other sector.

Many smaller organisations and facilities often wrongly assume they’re not at risk, but they are.

Small businesses in the healthcare sector account for 37 per cent of total GDP, making it the sixth biggest industry for small business share.

Zoho research, which sought to understand privacy awareness and protections amongst small businesses – many of which were in the healthcare sector – found that hundreds of thousands would struggle to survive the financial or reputational damage caused by a breach.

But what did the research reveal? Are threats increasing? And what considerations should aged care businesses make?

A growing threat

In the last year, many large Australian businesses – including Medibank, operating within the sector – have fallen victim to significant privacy breaches.

They have brought the issue of what data is collected, why and where it is stored, into focus.

For aged care, handling personal information appropriately underpins the trust in a provider-patient relationship.

Families will be reluctant to entrust the care of a loved one to a place that has been the victim of a breach.

Reactions to those high-profile breaches have been mixed.

According to research by Zoho, they’ve resulted in increased awareness amongst Australian organisations, with 45.4 per cent of respondents, many in the health sector, ranking data privacy as a top priority, while a further 30 per cent said it was important.

However, despite their heightened awareness and priority, the research also revealed that many had done nothing in response, while a quarter would not survive a breach financially or reputationally.

Increased legislation

The Aged Care Quality and Safety Commission is bound by strict privacy and protected information laws that limit when and how it collects, uses and shares personal information with people or organisations
outside of the Commission.

These laws are contained in the Aged Care Quality and Safety Commission Act 2018 and the Privacy Act 1988 – the Government’s legislation concerning the collection, use, storage and disclosure of personal information.

Organisations face steep fines and penalties for infringements or failure to comply.

Concerningly, Zoho's research found that only half of businesses (51.8 per cent) understand their requirements in accordance with the legislation, while 22.9 per cent say outright that they do not.

Turning their growing awareness of privacy risks into actual action and understanding is essential.

Taking action

Whether it’s a retailer or an aged care facility, the vast majority of businesses and institutions collect customer data, using it to understand, manage and serve their audience – whether they’re patients, shoppers or clients.

All aged care facilities must understand their legal obligations and communicate effectively with their patients.

While they cannot entirely immunise themselves from a privacy breach, there are many ways to reduce
the risk or respond.

For example, creating a well-defined, documented and applied privacy policy that is communicated to their patients and followed by their staff.

An effective policy not only helps implement best practices and follow procedures to minimise the risk proactively but also helps them understand the steps required if they are targeted.

Small to medium enterprises must also invest in third-party technology vendors that prioritise data privacy, promote best practices, and regularly audit their performance and privacy policy.

Aged care facilities are experts in care, not data privacy, and cannot be expected to become such.

So policymakers and technology vendors have an obligation to educate and support about risks, requirements and best practices.

Aged care providers can take action immediately, for example, by updating their data privacy policy, or running their entire organisation through it, in an effort to increase awareness and best practices.

There is no ambiguity – cyber threats are increasing, and will continue to do so.

Eliminating them altogether is not possible, but increasing awareness, education, action, and support can drastically reduce the threats – enabling aged care institutes to focus on the patients in their care, not the threats to their institution.

Vijay Sundaram is the chief strategy officer at Zoho, a global technology company

Get the news delivered straight to your inbox

Receive the top stories in our weekly newsletter Sign up now