In this Q&A, we (IA) speak with Anne Cornish, CEO of Records and Information Management Professionals Australasia (RIMPA), about the risks associated with cyber-security and what aged care providers need to factor into business plans for this area.
Anne: The aged care industry, like many other industries, is becoming increasingly reliant on digital technology. This includes the use of electronic health records, online communication platforms, and other digital systems that contain sensitive personal and financial information.
If a cyber breach occurs in the aged care industry, it could have serious consequences. Not only could personal and financial information be compromised, but the ability to provide care to vulnerable elderly people could also be impacted. This is why it is crucial for the industry to take steps to protect against cyber threats and to have effective response plans in place in case a breach does occur.
IA: How exactly has the “digital by default” rush impacted the aged care sector during the pandemic?
Anne: The “digital by default” rush has both benefits and challenges for the aged care sector. While it has enabled care providers to continue delivering services in a challenging environment, it has also created new risks that must be managed carefully.
Increased cybersecurity risks: As the use of digital technology has increased, so have the risks of cyber attacks. Aged care providers must be vigilant about protecting their systems and data from hackers and other cyber threats.
IA: What are some of the concerns related to compliance and regulation for records management and disposal in the aged care industry?
Anne: The aged care industry is subject to numerous compliance and regulatory requirements related to records management and disposal. Some of the concerns related to compliance and regulation in this area include:
- Aged care providers must comply with strict regulations governing the collection, use, storage, and disposal of personal and sensitive data, such as medical records and financial information. This includes complying with privacy laws and regulations, such as the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
- Aged care providers must also comply with retention and disposal requirements, which dictate how long different types of records must be kept and when they can be disposed of. This includes compliance with the Australian Government’s Records Authority 2019/00000446 – Aged Care Records, which sets out the requirements for the management of records in the aged care sector.
- Aged care providers must comply with a range of industry standards and codes of practice related to records management and disposal. This includes compliance with the Australian Aged Care Quality Standards, which include a requirement to maintain accurate and complete records.
- Aged care providers must establish and maintain robust information governance practices to ensure compliance with all regulatory and legal requirements related to records management and disposal. This includes having policies and procedures in place for managing and disposing of records, and ensuring that staff are appropriately trained and equipped to comply with these requirements.
Failure to comply with these requirements can result in significant financial penalties and reputational damage. Therefore, it is crucial for aged care providers to have strong compliance and regulatory frameworks in place to ensure that they are meeting all relevant requirements related to records management and disposal.
IA: What do you think are the potential consequences of not implementing a minimum standards framework for handling and disposing of private information in aged care facilities?
Anne: Failing to implement a minimum standards framework for handling and disposing of private information in aged care facilities can have serious consequences for both the individuals whose information is being handled and the aged care facility itself. Here are some potential consequences:
- Without appropriate standards for handling and disposing of private information, there is a greater risk of privacy breaches. This can result in sensitive personal and medical information being accessed, used or disclosed without authorisation. This can lead to significant emotional distress for individuals and their families, and can also result in reputational damage for the aged care facility.
- Aged care facilities have a legal obligation to protect the privacy of their residents and patients. If they fail to do so, they may be liable for legal action, including fines, damages, and regulatory penalties.
- Privacy breaches and other failures in the handling and disposal of private information can erode the trust that residents and patients have in aged care facilities. This can make it difficult for aged care providers to attract and retain clients and can lead to a loss of revenue and a damaged reputation.
- Aged care facilities are increasingly reliant on digital systems for the management of private information. Without appropriate standards for cybersecurity and data protection, these systems are at risk of cyber attacks, which can result in the theft or loss of sensitive data.
Implementing a minimum standards framework for handling and disposing of private information is crucial for protecting the privacy and security of individuals in aged care facilities, and for ensuring that aged care facilities are meeting their legal and ethical obligations.
IA: In your opinion, how long should aged care facilities hold on to the private information of their clients, and why?
