Did You Know 2022

Did You Know That Pharmacies Have Cyber Security Legal Obligations?

Authored by David Carroll and Tim Patterson

A Regulated Industry 

The health care industry is tightly regulated, with national and state legislation mandating and stipulating rules and regulations for many different practice areas. 

–  The National Health Act 1953 (Act) is legislation that governs the Pharmaceutical Benefits Scheme (PBS) and how you dispense and the records you are required to keep.  

–  The My Health Records Act 2012 (Act) is legislation covering the My Health Record system, which is aimed at making health information about a healthcare recipient available to provide healthcare to the recipient.  

In providing health advice or filling prescriptions, pharmacists have a duty of care to their patients. The pharmacist must know the patient’s medical history and personal health information to provide relevant and accurate advice and avoid drug contraindications. Most pharmacies will store patients’ information electronically to ensure timely access to patients’ data. Here, the pharmacist’s duty of care crosses into the cyber security realm.  

Protecting Patient Data 

All healthcare providers in Australia have professional and legal obligations to protect their patients’ health information. Establishing and maintaining information security practices is an essential professional and legal requirement when using digital health systems to deliver healthcare services. 

There are two critical pieces of legislation that directly affect cyber security in the pharmacy: 


The Australian Privacy Act (Privacy Act)

The Privacy Act 1988 contains 13 Australian Privacy Principles (APPs) that Australian Government agencies and most private sector organisations (collectively called ‘APP entities’) must follow when they handle personal information. Personal information is defined in the Privacy Act as information or an opinion that identifies or could identify, an individual. Name, address, telephone number, date of birth, medical records, bank account details, and opinions are some examples.

APP 11

A key Australian Privacy Principle (APP) from the Privacy Act 1988 is APP 11, Security of personal information. APP 11 requires that an “entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.” The Office of the Australian Information Commissioner (OAIC) has issued guidance on how organisations should meet this requirement, including taking steps to implement the following:

–  Physical security, such as locks, alarm systems and access limitations.

–  Computer and network security, such as user passwords and auditing procedures.

– Communications controls, such as encryption of data.

– Personnel security, such as staff training programs.


Data Destruction – Data Retention

APP 11 also requires that when that data is no longer required, the data is disposed of or de-identified. Adding complexity to this requirement is some state legislation (NSW, VIC, ACT) that requires health medical information, including health identifiers, to be kept for years since the last “occasion” on which the health service was provided.


Mandatory Data Breach Notification Legislation

The mandatory Notifiable Data Breaches (NDB) scheme, which came into force on February 22nd, 2018, requires organisations to notify the OAIC and affected individuals “as soon as practicable” if they become aware that there are “reasonable grounds” to believe that an eligible data privacy breach has occurred. A data privacy breach is when personally identifiable information is lost, stolen, or suspected to have been stolen.

The NDB scheme applies to organisations with obligations to secure personal information under the Privacy Act. Most small businesses with a turnover of $3 million a year or less do not have to report a breach.

The Act outlines a few exceptions to the $3 million a year exclusion, which means some organisations have mandatory data breach reporting requirements, regardless of their size or business value. The exceptions include health service providers (including, for example, private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, gyms and weight loss clinics, childcare centres, and private schools).

The OAIC may impose penalties for non-compliance. These penalties range from less severe sanctions, such as public apologies (which could damage your reputation), to compensation payments and civil penalties for “serious or repeated non-compliance.” Failure to comply with the regime can incur fines of up to $360,000 for individuals and $1.8 million for organisations.


In Summary

There are significant financial and reputational risks in not managing and protecting your patient data within the pharmacy.

You must protect your patient data with strong physical and technical security controls. Just having an anti-virus is not enough, and you will not be compliant with the legislation. You must ensure that you have a plan to respond to a cyber incident or other data breach and be prepared to inform your customers and the OAIC.

If you are worried about the security of your pharmacy systems and want to know how to implement strong backup in your pharmacy, protect yourself from ransomware and data breaches, or improve your pharmacy’s cyber security, speak to your Corum Customer Success manager, or contact us on 1300 669 865.

 

Addendum – Cyber Security Legislation

The following paragraphs include summaries of cybersecurity and IT-focused legislation or regulation that can impact most Australian businesses.

Australian Data Privacy

The Privacy Act 1988 and its Australian Privacy Principles (APPs) govern how companies collect, use and disclose personal information. APP 11 requires organisations to take active measures to ensure the security of the personal information they hold.

Mandatory Data Breach Notification Legislation

The mandatory Data Breach Notification scheme, which came into force on February 22nd, 2018, requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals “as soon as practicable” if they become aware that there are “reasonable grounds” to believe that an eligible data privacy breach has occurred. A data privacy breach is when personally identifiable information is lost, stolen, or suspected to have been stolen.

The OAIC may impose penalties for non-compliance. These penalties may range from less severe sanctions such as public apologies (which could damage your reputation) to compensation payments and civil penalties for “serious or repeated non-compliance.” Failure to comply with the regime can incur fines of up to $360,000 for individuals and $1.8 million for organisations.

Cybercrime Act (2001)

The Cybercrime Act comprehensively regulates computer-based and internet-based offences. It sets out law enforcement’s investigative powers and the criminal offences relating to unlawful access to, and intrusion into, computer systems. The offences focus on unlawful access and intrusion into computer systems, including damaging data, and cover areas such as Denial of Service (DoS), theft of information, computer-based fraud, cyberstalking, harassment, and child pornography.

Spam Act (2003)

The Spam Act provides a scheme to regulate the commercial distribution of email and other types of electronic messaging. It restricts unauthorised and unsolicited electronic messages, with some exceptions. There are rules for gaining consent, identifying the sender, and providing an unsubscribe feature. The Act is regulated by the Australian Communications and Media Authority.