How to be smart and protect your data

Should you be concerned?

If you have a business, you are a target. Cyber criminals are attacking more Australian businesses, intent on stealing data for profit. Think about it: how much of your day-to-day business relies on data? Financial and medical records, client contact details, email, etc. If you lost your data, what would you pay to get it back?

You are legally responsible

The Office of the Australian Information Commissioner (OAIC) has been given broader powers to enforce privacy and freedom of information laws and protect personal information of Australians in the digital era. The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 will take effect as of March 2014 and applies to all health service providers.

New legislation mandating reporting of business data breaches is expected to be introduced this year. The Australian Privacy Commissioner, Timothy Pilgrim, has stated his commitment to enforcing the new laws and exacting penalties on agencies and businesses who fail to adequately protect their client base.

Now is the time to speak with your solicitors to ensure your practice has or develops an effective Privacy Policy that complies with the new laws. It is also time to talk with your IT provider to ensure your data storage (medical records, personal information, email, etc) and security complies with the new laws.

Sadly, because of the perceived cost of setting up a secure and effective IT system, many practices have ignored their duty of care to patients. However, the cost of being compliant is nothing compared to the costs your practice would bear should your data be breached or a complaint lodged with the OAIC: fines, damage to reputation, and ongoing monitoring of credit agencies to ensure stolen or encrypted client information is not being misused.

Data security and your IT

The new laws have major implications for how you store and back up personal information and medical records. For example, under the new Act personal information should only be opened by the intended recipient.

Consider this: if you are sending sensitive information using a standard email environment, such as Microsoft Exchange, your IT administrator has access to every email that passes through your server, which means your practice is not compliant with the new laws.

Take the time to talk with your IT provider to ensure your systems fulfill your duty of care to your clients. Key aspects you need to manage include:

  • having a properly configured firewall in place; default, ‘out of the box’ configurations are too permissive to meet your legal obligations;
  • understanding the security and redundancy measures of any cloud provider your practice subscribes to, knowing where they store your data, and what data you store there;
  • having correct permissions (security) in place for file and email access; and
  • understanding what remote access exists into your network and what steps have been taken to secure it, such as multi-factor authentication.

Nathan Warnecke
Director, itro
itro is a Microsoft Gold-Certified Partner that specialises in IT and Internet-based systems for small to medium businesses using Microsoft products. Based locally in Cremorne, Melbourne (5 minutes from Melbourne’s central city district) itro can manage every aspect of your IT and communication security, onsite or remotely.