Abstract
Increasing numbers of healthcare data breaches highlight the need for structured organisational responses to protect patients, trainees and psychiatrists against identity theft and blackmail. Evidence-based guidance informed by the COVID-19 pandemic response includes: timely and reliable information tailored to users' safety, encouragement to take protective action, and access to practical and psychological support. For healthcare organisations that have suffered a data breach, cyber security insurance can improve access to funded cyber security responses, risk communication and public relations expertise. Patients, trainees and psychiatrists need specific advice on protective measures. Legislative reform of healthcare data security is urgently needed.
Background
There have been increasingly frequent reports of healthcare cyber incidents, mainly compromised systems, to the Office of the Australian Information Commissioner (OAIC) from 2019 onwards.1,2 These include breaches in late 2023 of Personify Care, a third-party provider of digital patient pathways used by South Australian Health, in which 122 records were deleted,1 and of the St Vincent's Health network, operator of 13 hospitals (three public and 10 private) and 26 aged care facilities across Victoria, New South Wales and Queensland.3 These events underline the risks from breaches of electronic health records and health system data, and the need for risk mitigation, which a systematic review and a commentary have previously highlighted.2,4
Unfortunately, it is often not practicable to identify the motive of a cyberattack, or the information that has been accessed, until further events ensue, such as attempts at extortion by threatening to publish sensitive information, as in the Medibank data breach.5 Guidance for mitigating and communicating the risks of healthcare data breaches is therefore limited, especially for the sensitive information held in psychiatric records.4,6
For patients receiving mental healthcare, there have been attempts at ransom or extortion based on information about psychiatric or substance use diagnosis and treatment.5,6 Patients and healthcare workers also face a risk of identity theft, particularly where electronic health record systems have been compromised.4,6 While attention has focused on larger healthcare providers in the public and private sectors, smaller private medical practices have also been threatened, as recently seen in Canberra.7
We recommend specific crisis communication and risk mitigation for healthcare system data breaches to safeguard patients, healthcare workers (HCWs) and other staff, and especially for mental healthcare.
Evidence-based crisis communication and support
As in any health crisis, there needs to be clear and effective communication with the media and the wider public. Accordingly, we have adapted evidence-based principles of risk communication from the COVID-19 pandemic to the issues of identity theft and data misuse by cyber criminals.8–10
(1) Communication should be timely and from a reputable source, such as the official representative of the healthcare organisation or of a local, state or federal government body.9,10
(2) Information should be tailored to the needs and perspectives of patients or HCWs. This includes accurate, contemporaneous updates on the nature, extent and ramifications of the data breach.9,10
(3) To encourage action rather than fearful inaction, patients and HCWs should be informed that effective measures can be taken to protect against identity theft and other cyber security threats.10
(4) Calibrated, pragmatic advice should state which actions need to be taken and where to seek cyber security and identity support, specifically as recommended by the Australian Cyber Security Centre (see referenced weblink): 'Options for stakeholders affected by the incident (customers [and workers])'.11
(5) Patients and HCWs should be encouraged to maintain their health and wellbeing routines, and given access to counselling (which may include consulting their GP), even as coverage of the data breach continues.9
Risk mitigation measures
Unfortunately, there is also a lack of detailed guidance on practical measures specific to healthcare data breaches, and especially in mental healthcare.4,6 Professional advice on risk communication and public relations should be sought via cyber security insurance, as most organisations will not have specialised capabilities and protocols in this area.12
Information on the nature and extent of the data breach should be publicly available,10 for example via a curated webpage that is regularly updated. It should give practical advice on effective measures10 that those affected can take to protect themselves from identity theft,12 such as notifying their banking providers,13 contacting IDCARE (an Australian government-supported NGO) for advice,14 and obtaining detailed advice on other practical measures from cyber security experts.13 The webpage should also provide contact details for specialised counselling services for distress, and recommend seeking further support from the patient's or HCW's GP as required.4,6
HCWs should be informed about, and supported against, the risk of identity theft from data breaches, especially as criminals may use workers' electronic credentials to access and use healthcare data systems, and their personal or financial details for fraud.4 Accordingly, in addition to their employer's or organisation's cyber security response, HCWs should be vigilant for unusual electronic transactions in healthcare data systems (e.g. unusual requisitions, data deletion,1 or logins they did not make). This will require advice tailored specifically to HCWs.
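Part of the vigilance the paragraph asks for can be automated on the organisation's side. The following is an added example, not code from the article or from any named product: it runs three simple checks over a constructed EHR audit log, looking for a burst of deletions by one account, use of an account from a source address outside that account's baseline, and activity outside working hours. The log format, the thresholds, the user names and the baseline addresses are all assumptions chosen for illustration.

```python
"""Added example (not from the article): three checks over a constructed
EHR audit log to surface the 'unusual transactions' the text describes.
Log format, thresholds, user names and baseline addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,action,record_id,source_ip.
# nurse_lee's credentials are used late at night from an unfamiliar address
# to delete six records in a few seconds; dr_smith's activity is routine.
SAMPLE_LOG = """\
2023-12-12T09:05:11,dr_smith,VIEW,R1001,10.10.4.21
2023-12-12T09:06:40,dr_smith,VIEW,R1002,10.10.4.21
2023-12-12T09:07:02,nurse_lee,VIEW,R2001,10.10.5.7
2023-12-12T22:14:09,nurse_lee,DELETE,R2001,203.0.113.45
2023-12-12T22:14:10,nurse_lee,DELETE,R2002,203.0.113.45
2023-12-12T22:14:12,nurse_lee,DELETE,R2003,203.0.113.45
2023-12-12T22:14:13,nurse_lee,DELETE,R2004,203.0.113.45
2023-12-12T22:14:15,nurse_lee,DELETE,R2005,203.0.113.45
2023-12-12T22:14:18,nurse_lee,DELETE,R2006,203.0.113.45
2023-12-13T08:30:00,dr_smith,VIEW,R1003,10.10.4.21
2023-12-13T11:02:45,dr_smith,DELETE,R1004,10.10.4.21
"""

# Assumed baseline: the source addresses each account normally works from.
BASELINE_IPS = {"dr_smith": {"10.10.4.21"}, "nurse_lee": {"10.10.5.7"}}
DELETE_THRESHOLD = 5                   # deletions by one account ...
DELETE_WINDOW = timedelta(minutes=10)  # ... within this window
WORK_HOURS = range(7, 20)              # 07:00-19:59 treated as normal


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record_id, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record_id, "ip": ip})
    return events


def detect_deletion_bursts(events, threshold=DELETE_THRESHOLD, window=DELETE_WINDOW):
    """Alert when one account deletes >= threshold records within one window."""
    stamps_by_user = defaultdict(list)
    for e in events:
        if e["action"] == "DELETE":
            stamps_by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        best, best_start, start = 0, None, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, stamps[start]
        if best >= threshold:
            alerts.append({"rule": "deletion_burst", "user": user,
                           "start": best_start, "count": best})
    return alerts


def detect_unfamiliar_ips(events, baseline=BASELINE_IPS):
    """Alert once per (account, address) when the address is not in the baseline."""
    reported, alerts = set(), []
    for e in events:
        key = (e["user"], e["ip"])
        if e["ip"] not in baseline.get(e["user"], set()) and key not in reported:
            reported.add(key)
            alerts.append({"rule": "unfamiliar_ip", "user": e["user"],
                           "first_seen": e["ts"], "ip": e["ip"]})
    return alerts


def detect_off_hours(events, work_hours=WORK_HOURS):
    """Alert per (account, date) with the number of events outside work hours."""
    counts = defaultdict(int)
    for e in events:
        if e["ts"].hour not in work_hours:
            counts[(e["user"], e["ts"].date())] += 1
    return [{"rule": "off_hours", "user": u, "date": d, "count": n}
            for (u, d), n in sorted(counts.items())]


def analyse(log_text):
    """Run all three checks and return the combined alert list."""
    events = parse_log(log_text)
    return (detect_deletion_bursts(events) + detect_unfamiliar_ips(events)
            + detect_off_hours(events))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample log all three rules fire for the same account within the same minute, which is the pattern worth escalating: a single off-hours alert is noise in a hospital with shift work, so in practice the working-hours baseline should be per role or per roster, and the three signals should be correlated rather than treated as independent alarms.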
Since a data breach may rightly raise doubts about whether communications apparently from the affected healthcare organisation are genuine, care should be taken with emails and social media.13 As cyber criminals may misuse stolen contact information, those affected should be advised to verify communications through a channel different from the one the message arrived on, such as phoning a number listed on the organisation's official website to check an email.13
Perhaps the most challenging consideration for risk mitigation is ransom demands or blackmail directed at patients or HCWs, with threats to expose sensitive breached data. The recommendation is not to engage with extortionists (do not respond or pay),15 but to report to local police for advice and further action.15 Cyber security insurance can also provide access to expert advice, in addition to covering the costs of crisis communication, data recovery and restoration.12
Healthcare data breach checklist for patients and healthcare workers.
Adapted from (see for further details): https://www.westpac.com.au/content/dam/public/wbc/documents/pdf/security/WBC-Data-Breach-Checklist_241023.pdf
Conclusions
Healthcare providers, including public and private mental healthcare services, have been increasingly targeted by cyber criminals. In the context of the St Vincent's Health network and other recent data breaches,4 there is a pressing need for coordinated, healthcare-organisation-specific guidance on risk mitigation for patients, trainees and psychiatrists. This includes evidence-based risk communication, cyber security and identity theft support, psychological support, and insurance that covers cyber security advice as well as psychological and financial injuries. Specific legislative reform is still needed to improve governance of cyber security in healthcare, so as to prevent and mitigate data breaches, as the US Health Insurance Portability and Accountability Act (HIPAA) does.2,4,6
Footnotes
Author contributions
All authors have satisfied: Substantial contributions to the conception or design of the work; or the acquisition, analysis or interpretation of data for the work; AND Drafting the work or revising it critically for important intellectual content; AND Final approval of the version to be published; AND Agreement to be accountable for all aspects of the work in ensuring that questions related to the accuracy or integrity of any part of the work are appropriately investigated and resolved.
Disclosure
The author(s) declared the following potential conflicts of interest with respect to the research, authorship, and/or publication of this article: The authors declare that JCLL, SA, TB, PAM and SK are editorial team members for the journal; they were not involved in the independent peer review process.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
