Are you prepared?
2 August 2022
Welcome to the August newsletter
Our HealthyPractice team (Shaun, Chris, Fiona, Bryce, and Bonnie) is part of the wider ‘business@mas’ team which also provides business insurance, key person cover, KiwiSaver for practice employees and other products and services.
Some of our subscribers may have already had contact with the MAS Business insurance team, often prior to the renewal of their Business Risk insurance policy. It’s great to have this team of specialists to look after your business needs, and they can be directly contacted on businessinsurance@mas.co.nz.
The business team have shared that some MAS members have been surprised that cyber insurance isn’t part of the standard Business Risk cover – it is an optional add-on. This reinforces the importance of reviewing and understanding your cover every year when it renews – this wider team can assist you with this.
Ransomware is still the most common type of cyber-attack, and it usually arrives as a phishing email with a link that is clicked by an unsuspecting employee. The health sector is sometimes targeted due to the sensitivity of the information held – even some large entities have been caught out.
Do you have a plan if this happens to you? Will your IT providers be able to assist you?
Some things to consider:
Understand the basics
- What’s happened? Which systems are impacted? Work out your priorities – getting evidence or getting things up and running?
- What’s the plan? How long can you operate? How do you respond?
- Who’s in charge? This team should involve your advisers – legal, communications, financial, IT, privacy. Know the governance structure and the reporting lines.
- Crisis incident response planning/governance
- Business engagement – who needs to be involved?
- Critical data – where is it stored?
- Offline backups – can you restore from these?
- Technical expertise – who can you call?
In the heat of the moment you do need to have a plan and know who is doing what. A good plan can reduce the negative impact of an attack – as a starter we recommend you consider:
Incident response
- Will your plan be effective if you have no IT systems?
- Governance structure – not just IT. Pre-prepare templates to send out to patients/clients and business partners when required.
- Your plan needs to align with the whole business
- Interact with your critical incident management team
- Legal advisers to respond to legislative and regulatory requirements
- Ransom – what are the criteria for paying/negotiation – has this been pre-approved by the Board?
- Practice the response with a scenario to test that the response is as expected.
Understand where the critical data is:
- Regulatory requirements
- What data is the minimum for you to operate for 3 months?
- Offline backup is critical – test and validate. Make sure it is truly offline
- Technical expertise that you need to respond – for most this will be third party
- Can you operate without the cloud?
Remember your Privacy obligations
Understanding personal information
- It’s information about people
- It isn’t generally publicly available
- What would your patients/clients expect?
If the information extracted includes names, addresses and DOB it is probably notifiable.
If you can no longer access the information or the information has been lost – that is a privacy breach.
Use the tools on the Privacy Commission website: Office of the Privacy Commissioner | NotifyUs – for organisations to report privacy breaches.
How do you decide if you notify the Privacy Commission and the people involved?
- Consider the human element – information conscience
- What would the impact be if it was a family member’s information?
- Do we need to look out for information appearing elsewhere?
- Can you find it on the dark web?
How you respond to an incident will impact on your business reputation, and a reputation (good or bad) is usually earned by what you do, rather than what you say you are going to do.
You can read our content at this link: Reputational risk (healthypractice.co.nz)