15 July 2022

Cybersecurity and health practices – No room for oversight

Protecting personal information continues to grow as an essential function of businesses everywhere – particularly when it comes to sensitive information in sectors such as the health industry.

According to the World Economic Forum, cyber risk has been recognised as the most immediate and financially material sustainability risk that organisations face today. A somewhat stark statement.

The Australian Securities and Investments Commission (ASIC) has recently warned directors that a failure to adequately address cyber security risk or comply with relevant disclosure and reporting requirements may be a breach of their directors' duties. This inevitably impacts medical and health practice owners and managers, who will be expected to remain proactive about cybersecurity and ensure their systems and processes can appropriately deal with and respond to a cyber-attack.

Why the heightened interest?

There are a number of factors at play here. Cyber security attacks are becoming more sophisticated, with high profile cybersecurity incidents taking place. There has also been a recent Federal Court of Australia decision in which a business and its directors in the financial services sector were found to have breached their obligations after failing to adequately manage its cybersecurity risks. The business was ordered to pay $750,000 towards ASIC’s costs. You can have a closer look at ASIC’s article here: Be prepared | ASIC - Australian Securities and Investments Commission.

As you can see, it’s a clear message from the corporate regulator – “Be prepared”.

Ensuring compliance, preventing a breach

According to ASIC, no business is too small for a cyber security strategy.  

Practices are routinely collecting, storing, utilising and disclosing personal information. In light of the heightened attention and elaborate cyber-attacks globally, it would be a very good time to look at your systems and processes and ask yourself:

  • Do you have appropriate cyber security risk management systems in place, and do they give you enough visibility of cyber risks so you can comply with your disclosure obligations?
  • Is there a way of testing and verifying the effectiveness of those risk management systems?
  • Are your current cyber security and IT systems adequate to store information securely and protect against third party infiltration?
  • Could you promptly identify any data breaches (actual or potential) and satisfy your reporting requirements?
  • Do your contracts with IT vendors protect your business by addressing and managing potential security breaches?

Hopefully you are confident the answer to each of these questions is ‘yes’.  

Cyber risk is, however, an area that continues to evolve, and all businesses and their directors will need to be on a journey of continuous improvement when it comes to cyber security. 

Cyber resilience toolkit

ASIC have published resources on Cyber resilience good practices to "enable organisations to operate highly adaptive and responsive cyber resilience good practices" that would need to be tailored to the company with the assistance of technically-expert, internal or external guidance. To access, click here or visit https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/cyber-resilience-good-practices/

More Information

If you have questions, or would like more information about how these recent developments could affect your business, please call 1800 867 113 or, to organise a confidential discussion with our data protection and privacy law specialists at a time that suits you, click here.

About the Author

Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors.

He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.

Disclaimer: The information in this article is general in nature and is current to 15 July.  It does not take into account individual circumstances and is not professional legal, financial or taxation advice.  Avant Law provides legal services. It does not provide taxation or financial advisory services.

Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.