If your company is part of the disability sector, then safety and security have always been a priority – there is no room for error when people’s lives are at stake. However, there have been recent updates to compliance laws, and as part of the healthcare and medical sector, disability providers are considered ‘critical infrastructure’ and will be affected by these changes.
The Security of Critical Infrastructure Act (the SOCI Act) is the most recent bill to go through amendments – a move influenced by widespread data security breaches across Australia – and every company in a ‘critical’ sector must now achieve compliance.
What are the changes to the SOCI Act?
Although the Security of Critical Infrastructure Act (SOCI Act) was first created in 2018, it has now been updated and expanded, and suddenly affects a new swathe of companies. After the Security Legislation (Critical Infrastructure) Act 2021, the SOCI Act was amended to enhance the security and resilience of critical infrastructure, aiming to protect against potential cyber-attacks and other security breaches. There are now 11 sectors included as critical infrastructure providers, and companies within these sectors have a 6-month window, from February 17 to August 17, 2023, to organise a Risk Management Program (RMP) in compliance with the new regulations.
How disability providers are included in the SOCI Act
Disability providers are not directly mentioned in the list of critical infrastructure providers in the SOCI Act, but they are included under the healthcare and medical sector.
Your company will be considered part of the healthcare and medical sector if it involves:
- The provision of healthcare
- The production, distribution, or supply of medical supplies
And if you are affected, the general requirements for your company will be:
- Create and maintain a critical infrastructure Risk Management Program (RMP)
- Register critical assets and report any cybersecurity events
How can disability providers meet the requirements?
The Risk Management Program (RMP) is the most time-consuming aspect of these requirements and will be the part that looms overhead as the August 17 deadline moves closer. For disability providers in the healthcare and medical sector, developing your RMP involves determining which components and sites of your asset are critical, and then analysing how its operations may be harmed by threats and hazards.
Let’s strip away the legal jargon and use the example of a hospital to illustrate. In this case, the critical sites (physical locations that are required for it to function) could be the intensive care units or data centres for Information and Communication Technology (ICT) services. And the critical components could include air conditioning and ventilation systems, or the ICT systems in the data centres.
Your job is to do what is ‘reasonably practicable’ to minimise and mitigate any risks that could affect these aspects of your asset; simply replace the hospital with your company’s own critical asset. The plan you devise based on your analysis of these risks is your RMP. (Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector, 2022)
Consequences of non-compliance, through the Medibank lens
Disability providers handle sensitive, personal information, and carry out work that has a direct effect on participants’ everyday lives and well-being, so the effects of a data or security breach can be deeply damaging.
“An outage affecting a critical asset in the healthcare and medical sector could result in significant economic or societal implications, with effects including loss of life, reduced patient care, reputational damage, and financial and productivity loss.” (Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector, 2022)
We only need to look to Medibank to see the financial and societal implications of a healthcare data breach. In October 2022, Medibank was hacked by a Russian ransomware group that released data from millions of customers onto the dark web (Brown, 2023). Personal information such as customers’ addresses, dates of birth, and health claims data was exposed, the latter revealing their medical history (Bogle, 2022).
A law firm has now begun proceedings in the Federal Court to compensate people affected by this breach; the firm states that Medibank failed to take reasonable steps to protect its customers’ information and failed to comply with its legal obligations (Brown, 2023).
What happens if you fail to meet requirements
Even without the potentially dramatic consequences of a breach, providers will face a penalty if they fail to meet their obligations. If you fail to meet the requirements for the Risk Management Program (RMP), you will receive 1,000 penalty units ($275,000) per day until you meet them. You will also be penalised if you fail to meet the annual reporting requirement for your RMP; in this circumstance you will have to pay 750 penalty units ($206,250) per day (Clyde & Co, 2023).
Bogle, A. (2022, Oct 28). Privacy fears for children caught up in Medibank data breach. ABC News. https://www.abc.net.au/news/science/2022-10-28/medibank-data-breach-children-caught-up-privacy-concerns/101584376
Brown, M. (2023, May 5). Law firm launches class action on behalf of millions of customers caught up in Medibank data hack. ABC News. https://www.abc.net.au/news/2023-05-05/medibank-data-breach-class-action-slater-gordon/102307106
Clyde & Co. (2023, February 27). Critical Infrastructure Update: Risk management program obligations under the SOCI Act now ‘turned on’. https://www.clydeco.com/en/insights/2023/02/critical-infrastructure-update-risk-management-pro
Risk Assessment Advisory for Critical Infrastructure Healthcare and Medical Sector. (2022). Cyber and Infrastructure Security Centre. https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/raa-healthcare-medical.pdf