1. Introduction
Ongoing education, training and regular review of cybersecurity and data protection policies are essential in today's digital healthcare landscape. Dermatology is particularly vulnerable due to its reliance on high‐resolution clinical imaging, which often includes personally identifiable and clinically sensitive visual data.
We conducted an audit of cybersecurity and data protection practices of Australian dermatology fellows and trainees. Our electronic survey was constructed using the online survey platform SurveyMonkey and was made available for 1 week to fellows and trainees via an electronic link in the college newsletter. In addition to an electronic invitation submitted to fellows and trainees via the college website, attendees at the Australian College of Dermatologists Annual Scientific Meeting were encouraged to participate in the survey during the CPD session on the 13th of May 2024.
A total of 108 dermatology consultants and trainees completed the survey (Table 1). The results of the survey are shown in Tables 2 and 3.
TABLE 1.
Demographics of respondents.
| Participant characteristics | Number of respondents (%) |
|---|---|
| Contractor in private dermatology setting | 51 (47.2%) |
| Practice owner or principal in private dermatology setting | 54 (50.0%) |
| Visiting Medical Officer (VMO) or staff specialist in the public health system | 33 (30.6%) |
| Contractor in not‐for‐profit health system | 11 (10.2%) |
| None of the above | 1 (1.0%) |
| Others | 4 (3.7%) |
TABLE 2.
Workplace data protection practices.
| Workplace data protection practice / response | Number (%) |
|---|---|
| Employment of data protection officer | |
| Yes | 34 (31.5%) |
| No | 42 (38.9%) |
| Not aware that one was needed | 7 (6.5%) |
| Unsure | 25 (21.2%) |
| Patients consented to practices' privacy and data handling policy | |
| Yes | 61 (56.5%) |
| No | 24 (22.2%) |
| Unsure | |
| Use of electronic medical records (EMR) or paper‐based records | |
| Paper‐based records | 3 (2.8%) |
| EMR | 71 (65.7%) |
| Mix of EMR and paper‐based records | 34 (31.5%) |
| Location of data storage | |
| On premises | 12 (11.1%) |
| Cloud storage | 23 (21.3%) |
| On premises and cloud | 53 (49.1%) |
| On premises and off site (not cloud) | 17 (15.7%) |
| Others/Not applicable | 3 (2.8%) |
| Regular backup of EMR data | |
| Yes | 82 (75.9%) |
| No | 5 (4.6%) |
| Do not know/Need to check | 17 (15.7%) |
| Not applicable | 4 (3.7%) |
| Procedures for assessing patient data | |
| Paper‐based system with restricted access | 3 (2.8%) |
| Paper‐based system that all employees can access | 5 (4.6%) |
| EMR with individual login for each employee | 93 (86.1%) |
| EMR and shared login for employees | 6 (5.6%) |
| Not applicable | 1 (1.0%) |
| Policy on use of personal devices for work purposes | |
| Yes | 34 (31.5%) |
| No | 43 (39.8%) |
| Yes, but not enforced | 6 (5.6%) |
| Don't know | 24 (22.2%) |
| Others | 1 (1.0%) |
| Provision of cameras, clinical images and/or dedicated non‐personal smartphones for clinical photographic/dermatoscope images | |
| Yes | 73 (67.6%) |
| No | 27 (25.0%) |
| Yes, but not convenient to utilise | 8 (7.4%) |
| Personal smartphones for patient clinical images | |
| Never use personal smartphone to take or review patient images | 32 (29.6%) |
| Use personal smartphone for clinical work using appropriately encrypted applications and patient images/data are not stored on my phone | 15 (13.9%) |
| Occasionally use personal smartphone to take or review patient images (photos stored on device or received by SMS) | 56 (51.9%) |
| Regularly use personal device to assist/document patient encounters or provide/triage telehealth consultations | 5 (4.6%) |
| Regular cybersecurity and data protection training for employees | |
| Yes | 12 (11.1%) |
| Yes, but not for a while | 17 (15.7%) |
| No | 60 (55.6%) |
| Do not know | 19 (17.6%) |
| Prior or available data protection and cybersecurity training | |
| Yes within 2 years | 14 (13.0%) |
| Yes, but over 2 years ago | 4 (3.7%) |
| No | 85 (78.7%) |
| Do not know | 5 (4.6%) |
| Education or enforcing strong password policies | |
| Yes | 45 (41.7%) |
| No | 26 (24.1%) |
| Up to individuals | 35 (32.4%) |
| Unsure | 2 (1.9%) |
TABLE 3.
Cybersecurity awareness of dermatology consultants or fellows.
| Survey question / response | Number of respondents (%) |
|---|---|
| Do you use a shared password for EMR | |
| Yes | 10 (9.3%) |
| No | 97 (89.8%) |
| Unsure | 1 (1.0%) |
| Does anyone else know your EMR password | |
| Yes | 25 (23.2%) |
| No | 75 (69.4%) |
| Unsure | 8 (7.4%) |
| The last time you changed or asked to change EMR password | |
| More than 2 years ago | 27 (25.0%) |
| More than 1 year ago | 29 (26.9%) |
| Within last 6 months | 17 (15.7%) |
| Within last 3 months | 15 (13.9%) |
| Never | 20 (18.5%) |
| EMR remote access | |
| Yes | 91 (84.3%) |
| Yes, but have not used it | 3 (2.8%) |
| No | 14 (13.0%) |
| VPN and/or two factor authentication for remote access to EMR | |
| Yes | 69 (67.6%) |
| No | 17 (16.7%) |
| Unsure | 16 (16.0%) |
| *6 respondents had skipped this question | |
| Email filters and anti‐phishing tools at workplace | |
| Yes | 58 (53.7%) |
| Have been offered but do not use them | 2 (1.9%) |
| No | 17 (15.7%) |
| Use personal email on work computer | 20 (18.5%) |
| Do not use emails at work | 13 (12.0%) |
| Confidence in recognising phishing emails | |
| Yes | 25 (23.2%) |
| Somewhat confident | 63 (58.3%) |
| Low confidence | 17 (15.7%) |
| Do not know what a phishing email is | 1 (0.9%) |
| Unsure | 2 (1.9%) |
| Do you ask colleagues regarding management of difficult cases or diagnostic dilemma | |
| Yes | 93 (86.1%) |
| No | 15 (13.9%) |
| If yes, modality used for image transfer | |
| iMessage | 13 (15.9%) |
| | 37 (45.1%) |
| Official government health email | 7 (8.5%) |
| Regular email | 25 (30.5%) |
| *26 respondents skipped this question | |
| Where are photos stored | |
| Electronic medical records | 26 (28.3%) |
| Work computer | 19 (20.7%) |
| Phone/Tablet | 18 (19.6%) |
| Cloud server | 15 (16.3%) |
| Camera | 2 (2.2%) |
| Hard drive | 1 (1.1%) |
| Deleted after discussion | 9 (9.8%) |
| No photos taken | 2 (2.2%) |
| *32 respondents skipped this question | |
| Telehealth consultations | |
| Yes | 57 (52.8%) |
| No | 16 (14.8%) |
| Sometimes | 18 (16.7%) |
| Rarely | 17 (15.7%) |
| Type of telehealth consultation | |
| Audio | 45 (42.9%) |
| Teleconferencing | 12 (11.4%) |
| Audio and teleconferencing | 35 (33.3%) |
| Not applicable | 12 (12.4%) |
| *3 respondents skipped this question | |
| Telehealth platforms | |
| WhatsApp on work phone | 6 (5.7%) |
| Facetime on work phone | 20 (19.1%) |
| Secure teleconferencing platform on work computer | 37 (35.2%) |
| Not applicable | 42 (40.0%) |
| *3 respondents skipped this question | |
| Photographs sent by patients prior to telehealth consultations | |
| Always/most of the time | 43 (40.6%) |
| Sometimes | 32 (30.2%) |
| Rarely | 9 (8.5%) |
| No | 22 (20.8%) |
| *2 respondents skipped this question | |
| Receiving photographs from telehealth patients | |
| Via work email | 25 (23.6%) |
| Via work phone | 1 (0.9%) |
| Via practice reception email | 56 (52.8%) |
| Not applicable | 24 (22.6%) |
| *2 respondents skipped this question | |
| Opt in to receive phishing scam exercise via email | |
| Yes | 80 (74.1%) |
| No | 28 (25.9%) |
Note: An asterisk (*) beneath a question indicates the number of respondents who skipped that question; percentages for those questions are calculated on the respondents who answered.
2. Discussion
The digital transformation of healthcare businesses has led to increasing vulnerabilities to cyber threats. Cybersecurity incidents can have serious repercussions, including medicolegal consequences, reputational damage and financial losses [1].
Our survey shows a substantial gap in the employment of a data protection officer and in awareness of patient consent policies, which points to an area for improvement. Although most participants use electronic medical records (EMR) to document patient data, some participants use only paper‐based records or a combination of both. Reassuringly, the majority of participants reported using systems with regular onsite, offsite or cloud‐based backups of their EMR and secure access via unique user credentials.
There is a disparity in cybersecurity awareness and education among dermatology fellows and trainees, particularly in cybersecurity training and in the use of personal devices for reviewing clinical images. Telehealth is widely adopted, but telehealth practices and the use of secure teleconferencing platforms vary, and fewer than half of the respondents use a secure platform on a work computer. This places practitioners at risk, as studies have identified inadequate data protection and weak or absent passwords as major contributors to data breaches [1].
Healthcare providers may communicate electronically if reasonable safeguards are in place, consistent with the Code of Conduct for Doctors and privacy law [2]. Under Australian Privacy Principle 11, health information must be protected from misuse, loss, or unauthorised access. Failure to take reasonable steps may constitute a privacy breach with legal consequences [3]. Informed consent must be obtained from patients prior to telehealth appointments and when collecting or disclosing any medical information [3]. Secure platforms with features such as end‐to‐end encryption, MFA for hosts, and access controls using meeting ID, passwords, and secure meeting links are recommended [4].
Recommendations include the use of passphrases—a series of unrelated words with numbers or special characters [5]. Multi‐factor authentication (MFA) provides additional protection against unauthorised access. This involves a username or passphrase; a unique code obtained from a token, text message, or smartphone application; and a characteristic unique to the user, like a fingerprint or facial scan [4]. Regular software updates, installing anti‐virus software, and ad‐blocking browser plugins on work computers can ensure network and device security [5]. Frequent backup of patient data can prevent losing information in the event of a security breach. A data breach response plan should also be formulated in preparation for these security breaches [6]. General data protection practices should be implemented at an organisational level. These include implementing role‐based access controls with individual logins, as well as security audits to identify and address potential threats [7].
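Two of the controls recommended above, passphrases and role‐based access with individual logins plus periodic audit, are illustrated below in Python. This is example code added for this page, not code from the authors or from any of the cited guidance; the wordlist, the role‐to‐permission policy, the action names and the user records are constructed samples. The entropy function shows why a passphrase of several unrelated words resists guessing, and the audit routine shows what a shared login costs: an action taken under it can be authorised by role but can never be attributed to an individual.

```python
import math
import secrets
from dataclasses import dataclass

# Constructed sample wordlist for illustration only. A production generator
# would draw from a large published diceware-style list (7776 words gives
# about 12.9 bits per word) rather than 16 words.
WORDLIST = [
    "coral", "lantern", "velvet", "quartz", "meadow", "pixel", "harbour",
    "saddle", "tundra", "whisker", "ember", "glacier", "orbit", "nectar",
    "cobalt", "thistle",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int,
                            digit_count: int = 0) -> float:
    """Entropy (in bits) of a passphrase made of word_count words chosen
    uniformly at random from wordlist_size words, plus digit_count random
    decimal digits. This is the guessing resistance the policy actually buys."""
    return word_count * math.log2(wordlist_size) + digit_count * math.log2(10)


def generate_passphrase(word_count: int = 4, wordlist=WORDLIST) -> str:
    """Unrelated words joined by '-' with two random digits appended.
    secrets (not random) is used so the choice is not predictable."""
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    digits = f"{secrets.randbelow(100):02d}"
    return "-".join(words + [digits])


@dataclass
class User:
    username: str
    role: str             # e.g. "clinician", "reception", "admin"
    shared: bool = False  # True if this login is known to be used by several people


# Constructed role-to-permission policy (hypothetical action names).
PERMISSIONS = {
    "clinician": {"read_record", "write_record", "view_images"},
    "reception": {"read_demographics", "book_appointment"},
    "admin": {"read_record", "read_demographics", "manage_users"},
}


class EmrAccessControl:
    """Role-based authorisation for EMR actions with a per-action audit log."""

    def __init__(self, permissions=PERMISSIONS):
        self.permissions = permissions
        self.log = []

    def authorise(self, user: User, action: str, patient_id: str) -> bool:
        allowed = action in self.permissions.get(user.role, set())
        # Every decision is logged, allowed or not, so an audit can reconstruct
        # who did what to which record.
        self.log.append({
            "user": user.username, "role": user.role, "shared": user.shared,
            "action": action, "patient": patient_id, "allowed": allowed,
        })
        return allowed

    def audit(self) -> list:
        """Review the log the way a periodic security audit would: surface
        denied attempts, and flag actions taken under a shared login, which
        cannot be attributed to an individual."""
        findings = []
        for e in self.log:
            if not e["allowed"]:
                findings.append(
                    f"DENIED: {e['user']} ({e['role']}) attempted "
                    f"{e['action']} on patient {e['patient']}")
            if e["shared"]:
                findings.append(
                    f"UNATTRIBUTABLE: shared login {e['user']} performed "
                    f"{e['action']} on patient {e['patient']}")
        return findings


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("bits (4 words, 16-word list, 2 digits):",
          round(passphrase_entropy_bits(4, len(WORDLIST), 2), 1))
    print("bits (6 words, 7776-word list):",
          round(passphrase_entropy_bits(6, 7776), 1))

    ac = EmrAccessControl()
    dr = User("dr_smith", "clinician")
    front_desk = User("reception_shared", "reception", shared=True)
    ac.authorise(dr, "view_images", "P001")
    ac.authorise(front_desk, "view_images", "P001")       # denied by role
    ac.authorise(front_desk, "book_appointment", "P001")  # allowed, but unattributable
    for finding in ac.audit():
        print(finding)
```

The audit output makes the point of Tables 2 and 3 concrete: the shared reception login is correctly denied image access by its role, yet even its legitimate appointment booking is recorded as unattributable, which is exactly the accountability gap that individual logins close.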
Our survey identified several critical areas for improvement in cybersecurity practices within dermatology settings. These include a clear need for more regular cybersecurity training, both for dermatologists and their team members. Inconsistent practices and knowledge around password protection have led to many participants not routinely reviewing password security measures. Approximately one‐third of respondents were either unaware of the security features associated with their remote EMR access, or were using access methods that do not meet recommended security standards. There is a significant gap in training related to phishing awareness, highlighting the need for ongoing education to help clinicians and staff identify and manage suspicious communications. These findings underscore the importance of proactive, structured cybersecurity protocols and ongoing education to safeguard sensitive clinical data.
3. Conclusion
Cybersecurity and data protection awareness in healthcare is paramount to maintain the confidentiality of patients. Our audit shows a disparity in current cybersecurity and data protection practices among dermatologists and dermatology trainees; hence, further education and training is needed in this digital space.
Conflicts of Interest
The authors declare no conflicts of interest.
Acknowledgements
The authors would like to acknowledge the Australasian College of Dermatology for their support in organising the Continuous Professional Development activity. The authors would also like to acknowledge MIGA for medico‐legal advice. Open access publishing facilitated by University of New South Wales, as part of the Wiley ‐ University of New South Wales agreement via the Council of Australian University Librarians.
Funding: The authors received no specific funding for this work.
Data Availability Statement
Data sharing is not applicable to this article as no new data were created or analyzed in this study.
References
- 1. Seh A. H., Zarour M., Alenezi M., et al., "Healthcare Data Breaches: Insights and Implications," Health 8, no. 2 (2020): 133.
- 2. AHPRA, Good Medical Practice: A Code of Conduct for Doctors in Australia (2020), https://www.medicalboard.gov.au/Codes‐Guidelines‐Policies/Code‐of‐conduct.aspx?TSPD_101_R0=08c403b005ab2000cbd4e7eb5fd92c393ca5abe7152fcc9d9700749cf31277c2235cf3bc6bf0199d084c665abc1430004d410f8aafd8df61acd6890490f21d6589a1744fd99fb2a347513e3763acc21df6a422e8e4b33c7fc73115ec6306823c.
- 3. Office of the Australian Information Commissioner, Guide to Health Privacy (2019), https://www.oaic.gov.au/__data/assets/pdf_file/0011/2090/guide‐to‐health‐privacy.pdf.
- 4. Australian Digital Health Agency, Using Online Conferencing Technologies Securely (2021), https://www.digitalhealth.gov.au/sites/default/files/2020‐11/Online_conferencing_technologies‐Connected_secure_consultations.pdf.
- 5. Australian Digital Health Agency, Information Security Guide for Small Healthcare Businesses (2018), https://www.digitalhealth.gov.au/sites/default/files/2020‐11/Information_security_guide_for_small_healthcare_businesses.pdf.
- 6. Nifakos S., Chandramouli K., Nikolaou C. K., et al., "Influence of Human Factors on Cyber Security Within Healthcare Organisations: A Systematic Review," Sensors 21, no. 15 (2021): 5119.
- 7. Bhuyan S. S., Kabir U. Y., Escareno J. M., et al., "Transforming Healthcare Cybersecurity From Reactive to Proactive: Current Status and Future Recommendations," Journal of Medical Systems 44 (2020): 1–9.