Are you prepared?
2 August 2022
Welcome to the August newsletter
Our HealthyPractice team (Shaun, Chris, Fiona, Bryce, and Bonnie) is part of the wider ‘business@mas’ team which also provides business insurance, key person cover, KiwiSaver for practice employees and other products and services.
Some of our subscribers may have already had contact with the MAS Business insurance team, often prior to the renewal of their Business Risk insurance policy. It’s great to have this team of specialists to look after your business needs, and they can be contacted directly at businessinsurance@mas.co.nz.
The business team have shared that some MAS members have been surprised that cyber insurance isn’t part of the standard Business Risk cover – it is an optional add-on. This reinforces the importance of reviewing and understanding your cover every year when it renews – this wider team can assist you with this.
Ransomware is still the most common type of cyber-attack, and it usually arrives as a phishing email with a link that is clicked by an unsuspecting employee. The health sector is sometimes targeted due to the sensitivity of the information held – even some large entities have been caught out.
Do you have a plan if this happens to you? Will your IT providers be able to assist you?
Some things to consider:
Understand the basics
- What’s happened? Which systems are impacted? Work out your priorities – getting evidence or getting things up and running?
- What’s the plan? How long can you operate? How do you respond?
- Who’s in charge? This team should involve your advisers – legal, communications, financial, IT, privacy. Know the governance structure and the reporting lines.
- Crisis incident response planning/governance
- Business engagement – who needs to be involved?
- Critical data – where is it stored?
- Offline backups – can you restore from these?
- Technical expertise – who can you call?
In the heat of the moment you do need to have a plan and know who is doing what. A good plan can reduce the negative impact of an attack – as a starter we recommend you consider:
Incident response
- Will your plan be effective if you have no IT systems?
- Governance structure – not just IT. Pre-prepare templates to send out to patients/clients and business partners when required.
- Your plan needs to align with the whole business
- Interact with your critical incident management team
- Legal advisers to respond to legislative and regulatory requirements
- Ransom – what are the criteria for paying/negotiation – has this been pre-approved by the Board?
- Practice the response with a scenario to test that the response is as expected.
Understand where the critical data is:
- Regulatory requirements
- What data is the minimum you need to operate for 3 months?
- Offline backup is critical – test and validate. Make sure it is truly offline.
- Technical expertise that you need to respond – for most this will be third party
- Can you operate without the cloud?
Remember your Privacy obligations
Understanding personal information
- It’s information about people
- It isn’t generally publicly available
- What would your patients/clients expect?
If the information extracted includes names, addresses and DOB it is probably notifiable.
If you can no longer access the information or the information has been lost – that is a privacy breach.
Use the tools on the Privacy Commission website: Office of the Privacy Commissioner | NotifyUs (for organisations to report privacy breaches).
How do you decide if you notify the Privacy Commission and the people involved?
- Consider the human element – information conscience
- What would the impact be if it was a family member’s information?
- Do we need to look out for information appearing elsewhere?
- Can you find it on the dark web?
How you respond to an incident will impact on your business reputation, and a reputation (good or bad) is usually earned by what you do, rather than what you say you are going to do.
You can read our content at this link: Reputational risk (healthypractice.co.nz)