ADA News Bulletin, April 2016: Practice
Negligence and unintentional mistakes by employees can amount to
'data breach incidents' without the employees realising that they
have caused one. A negligent employee or contractor poses as much
risk of causing a data breach as a malicious hacker. This is borne
out by the Ponemon Institute's study '2015 Cost of Data Breach:
Global Analysis', which found that human error was responsible
for 25% of all data breach incidents.
Common patterns of human error that also apply to data breaches
in health practice settings include:
• Accidental loss of a device containing personal information, which
then falls into the hands of a third party. Lost or stolen computing
devices account for 49% of unintentional data breaches and are
largely attributable to employee carelessness. Laptops, USB devices
and mobile phones are easy to lose. Anyone who comes into possession
of your lost data can attempt to blackmail your business, for
example by threatening to post information about your patients on
public websites.
• Disclosure of information to the wrong recipient through an
incorrect email address, a faulty mail merge or mislabelled
envelopes is a common mistake. Clients can hold your business liable
for such mistakes by claiming you failed to ensure the privacy of
their data, an obligation all businesses hold under the Privacy Act.
Health practice staff who send sensitive medical information to
patients need processes in place to confirm that the addresses on
those documents are correct; otherwise they may cause a breach of
privacy.
• Leaving laptops or portable computers unattended, whether in or
outside the workplace, is perhaps the last worry on anyone's mind.
However, cases of data theft by visitors or colleagues are becoming
more common. Staff may be accused of allowing others to view
patients' personal information, thereby causing a privacy breach.
• Employees fall victim to social engineering or phishing attacks
when they open an unsafe URL or attachment received in an email
and unintentionally reveal confidential information about the
health practice. Social engineering involves scammers manipulating
people into handing over confidential information. Typical examples
are scammers claiming to be an authority figure from law enforcement,
a private health insurer or a senior officer of a company. Phishing
scams send emails containing malicious links or attachments that
cause malware to be downloaded onto the user's computing device.
The risks of data breaches in a health practice can be mitigated if
the practice emphasises a culture of privacy in the organisation,
backed by procedures and controls. Appointing a privacy officer
responsible for safeguarding all patient data and privacy supports
this.
Breaches of patients' data privacy
UNAUTHORISED ACCESS TO INFORMATION
There is confusion around authorised versus unauthorised access
to information. An employee in a health practice responsible for
data entry of customer information has authorised access to the
customer database. However, the employee is only authorised to
enter information; any other manipulation, use, distortion of or
access to customer information by the same employee may be viewed
as unauthorised. A common example of authorised access being put to
unauthorised use is an employee looking up the details of relatives
on the system. Imposing controls and scrutiny on such activity can
be costly for a small business, but it is possible to keep access
logs and audit them regularly to see how records are actually being
used and by whom.
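One way to do the logging and regular audit the paragraph describes, as an added example that is not from the bulletin: the log format, the role table, the staff directory and every log line below are constructed for illustration. The surname match is a crude stand-in for "looking up relatives"; a human reviewer still has to confirm or dismiss each finding.

```python
"""Audit practice-management access logs for authorised access used for an
unauthorised purpose.

Added example, not from the ADA bulletin.  The log format, the role table,
the staff directory and every log line below are constructed for illustration.
"""
from collections import Counter

# Constructed role table: which actions each role is permitted to perform.
# A data-entry clerk may create and update records but never read clinical
# notes or export data; a clinician may do all of these.
ROLE_PERMISSIONS = {
    "data_entry": {"create", "update"},
    "clinician": {"create", "update", "read", "read_notes", "export"},
}

# Constructed staff directory: account -> role and surname.  The surname is
# used to flag lookups of patients who may be the employee's relatives.
STAFF = {
    "jsmith": {"role": "data_entry", "surname": "Smith"},
    "dlee": {"role": "clinician", "surname": "Lee"},
}

# Constructed access log: timestamp, account, action, patient id, patient surname.
SAMPLE_LOG = """\
2016-04-01T09:02:11 jsmith create     P1001 Nguyen
2016-04-01T09:05:40 jsmith update     P1001 Nguyen
2016-04-01T09:15:03 jsmith read       P0442 Smith
2016-04-01T09:16:22 jsmith read_notes P0442 Smith
2016-04-01T10:01:00 dlee   read_notes P1001 Nguyen
2016-04-01T10:20:30 dlee   read       P0777 Lee
2016-04-01T22:45:10 jsmith export     P1001 Nguyen
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of dicts; skip blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient_id, surname = line.split()
        entries.append({"ts": ts, "user": user, "action": action,
                        "patient_id": patient_id, "surname": surname})
    return entries


def audit(entries, staff=STAFF, permissions=ROLE_PERMISSIONS):
    """Return (timestamp, account, reason) for every entry that deserves review.

    Two checks: an action outside the account's role (authorised access to the
    database does not make every action on it authorised), and a lookup of a
    patient sharing the employee's surname (a crude proxy for 'looking up
    relatives', which a human then confirms or dismisses).
    """
    findings = []
    for e in entries:
        info = staff.get(e["user"])
        if info is None:
            findings.append((e["ts"], e["user"], "account not in staff directory"))
            continue
        if e["action"] not in permissions[info["role"]]:
            findings.append((e["ts"], e["user"],
                             f"action '{e['action']}' outside role '{info['role']}'"))
        if e["surname"].lower() == info["surname"].lower():
            findings.append((e["ts"], e["user"],
                             f"accessed record of patient surnamed {e['surname']} "
                             "(matches employee surname; possible relative)"))
    return findings


def findings_per_account(findings):
    """Count findings per account so the busiest offenders surface first."""
    return Counter(user for _, user, _ in findings)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for ts, user, reason in results:
        print(f"{ts} {user}: {reason}")
    print(findings_per_account(results).most_common())
```

Run over the constructed log, the script flags the data-entry account reading and exporting records it is only permitted to create or update, and both accounts touching a record that shares their surname. The role table is the part a practice has to get right: the audit is only as precise as the definition of what each role is authorised to do.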
COST OF HUMAN ERROR
Human beings are prone to error, and error is a costly proposition.
In 2015, breaches caused by human error cost businesses $137 per
record, compared with an average of $170 per record for breaches
caused by malicious or criminal attack. Data breaches caused by
human error took an average of 158 days to identify, so the damage
can be ongoing long before anyone notices. These figures come from
the same Ponemon study mentioned earlier; while the average cost of
a data breach differs across industries, they highlight the
implications of data breaches for businesses of all sizes.
Cyber insurance can help to offset the costs of a data breach,
including:
• The cost of restoring data after data theft;
• The cost of detecting and removing malware introduced by a phishing
or social engineering attack;
• Fines and penalties resulting from a data breach caused by human
error, plus the cost of notification itself;
• The cost of managing the resulting public relations damage; and
• The many other costs associated with a data breach.
Cyber Risk, Intellectual Property and Data Privacy
10 | ADA NEWS BULLETIN | APRIL 2016