IronKey by Imation: Could you pass a privacy audit - Healthcare and Australia’s privacy regulations

---

Last year the Australian Federal Government ushered in a new set of Australian Privacy Principles (APPs) and in the process, dramatically overhauled the obligations of organisations regarding the collection, use, storage and security of personal data. The changes were expected to have a big impact on data handling within the healthcare industry, as the regulations particularly targeted all Australian Government agencies, businesses with a turnover of more than $3 million or that trade in personal information, and private health service providers.

---

Twelve months on, it’s timely to consider how well your organisation has responded to the new requirements, and to ask yourself: Would your organisation pass a privacy audit if one was held tomorrow?
The basics
One of the first changes that should have been introduced by every facility or institution is an updated, accessible privacy policy that advises individuals of your obligations, the kind of personal information collected, how it is collected, the purpose for collection, how an individual can access that information, and how they can make a complaint about any breaches of the APPs.
Following on from this, every organisation should also now have an internal guide to privacy compliance. The aim of this is to ensure staff understand the legal requirements when dealing with personal data. It should also articulate the organisation’s own rules and processes relating to collection and storage of data.
The problem of security
One of the most critical obligations under the APPs is security. The eleventh privacy principle states:
“If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.”
And it’s here that even today, many healthcare organisations find their privacy efforts fall short, because keeping data safe from accidental loss or malicious activity such as viruses, worms and hackers isn’t always straightforward or easy.
While most organisations have measures in place to secure data on the network, the main area of vulnerability is mobile data. When a clinician carries patient data on their laptop from their consulting rooms to the hospital, what happens if the laptop is stolen? Or when a USB stick is used to send information from one facility to another, what is the outcome if the USB is dropped and lost?
No matter whether confidential information is breached due to theft, malware, spyware, or just a simple accidental loss, there are serious consequences. Since 2014, failure to comply with Australia’s new privacy laws can leave an organisation liable for a fine of up to $1.7 million.
Doing away with mobility is not the answer. The efficiencies and improvements to health outcomes arising from a more mobile health force are too great to ignore. Therefore, it’s clear healthcare facilities have to find a way to keep mobile data safe.
A two-pronged response
The solution is to adopt a two-pronged approach to mobile data security by only using drives that offer encryption supported by data management.
Encryption involves coding data on the drive so it remains unreadable to anyone who doesn’t have the right “key”. If the USB or hard drive is lost or stolen, the contents remain obscured and inaccessible. One of the most appealing aspects of encryption is there are no technology barriers to its adoption, and compared to the cost of a data breach, the investment required is relatively insignificant.
The second part of the approach is a management capability that brings control to the data on the device. For example, at some stage an employee will forget their password, rendering them unable to access the corporate network. With the right management capabilities, IT can not only reset the password but when the user logs on, they can cross-reference the IP address of their machine against a map in order to ascertain if the person is indeed who they say they are. If IT has any suspicions, they can remotely wipe the hardware device that the employee is working from and kill all encrypted data. Management functions also enable IT to force a device to be in read-only mode, remotely make password changes and re-commission devices that are no longer in use
Together, encryption and management ensure confidential and private information on USB and external drives remains protected, even if the drive is lost or stolen and lands in someone else’s hands.
[caption id="attachment_11999" align="alignright" width="300"] IronKey S1000 USB3.0 Secure Storage[/caption]
The 2014 changes to Australia’s privacy regulations have put the data management practices of Australia’s government agencies and private sector organisations under the spotlight. For the healthcare industry, securing confidential patient data has never been more important with the increasing amount of records being transferred to electronic records . Achieving the necessary degree of security requires more than good intentions. It demands a comprehensive mobile security solution built around strong encryption, robust identity management, and policy-based data management.
For more information contact Elizabeth Parsons at apacsecuritysales@imation.com or visit www.ironkey.com