Cybersecurity and Privacy Breach Notification
When we talk about the impact of the COVID-19 pandemic, we tend to think about the health or economic impacts. Less well understood are the opportunities that have opened up for cyber crime, as major global economies looked to move online almost overnight.
New Zealand is not immune from these attacks. In September this year, NZX was attacked over the course of several days, and trading had to be suspended until the problem was resolved. It seems that a number of the companies trading on the exchange were also targeted, although they were advised by the Government Communications Security Bureau to avoid public comment.
As well as the disruption to normal business trading, those attacks carry a significant cost in terms of reputational damage, and the technical expertise required to investigate the attacks and secure the IT systems affected.
The challenges of working from home
New Zealand’s rush to adopt a new way of working when nationwide lockdowns were announced left cyber backdoors and windows open at many Kiwi businesses, making them vulnerable to attacks. New Zealand Police estimated that during lockdown Kiwi businesses lost $2.2 million to scammers.
During the lockdown period, scammers also preyed on people’s emotions by attempting to extort social media passwords in order to access urgent information about the ever-evolving pandemic. CERT NZ, the Government agency in charge of New Zealand’s cyber preparedness, received steady reports of online criminals using the pandemic as an opportunity to carry out online scams and malicious cyber activity.
Keep yourself and your colleagues safe
Regardless of your practice’s budget for cybersecurity, there are some basic things you can do right now to keep yourself and your colleagues safe from cyber crime, and to protect your patients’ information.
- Take your passwords seriously
Put simply, you need strong passwords, and you need to change them regularly. It might be convenient to use “password” for everything but you’re putting yourself at severe risk. Ideally, your passwords should have a mixture of lower- and upper-case letters, numbers and special characters.
Once you have a strong password, you should avoid using it for all your devices and applications and aim to update it every few months. If you’re finding it difficult to keep track of everything, a password manager is a good idea – it’s effectively a vault for all your passwords.
- Check your privacy settings
Know and control who can see your information. It might seem harmless to share pictures of friends and family gathered at special occasions but remember that the more you share, and the more identifiable everyone is, the more data you’re potentially providing cyber criminals.
Check the privacy settings on your social media accounts so that only friends and family can see your full details. Unlike or Unfollow social media pages and leave groups that you no longer have an interest in.
The basic principle is to give out as little information as possible when you’re online, particularly when you’re signing up for what are marketed as ‘free’ services or apps.
- Stay on top of all the relevant software updates
Keep up to date with any software updates that are issued for your phone, computer or IT system. Not only do those updates improve the usability of your system, they also contain regular security upgrades to patch any flaws.
- Use two-factor authentication
Two-factor authentication (2FA) is a way of double-checking someone is who they say they are when they try to log in to a system. So, as well as providing their username and password, they will often be asked to enter a special code that is texted to their phone.
You can add 2FA to all sorts of things but it’s essential on systems like email or accounting software.
These are a few basic tips to get you started but cybersecurity is something you need to take seriously. For more information, check out the resources at www.cert.govt.nz.
Privacy Act 2020 changes
The major changes to the Privacy Act (effective 1 December 2020) are the mandatory notification to the Privacy Commission of some privacy breaches and the requirement to advise patients/clients that personal information collected will be disclosed outside NZ (IPP 12 – Disclosure of personal information outside NZ).
Agencies will be legally required to notify breaches in privacy if the breach poses a risk of serious harm or causes serious harm to an individual or group. There are three reasons why this is important:
- People can’t protect themselves from the impact of a privacy breach if they don’t know a breach has occurred
- The speed that data can be transferred and copied means the potential for harm is much greater
- Learning from privacy breaches that have already occurred can help prevent similar breaches in the future
If a notifiable privacy breach occurs, the business should notify the affected people. The Privacy Commission has developed a Notify Us tool which will help you to identify if the breach meets the notification threshold. Failure to notify could result in a penalty of up to $10,000.
Examples of serious harm that is likely to be caused by a breach include:
- Physical harm or intimidation
- Financial fraud including unauthorised credit card transactions or credit fraud
- Family violence
- Psychological or emotional harm
The new IPP 12 relates to the sharing of information with overseas agencies. Agencies are required to tell individuals that their information will be shared overseas unless the overseas company complies with the Privacy Act 2020 or comparable. This notification doesn’t apply if practices are using cloud computing where the overseas agency is only holding the information on behalf of the practice.