Rise in data breaches as compliance deadlines change

Private health services including aged care providers have again reported the highest number of data breaches, according to the latest report from the Office of Australian Information Commissioner.

Between October and December 2018, 54 of the 262 data breaches reported occurred in health organisations, up from 49 breaches between April and June 2018.

The leading cause of notifiable data breaches in the December quarter was malicious or criminal attack (168 notifications), followed by human error (85 notifications) and system error (9 notifications).

Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks.

The Department of Human Services’ (DHS) stringent Secure Cloud Strategy compliance deadline looms for Australian software companies that connect with its services.

Its mandatory compliance policy applies to third-parties using cloud services who connect with the Department to deliver services such as Medicare, PBS, DVA, NDIS, MyHealthRecord, Aged Care and Child Care.

While companies were previously going to have to comply from April 2019, the deadline will now be tied to individual product accreditation renewals.

This means software vendors may be caught unprepared, non-compliant and as a result unable to connect specific products to DHS online services, says Phil Wallace, Head of Customer Experience at Macquarie Cloud Services.

“The fact the compliance deadline has moved from a fixed date in April to become tied to individual product accreditation renewals means many software developers may be caught unprepared, non-compliant and as a result unable to connect specific products to DHS online services.

“The accreditation and compliance process takes several months so every Australian healthcare software company should be documenting its specific product renewal dates and factoring in a 3-6 month accreditation timeline tracking backwards from that date,” Mr Wallace said.  

Mandatory DHS accreditation includes Australian Signals Directorate CCSL Certification and Data Sovereignty stating all data must remain onshore within Australian jurisdiction.

Also highly desirable are physical separation of server infrastructure and limiting security clearances to citizens holding NV1 clearance.

In June 2018, Macquarie Cloud Services launched Launch™ Health Cloud, a dedicated healthcare private cloud that meets these stringent requirements. It was designed from the ground up to meet the most rigorous security requirements.

“In essence, when we couldn’t find the perfect cloud solution for the Australian healthcare industry, we went ahead and built it from the ground up,” said Mr Wallace.

The company is now working with the Medical Software Industry Association (MSIA) to proactively educate the industry on policy and mandatory accreditation requirements.

Its first education session will be held in Sydney on March 21 and will include speakers from DHS and MSIA, as well as lessons from Mike Smith, CEO of Greenlight ITC, one of the earliest partners to achieve compliance.

Meanwhile, Australian Information Commissioner and Privacy Commissioner Angelene Falk reinforced the need for organisations and individuals to secure personal information by safeguarding credentials.

“Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information,” Ms Falk said.

“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.

“If a data breach occurs, early notification can help anyone who is affected take action to prevent harm.”

The OAIC has produced a Data breach preparation and response guide for agencies and private sector organisations with obligations under the Privacy Act.