Anne: The retention period for private information in aged care facilities can vary depending on several factors, including the type of information, the jurisdiction, and any legal requirements or industry standards. Factors to consider:
- Aged care facilities must comply with various laws and regulations governing the handling and retention of private information, such as privacy laws and health information legislation. The retention period for private information may be mandated by these laws and regulations.
- The aged care industry has its own set of industry standards and codes of practice related to the management of private information. These standards may recommend a retention period for certain types of information.
Very importantly, aged care providers must assess the purpose for which the information was collected as this is a factor in determining the retention period. For example, medical records may need to be kept for a longer period than financial records. Aged care facilities may also need to consider the potential future use of the information, such as if it may be needed for legal or regulatory purposes.
In general, aged care facilities should keep private information for as long as necessary to meet legal and regulatory requirements and the purpose for which it was collected. Once the retention period has expired, the information should be securely disposed of to prevent any unauthorised access or use.
IA: Can you discuss any potential solutions or strategies that the aged care industry could implement to address these concerns around records management and cybersecurity?
Anne: There are several solutions and strategies that the aged care industry could implement to address concerns around records management and cybersecurity.
- Implement robust information governance frameworks: Aged care providers should establish and maintain comprehensive information governance frameworks that cover all aspects of records management and cybersecurity. This includes having policies and procedures in place for managing and disposing of records, and ensuring that staff are appropriately trained and equipped to comply with these requirements.
- Conduct regular cybersecurity risk assessments: Aged care providers should conduct regular cybersecurity risk assessments to identify potential vulnerabilities in their systems and processes. This can help them to take proactive steps to prevent cyber attacks, such as implementing appropriate security controls and training staff on cybersecurity best practices.
- Encrypt sensitive data: Aged care providers should ensure that sensitive data, such as medical records and financial information, is encrypted both when it is stored and when it is transmitted. This can help to protect against unauthorised access and use of this data.
- Keep software and systems up-to-date: Aged care providers should ensure that their software and systems are kept up-to-date with the latest security patches and updates. This can help to address any known vulnerabilities and reduce the risk of cyber attacks.
- Implement regular training and awareness programs: Aged care providers should implement regular training and awareness programs to educate staff on best practices for records management and cybersecurity. This can help to reduce the risk of human error, such as accidental disclosure of sensitive information.
Overall, implementing a combination of these strategies will help aged care providers to effectively manage their records and protect against cybersecurity risks. By taking a proactive approach to information governance and cybersecurity, aged care providers can ensure that they are meeting all relevant compliance and regulatory requirements, and protecting the privacy and security of their clients’ information.
IA: Lastly, what steps can individuals and organisations take to stay informed about cybersecurity risks and prevent data breaches?
Anne: There are several steps that individuals and organisations can take to stay informed about cybersecurity risks and prevent data breaches.
- Stay up-to-date with the latest news and trends: Individuals and organisations should stay informed about the latest cybersecurity news and trends by following relevant sources, such as industry publications and cybersecurity blogs.
- Attend training and awareness programs: Organisations should provide regular cybersecurity training and awareness programs to staff to ensure they are aware of the latest risks and best practices. Individuals should also attend training programs or webinars that teach them how to protect their personal information online.
- Implement cybersecurity best practices: Both individuals and organisations should implement best practices for cybersecurity, such as using strong passwords, encrypting sensitive data, and keeping software and systems up-to-date.
- Conduct regular cybersecurity risk assessments: Organisations should conduct regular cybersecurity risk assessments to identify potential vulnerabilities in their systems and processes. This can help them take proactive steps to prevent cyber attacks, such as implementing appropriate security controls and training staff on cybersecurity best practices.
- Follow compliance and regulatory requirements: Organisations should follow compliance and regulatory requirements related to data protection, such as privacy laws and health information legislation. Individuals should also stay informed about their rights related to their personal information.
- Engage cybersecurity experts: Organisations can engage cybersecurity experts, such as consultants or managed security service providers, to help them manage their cybersecurity risks.
IA: Thank you.