Recent legislation has put the onus on aged care providers to review their privacy management procedures and ensure the client data they keep is secure, writes Stephen Cavey.
The security of client information is a fundamental concern for health and aged care providers, and is at the heart of the relationships of trust held between consumers and service providers.
In every privacy debate in Australia for the past 30 years, concerns about the integrity and security of client data have been the number one issue. The health and aged care sectors therefore understand very well the importance of protecting client data. As an industry, healthcare providers and government agencies are considered leaders among security professionals, given the critical nature of the data they protect.
However, the broader technology landscape has shifted dramatically. Ubiquitous connectivity has given rise to a broad spectrum of online services, such as cloud computing, and to the universal adoption of smartphones, which together have changed the way we all do business and the way customers interact with businesses.
These developments in computing and network infrastructure have fundamentally changed the way security issues are dealt with. This is as true for the aged and health sectors as it is for any other.
Recent government legislation related to privacy in Australia is forcing health and aged care providers to conduct a detailed review of how personal information is being stored. The Australian Privacy Commissioner has been granted significant new powers to punish companies that “leak” personal information.
This is particularly important to small healthcare practices, because the issue of ‘personal information’ extends well beyond the details of ‘client information’ and even beyond a client’s ‘financial information’ such as credit card numbers and bank details.
In an age where identity theft and other fraud-related cybercrime is an increasing problem, personal information also includes all potential identifiers – names, addresses, birth dates, driver’s licence numbers and other identity documents. Most companies, whether they are in the health and aged care sector or in the broader business community, are not aware of just how much exposed personal data they retain on their corporate IT systems.
If there is one trend I urge all aged care providers and chief information officers to understand, it is the concept of ‘data-centric’ security. Traditionally, IT systems have been protected by creating a secure barrier around your company’s data to keep unauthorised users out. That is the basic philosophy of perimeter security, and it refers to firewalls and the basic authentication systems that accompany them.
Inside the perimeter
However, more evolved security organisations know that you can’t just focus on the strength of the perimeter. Increasingly, security experts are looking at what happens inside the perimeter. Anyone who follows security issues knows that there is no such thing as an impenetrable barrier against hackers – the sophistication of cyber-threats and the sheer volume of attacks mean that this is no longer a healthy assumption to make. Just ask eBay, which recently suffered a data breach in which the passwords, login details and other personal data of 145 million users were exposed to criminals.
Under this improved model, perimeter security makes up one element of a more comprehensive security strategy, which includes data discovery, data encryption, intrusion detection, real-time alerting and more.
At its core, a data-centric security model means having a clear understanding of exactly what data is held on a company’s computer systems, knowing where it is located, and implementing appropriate security measures based on the threat profile of that data. A folder containing mundane marketing brochures does not need the same security profile as a folder containing the names, addresses and bank details of clients.
This sounds simple and straightforward, but in most instances where such personal details have been illegally accessed and stolen, the data was found in unsecured parts of a company’s network. The simple truth is that the vast majority of companies do not know where all of this data is held.
The best way to secure personal data is to continuously audit your systems to find out precisely what personal data is stored and where it is held, because this kind of data accumulates quickly – whether it is the personal details held in resumes of job applicants, or the bank details of a client held in a poorly protected email backup within the finance department.
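To make the discovery-and-classification step concrete, here is an added example in Python; it is not code from the article or from Ground Labs. It scans a constructed in-memory "file system" for a handful of common personal-data identifiers (Luhn-valid payment card numbers, BSB codes, dates of birth, email addresses, Australian mobile numbers), records exactly where each was found, masks the value for the report, and ranks each file by the most sensitive identifier it contains. The file paths, sample contents and the severity weights are all assumptions for illustration; a production discovery tool would need many more detectors, context checks and handling of binary formats, mailboxes and backups.

```python
import re
from dataclasses import dataclass

# Constructed sample "file system" (path -> contents). Not real client data.
SAMPLE_FILES = {
    "shared/marketing/brochure.txt":
        "Our new respite care program opens in spring. Call us today!",
    "finance/backup/mail-2014.eml": (
        "From: accounts@example.com\n"
        "Client Jane Citizen, DOB 12/03/1941, BSB 062-000 Acct 12345678.\n"
        "Card on file: 4111 1111 1111 1111\n"
    ),
    "hr/applications/resume-j-smith.txt":
        "J. Smith, born 07/11/1985, j.smith@example.org, phone 0412 345 678",
}

# Illustrative detectors (hypothetical, deliberately simplified).
PATTERNS = {
    "card":  re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, spaces/dashes allowed
    "bsb":   re.compile(r"\b\d{3}-\d{3}\b"),             # Australian bank-state-branch code
    "dob":   re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),       # dd/mm/yyyy
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b04\d{2} ?\d{3} ?\d{3}\b"),   # Australian mobile
}
# Assumed sensitivity weights: financial identifiers rank highest.
WEIGHT = {"card": 3, "bsb": 3, "dob": 2, "email": 1, "phone": 1}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    category: str
    masked: str   # value with all but the last four characters masked


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep the last four characters so a finding can be verified by hand."""
    head, tail = value[:-4], value[-4:]
    return re.sub(r"\d", "*", head) + tail


def scan_files(files: dict) -> list:
    """Return one Finding per identifier match, with file path and line number."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for category, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    value = m.group(0)
                    if category == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                        continue    # digit run that is not a plausible card number
                    findings.append(Finding(path, lineno, category, mask(value)))
    return findings


def classify(files: dict, findings: list) -> dict:
    """Rank each file by its most sensitive identifier: none / low / medium / high."""
    top = {path: 0 for path in files}
    for f in findings:
        top[f.path] = max(top[f.path], WEIGHT[f.category])
    labels = {0: "none", 1: "low", 2: "medium", 3: "high"}
    return {path: labels[score] for path, score in top.items()}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}  {f.category:<6} {f.masked}")
    for path, level in classify(SAMPLE_FILES, found).items():
        print(f"{level:<7} {path}")
```

Run as-is and the marketing brochure is ranked "none", the résumé "medium" (date of birth, email, phone) and the finance mail backup "high" (card number and BSB); that ranking is the input to the risk-based decision the article describes, where the high-ranked locations get encryption, access controls and monitoring first. Re-running the scan on a schedule is what turns a one-off audit into the continuous one the article calls for.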
In Australia, personal information has suddenly been given a heightened security profile because of the powers granted to the Privacy Commissioner to levy fines of up to $1.7 million and impose onerous requirements including privacy audits upon companies that do not adequately protect customer data.
Business technology has never been more affordable or more accessible, and the current wave of disruptive technology presents enormous opportunity for cost savings and efficiencies for providers.
However, this new technology has also brought changes to accepted security practices, and aged care providers need to understand these changes to keep one step ahead of attackers.
Stephen Cavey is an Australian security professional and co-founder of corporate development at Singapore-based security multinational Ground Labs.