How aged care providers are affected by changes to the SOCI Act

June 20, 2023

In the wake of the data security breaches of 2022, the aged care sector has never been more aware of the importance of safety and security—and with the recent changes to the Security of Critical Infrastructure Act (the SOCI Act), every provider will be held accountable.

As part of the healthcare and medical sector, aged care providers—along with many companies across the 11 newly added sectors—are now considered ‘critical infrastructure’ and must comply with the new SOCI Act regulations.

How do the SOCI Act changes impact the aged care sector?

The Security of Critical Infrastructure Act (SOCI Act) has recently been amended to ‘strengthen the security and resilience of critical infrastructure by expanding the sectors and asset classes the SOCI Act applies to’ (Cyber and Infrastructure Security Centre, 2023). This means that there are now 11 sectors classified as critical infrastructure providers and they have been given a six-month window, from February 17 to August 17, 2023, to comply with the new regulations.

Although the aged care sector is not directly included in the list of critical infrastructure providers, it is part of the healthcare and medical sector. Under the SOCI Act, companies are considered part of the healthcare and medical sector if they involve:

  • The provision of healthcare
  • The production, distribution, or supply of medical supplies

So, the requirements for aged care providers will be:

  • Create and maintain a critical infrastructure Risk Management Program (RMP)
  • Register critical assets and report any cybersecurity events

What do aged care providers need to do?

The biggest hurdle aged care providers are facing, ahead of the August 17 deadline, is the creation of a Risk Management Program (RMP). This process involves figuring out which components and sites of your asset are critical, then pinpointing the potential threats and hazards that could harm its operations. Then, you must do what is ‘reasonably practicable’ to minimise and mitigate these risks. (Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector, 2022)

Building a Risk Management Program (RMP), step by step

If you need a clear recommended process for developing an RMP, follow these steps:

  • Step one: Understand the landscape
    • Identify the context of your individual organisation within both the healthcare and medical sector and the Australian economy. There is no one-size-fits-all approach for risk assessment and management; you need to determine the best method for your organisation.
  • Step two: Identify your critical assets
    • What do you need to protect? What is valuable to you? Which services, assets, and components would impact you if they were disrupted or damaged?
  • Step three: Analyse threats and hazards
    • Analyse the threats and hazards that could cause harm to your critical infrastructure assets, and look to similar organisations to see what they have identified.
  • Step four: Assess risk
    • Evaluate the risk of each threat: how likely is it? What will the consequences be?
  • Step five: Identify and implement controls
    • Decide if the initial outcome of each risk is tolerable or if more controls are required. Create the necessary controls and then update the risk profile.
  • Step six: Monitor risk
    • Risk management is not something you organise and then forget about; it needs to be ongoing to manage ever-evolving threats and changing assets and infrastructure. Measure progress and effectiveness, and work to continually improve your processes. (Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector, 2022)

A prominent target for data hacking

Data security is a paramount concern for all critical infrastructure industries, but the healthcare sector is especially vulnerable to attacks. In the first half of 2022, healthcare providers reported the most data breaches of any industry—a trend that stretches back to 2018.

According to Peter Leonard, principal at Data Synergies, the healthcare sector may experience more data breaches because, “There is a lot of sharing of data between individuals delivering health services: the GP, the chiropractor, the pharmacy. The more humans involved in handling information, the more likely something is going to go wrong.” (2022)

And this translates to the aged care industry, as Mr Leonard says, “Think about all of the personal information about your aunt who is in a nursing home, that the nursing home has to handle to look after her wellbeing.” It just takes one email being sent to the wrong person, or paperwork getting lost, and her most private information is no longer safe. (Bogle, 2022)

Penalties for non-compliance

As aged care providers are especially vulnerable to data breaches, it just makes sense to gain the protection of the SOCI Act requirements. Unlike the ten other critical infrastructure industries, the healthcare sector is dealing directly with people’s lives and deeply private information, so there is no room for risk. But as the August 17 deadline moves closer, the other significant motivator for providers is the penalties for non-compliance.

If you do not meet the requirements for the Risk Management Program (RMP), you face a penalty of 1,000 penalty units ($275,000) per day until you do. Also, if you do not meet the annual reporting requirement for your RMP, you will have to pay 750 penalty units ($206,250) per day (Clyde & Co, 2023).

References:

Bogle, A. (2022, November 10). Healthcare industry continues to be main target of data breaches, with 79 reported in six months. ABC News. https://www.abc.net.au/news/science/2022-11-10/data-breach-medibank-healthcare-system/101612056

“Critical Infrastructure. Changes to current regulation.” Cyber and Infrastructure Security Centre. (2023, March 23). https://www.cisc.gov.au/legislative-information-and-reforms/critical-infrastructure

“Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’”. Clyde & Co. (2023, February 27). https://www.clydeco.com/en/insights/2023/02/critical-infrastructure-update-risk-management-pro

Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector. (2022). Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/raa-healthcare-medical.pdf
