Protecting personal identifiable information (PII) is everyone's business.
I’ve been reading about today’s news from Australia regarding allegations of a data breach against the Australian Health Practitioner Regulation Agency (AHPRA) agency. Guardian Australia reported that an AHPRA employee assaulted a nurse over a personal grudge, after using his credentials to access her home address and phone number last September. AHPRA functions like a watchdog group and investigates complaints against Australian healthcare practitioners
Additionally, in 2014 another AHPRA employee used her credentials to access medical records regarding a complaint made against her as a midwife, and used the information in a court proceeding.
AHPRA Data Breach: "Classic Case of Systematic Regulatory Failure"
John Madigan, an independent senator in Australia told the newspaper, “While AHPRA is a classic case of systemic regulatory failure, unfortunately it is not unique. In recent times there has been an explosion in regulatory agencies of this type.”
These very unfortunate breaches reveal ongoing data security issues within the healthcare industry in any country. In this case it’s more serious than stealing information. This breach led to a physical attack upon a healthcare employee. There were signs that these kinds of breaches were possible as AHPRA noted in annual reports that resources were not sufficient for proper controls to patient data.
How Australia’s Largest Health Insurance Company Protects Data
The major gaps in data security practices in parts of the Australian healthcare system serve as a cautionary tale to any organization, in any industry, in any country. In my opinion, if you run any kind of organization – whether non-profit, government or corporate – you should be held accountable for any mishandling of sensitive personal information that leads to a data breach. It seems to me that the Australian government needs to enforce tighter regulatory compliance mandates that comprehensively cover their healthcare system, including watchdog groups like AHPRA.
Today's news made me think of our customer Medibank, Australia’s largest provider of integrated health insurance and health solutions. Each day, Medibank employees must transfer up to 15GB of confidential healthcare files, a volume that is expanding by around 3GB per month. These files include patient policy records that must be transferred securely between Medibank’s sites and 15 external business partners.
Medibank needed to meet Australian government and Commonwealth regulations and policies, including the National Safety and Quality Health Service Standards and the Privacy Act 1988 as outlined by the Office of the Australian Information Commissioner (OAIC). The organization sought out a managed file transfer system to provide a better, more secure and regulated way to send files within the organization and beyond. They knew they needed tight security controls built-in including identity and access management, data loss protection and encryption controls to avoid a data breach. This all together would allow their IT team to manage, view, secure and control all file transfer activity through a single system.
Jason Atkinson, IT Claims & Product Team Lead for Medibank shared with us, “As a health organization handling large volumes of sensitive data, security and compliance were probably the biggest drivers behind this project. It was important to us that any solution not only had good security controls in operation but also excellent auditing capabilities.”
Medibank turned to our Australian partner DNA Connect to address their needs. The healthcare organization ultimately chose Ipswitch MOVEit managed file transfer software to radically decrease the time required to set up secure file transfers.
MOVEit passed the Medibank security team’s demanding requirements for end-to-end encryption and auditability with flying colors. After quickly deploying MOVEit, Medibank staff and business partners were able to gain full visibility, auditing and compliance with Australian laws and regulations.
I don't see why any agency or healthcare organization couldn't do the same thing as Medibank. Our product is not high-priced software from Big IT. It's simple to deploy and use. Medibank’s innovative work to protect patient data is something that the entire Australian healthcare community can model for themselves to better protect personal information.