Cloud software due diligence: mandatory compliance for healthcare practice managers.
Our Mission and Value We Create.
The Cyber Medica Value: By drawing on decades of expert experience and knowledge, Cyber Medica conducts, on behalf of healthcare professionals, detailed cyber security and privacy due diligence assessments of commonly used software products.
By utilising Cyber Medica, healthcare professionals not only gain access to robust assessments that fulfil their mandatory compliance requirements, but they also gain an easy comparison tool across multiple software providers, thereby saving days or even weeks of precious time and resources that would otherwise go into conducting their own lengthy due diligence assessments.
Our mission is to create a safer world by empowering medical professionals and practitioners to achieve their success through the use of products and services that are secure, private, compliant, and transparent. That empowerment begins and ends with Trust.
Under the Australian Privacy Act 1988, an Australian healthcare operator must take all reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. To comply with these mandatory requirements, a healthcare practice manager needs to assess the security and privacy controls of their computing software to ensure that it complies with the Australian Privacy Principles. The maximum federal penalties for healthcare providers who fail to take reasonable steps to protect health information stored or transmitted in the cloud are $444,000 for individual healthcare practitioners and/or $2,220,000 for corporations.
The Australian cloud software standards: The Australian Information Security Manual as published by the Federal Government's Australian Cyber Security Centre.
Security Control: 1452; Revision: 3; Updated: Dec-20;
Before obtaining (cloud) services relevant to the security of systems, a review of suppliers and service providers (including their country of origin) is performed to assess the potential increase to systems’ security risk profile, including by identifying those that are high risk.
Security Control: 1567; Revision: 1; Updated: Dec-20;
(Cloud) Suppliers and service providers identified as high risk are not used.
Security Control: 1568; Revision: 1; Updated: Dec-20;
Services relevant to the security of systems are chosen from (cloud) suppliers and service providers that have made a commitment to secure-by-design practices.
Security Control: 1632; Revision: 0; Updated: Dec-20;
Services relevant to the security of systems are chosen from (cloud) suppliers and service providers that have a strong track record of transparency and maintaining the security of their own systems, services and cyber supply chains.
Data security, as opposed to privacy, usually focuses on preventing the “unintended” access, use or disclosure of data. Such unintended disclosures could be the result of malicious attacks (cyber crime) or of accidental disclosure, e.g. sending an email to the wrong address. The controls typically used to implement best practice data security relate mainly to engineering controls such as software, hardware or physical controls.
Healthcare providers should be committed to protecting the security of all personal data within their care. Organisations should use a variety of security technologies and procedures to help protect personal data from unauthorised access, use, or disclosure as well as ensure data is destroyed or de-identified when no longer required.
Compliance is about an organisation’s ability to respect and adhere to all relevant laws and regulations. An organisation should be able to provide evidence of this compliance if and when requested, without delay or deflection.
Examples of laws and regulations relevant to healthcare include:
- Australian Privacy Act 1988
- My Health Records Act 2012
- Healthcare Identifiers Act 2010
- Australian Standards / International Standards Organisation (ISO) 27001
- Australian Signals Directorate – Australian Information Security Manual
- National Institute of Standards and Technology (NIST)
- HIPAA and HITECH Acts
- GDPR EU and GDPR UK
Privacy, as opposed to data security, usually focuses on controlling the “intended” access, use or disclosure of data. Such intended disclosures could be the result of marketing, disclosures to employees or third-party contractors, or part of a legal dispute.
The controls typically used to implement best practice privacy relate mainly to an organisation’s internal policy and process.
Transparency is about an organisation’s commitment to open disclosure and communication on the treatment of data, the policies and process surrounding that data, who has access and control over that data and the security arrangements in place to protect that data.
Best practice organisations fully, and in detail, communicate and disclose all relevant information in a timely manner.