Australia’s healthcare sector does not have a “broader cybersecurity problem” despite consistently reporting higher numbers of data breaches than other industries, according to medical indemnity insurer MIGA.
In a parliamentary submission published on Monday afternoon [pdf], MIGA defended the security record of the “private healthcare sector”, arguing that notifiable data breach (NDB) numbers needed to be understood in “context”.
Health service providers have “consistently reported the most data breaches compared to other industry sectors since the start of the NDB scheme”, according to the Office of the Australian Information Commissioner (OAIC).
Breach numbers from 2018 were cited by the Australian National Audit Office (ANAO) as evidence of the level of cybersecurity risks present in the health sector. The numbers have stayed high since.
But, according to MIGA, “comparatively higher levels of notifiable data breaches are understandable” and “are not suggestive of a broader cybersecurity problem in healthcare.”
MIGA said the number of notifiable data breaches needed to be contextualised against “the sheer number of healthcare services provided each and every day” and the applicability of the NDB scheme in the sector.
“Private healthcare is one of the very few sectors where notifiable data breach and broader Privacy Act obligations apply to all healthcare providers, irrespective of size,” MIGA said.
“For most other sectors these obligations only apply to organisations with a turnover of greater than $3 million per annum.
“Before the notifiable data breach regime commenced, there was a concerted education campaign by the ADHA and professional healthcare stakeholders (including MIGA) to explain to healthcare providers what their obligations were. This did not occur in all affected sectors.
“These factors meant far greater scope for notifiable data breaches to occur, and far greater understanding of notification obligations, than in most other sectors.”