Thursday, April 25, 2013

Look After Your Patient’s Electronic Health Information Effectively Or Suffer The Consequences.

The following is a draft short article for a Health Magazine - Comments welcome.
-----
It is quite clear, and very well known, that individuals who entrust their private information to clinicians and organisations have a high level of expectation regarding the protection of the privacy and security of that information. Individuals and organisations that do not meet those expectations can expect to suffer substantial reputational, if not also financial, damage.
In the last few months there have been a few incidents that have served to remind both practitioners and hospitals that it is important to be really careful with their patients' private health information.
One spectacular recent health-related breach was when a Queensland general practice had its patient records accessed and then encrypted by a foreign hacker, who then demanded a ransom to give back the information. A bad few days followed, as the practice suddenly had to revert to paper records because, sadly - and incompetently - the practice lacked a recent backup of its patient data. [1] According to Medical Observer the Queensland Police were aware of 11 similar attacks on practices in 2012. [2]
On the broader front we have a recent report from the Commonwealth Privacy Commissioner indicating that there were 46 breach notifications in 2011-2012 - and this figure was reached without there being any current legislation requiring breach reporting. Organisations as large as Sony, Telstra and Dell Australia have all recently been investigated by the Commissioner for significant breaches.[3]
Usefully there has been a recent survey of patient attitudes and expectations for health information security and privacy. I published a blog post with links to reports that summarised attitudes to electronic health record security in both the US and the UK. On the safe assumption that the Australian public would have similar views, we can be pretty confident that well over 80% of the population have high expectations for the security of their information - especially if the information held contains details of illnesses and conditions whose disclosure may result in prejudice and discrimination. [4]
With that background it is important to realise that there is a range of responsibilities that holders of health information have - noting that the same principles apply to both hospitals and office-based practices. First, and key, they have a responsibility to ensure that health information is not accessed by those who should not have access, and also that the same information is indeed accessible to those who have a genuine need for it. Second, they have a responsibility to preserve the existence and integrity of the information, so that it is available when needed by an authorised individual and is not in any way altered or corrupted (this means that regularly tested backups must be made of all sensitive patient information, and that those backups must also be protected). Third, there is a responsibility, when information is being transferred or shared, to ensure that the path by which it is shared is similarly reliable and secure (lost backup tapes, disks and laptops on which unencrypted information is found account for many of the breaches where thousands of individuals are affected).
In recent years the provision of technology solutions that meet these broad principles has been made increasingly difficult by some technology trends. The first and most important is that most holdings of health information are no longer functionally isolated, due to the pervasive intrusion of internet connectivity. Back when such holdings were held on standalone computers with no network connectivity, securing the information was considerably simpler than it is now. It was clear where the information was held and who controlled it, and access could be managed with a high degree of rigour. Further complexity has emerged in the last few years, with the location of at least some information becoming very blurred as the use of 'cloud computing' techniques (which reduce the cost of computer processing and storage) widens and more and more information is stored in the nebulous and location non-specific cloud. Additionally, with the widening use of internet-enabled portable devices (phones and tablets), the locations from which information is accessed are vastly increasing in number, making information and access security that much harder. Both cloud computing and the wider deployment of mobile devices are seen as making the health information security challenge harder. [5]
If we accept that it is the responsibility of all health care providers to properly protect and secure health information from breach and unauthorised leakage then there are a few questions that then arise. I will address these in turn.
Health Information Risks.
The first is to understand how and why health information is, or can be, compromised. Recognising that compromise of electronic information is surprisingly common (and causes real costs [6]) is a first step. To quote a recent article:
“According to Australia's Computer Emergency Response Team (CERT) 2012 Cyber Crime and Security Survey Report in February, 20 per cent of Australian businesses were the subject of hacking or other cyber-attacks last year.
The most serious involved the use of malicious software including ransomware and scareware, which extort payments for the return of data; trojan or rootkit malware, which lodge in the company's systems to steal information; theft or breach of confidential information; and denial-of-service (DoS) attacks.” [7]
Although detailed statistical breakdowns are not available for Australia, there is considerable evidence that - other than the malicious hacking described above - many breaches are due to insider misbehaviour and stupidity (losing unencrypted information on laptops or having passwords on Post-It Notes beside the computer) and occasionally just bad luck (couriers losing backup tapes etc.).
In terms of information loss there is little doubt the biggie is not having a properly developed information backup program, including regular testing of the backup systems to ensure the backed-up information is actually recoverable! Second to this is not having a reasonably recent backup genuinely off-site to protect against theft, fire, flood and the like. It is worth noting that adequate backups are a useful defence against many woes, from equipment failure to computer virus infection.
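The restore drill this paragraph calls for, as an added example that is not part of the draft article: it backs up a constructed set of sample records to a tar.gz archive, records a hash manifest, then restores from the archive into a scratch directory and compares every file, reporting missing files, altered contents and an unreadable (truncated) archive. The file names and sample records are constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import zlib

# Constructed stand-in for a practice's patient data directory (not real records).
SAMPLE_RECORDS = {
    "records/patient_0001.txt": b"constructed sample record 1\n",
    "records/patient_0002.txt": b"constructed sample record 2\n",
    "records/index.csv": b"id,file\n1,patient_0001.txt\n2,patient_0002.txt\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(records: dict, archive_path: str) -> dict:
    """Write the records to a tar.gz archive and return a manifest {path: sha256}.
    Keep the manifest apart from the archive (e.g. with the off-site copy)."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path, data in sorted(records.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256(data)
    return manifest

def restore_test(archive_path: str, manifest: dict) -> list:
    """Restore each manifest entry to a scratch directory and check its hash.
    Returns a list of problems; an empty list means the backup is recoverable."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch, \
                tarfile.open(archive_path, "r:gz") as tar:
            for path, expected in manifest.items():
                try:
                    member = tar.getmember(path)
                except KeyError:
                    problems.append(f"missing: {path}")
                    continue
                data = tar.extractfile(member).read()
                target = os.path.join(scratch, path)  # a real restore, not a dry run
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(data)
                if sha256(data) != expected:
                    problems.append(f"hash mismatch: {path}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems

def run_drill() -> dict:
    """Back up the constructed records, then run three recovery checks: an intact
    archive, a manifest naming a file the archive lacks, and a truncated archive."""
    with tempfile.TemporaryDirectory() as workdir:
        archive = os.path.join(workdir, "practice-backup.tar.gz")
        manifest = make_backup(SAMPLE_RECORDS, archive)
        intact = restore_test(archive, manifest)
        extra = dict(manifest, **{"records/patient_0003.txt": "0" * 64})
        missing = restore_test(archive, extra)
        os.truncate(archive, os.path.getsize(archive) // 2)  # damaged-tape case
        truncated = restore_test(archive, manifest)
    return {"intact": intact, "missing": missing, "truncated": truncated}
```

Run the drill on a schedule against the real off-site copy, and treat any non-empty problem list as an incident to fix before the next backup cycle.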
Compromise Prevention Best Practice.
The second is to consider what might be done by an organisation to prevent such compromise happening in the first place. Here is a list of the major points.
1. Accept that there is a 'clear and present' danger and risk of digital information loss, compromise or breach.
2. Develop a plan to address risk. At the very least this plan should cover ongoing staff / user awareness and education, the regular audit of all digital assets, policies for access and use of both fixed and mobile devices, password and other access control policies and so on.
A recent article quoted Brad Marden, Australian Federal Police acting manager for cyber crime operations, as suggesting the following specifics for inclusion in any plan, which he suggested would prevent 85% of breaches.[8]
“1. Application whitelisting
Application whitelisting helps prevent malicious software and other unauthorised programs from running. The whitelist is a list of specific applications that are permitted to run on a given system.
2. Patch, patch, patch (applications and operating systems)
Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, web browsers and operating systems as soon as patches for known security holes are released.
"A lot of data breaches occur on systems that are not protected, and not up-to-date," says Sean Kopelke, director of security and compliance solutions at Symantec.
3. Passwords and privileges
Minimise the number of users with administrative privileges. Also, check the identity of visiting technicians and change passwords when they leave.
4. Develop information policies
You should treat information in the same way on each platform or device, says Kopelke. "It sounds simple, but implement policies around securing information, not the devices. It is irrelevant where information is stored; the policy on how it is protected should be the same."
5. Educate staff
Often the weakest security link is the human link. Educate staff about how to handle confidential information. Teach them how to assess whether someone who rings asking for information is legitimate and to suspect all emails, links and attachments.
6. Rethink social media
The AFP goes a step further and recommends implementing policies banning employees from accessing social media sites at work, as these sites can allow malware to infiltrate company systems. Many security companies, however, recommend mitigating this risk with specialist applications and security modules to accommodate social media in the workplace.
7. Report
As far as security breaches go, Marden finds it strange that organisations don't report cyber compromises, but they do report burglaries. Australia does not have mandatory breach disclosure laws as is the case in the US.”

Not mentioned here - but also certainly worth considering - is the issue of data breach insurance, which is increasingly available and makes some sense for anyone handling sensitive information.
Legislative and Ethical Requirements.
The third is to understand clearly just what is required by best practice and legislation.
As indicated above there is a clear expectation on the part of the public that their health information will be kept both secure and private. In response to the public requirement for information privacy - with respect to all sorts of personal information (financial, health etc.) - a range of legislation has been passed over the years.
At the time of writing Australian legislation is in a state of flux, with some major changes to the foundational Commonwealth Privacy Act (1998) having been passed last year (2012) and legislated to come into effect in March 2014.[7] The modifications harmonise the Privacy Principles, widen the scope of organisations covered by the act, change a range of credit reporting laws and also toughen the enforcement regime.
There is a dedicated web page covering the changes which can be found here:
The biggest change that is relevant to the health sector is the change from the National Privacy Principles to a new set of unified Australian Privacy Principles (APP), which happens in March 2014. Health information privacy being a little different, there are some specific use cases defined where health information can appropriately be collected, used and disclosed. All those involved in handling health information (in any form, both paper and electronic) would be well advised to review their present and future obligations. The general web site is found here:
The Commonwealth Privacy Commissioner (who is a key part of the Office of the Australian Information Commissioner (OAIC)) also has a role in the administration and enforcement of the special legislation which was developed to cover the privacy aspects of the Health Identifier Service and the Personally Controlled Electronic Health Record (PCEHR), where there are some quite strict rules for breaches and significant penalties available.
Sadly, there appear recently to have been major staff losses within the Office of the Privacy Commissioner, so there are some doubts as to just how effective the enforcement regime will be going forward.
The ethical situation when handling sensitive private information …..
Information Sources.
Lastly, it is important for organisations to know where help can be sourced.
The key resource provided by Government to manage cyber-attacks and infiltration is, at present, CERT (Computer Emergency Response Team) Australia. They provide a useful web site here:
In due course CERT Australia is to become part of an expanded Australian Cyber Security Centre which was announced by the Prime Minister in January 2013. [9]
There is guidance available on how information compromise and leakage should be addressed, found at this link, which is part of the Office of the Australian Information Commissioner.
Additional information which might assist smaller organisations (especially medical practices) in preparation for and prevention of information security issues is available from the Royal Australian College of General Practice (RACGP) web site. The following link provides a very useful set of freely available resources:
These three sites will provide a useful start for any organisation wishing to assess their current and desirable future state in securing the sensitive information they hold.
In summary, patients expect their private health information to be managed securely and appropriately in the context of current and future legislative privacy and information protection requirements. Not paying proper attention to these issues invites both reputational and financial damage - to say nothing of the potential damage to patients.
Finally, this headline from Wired Magazine puts the risk in clear perspective - it is not a matter of if but when!

World’s Health Data Patiently Awaits Inevitable Hack

See here for the article.
The next step is yours!
References.
-----
David.

9 comments:

Anonymous said...

Dear David

I have been banging on about the issue of Privacy, Cyber Security and Cyber Threats for some time on a variety of health related sites, but no one wants to pay any attention to a massive problem that will occur commencing in March 2014 or if not before.

Yes as you have outlined, patient and sensitive information is going to be an issue for many Australian healthcare professionals and providers into the future.

With the beefed up Privacy Act Amendments and discussions about mandatory breach notification laws awaiting passage, healthcare professionals will have to re-assess their exposure to cyber threats and risks, or not only face regulatory penalties but potential class actions from patients for remediation services like credit file monitoring.

This equates, based on market estimates, to around $200 per record. The math is simple: 1,000 patients x $200 = $200,000.

As I mentioned, I see a "big elephant in the room" that no one wants to see or mitigate against, that is a significant data breach of sensitive patient information and a subsequent "Class Action" against the offending practice by the patients. It is just around the corner; the US, Canada and the UK are already seeing this, and Australia will be next.

We have a flu shot to prevent us getting the flu, the same applies to IT environment security. Put tools and systems in place to prevent a data breach or privacy event occurring. It could cost a few dollars now, but could save a lot more down the track.

Additionally there are affordable cyber insurance policies to assist with additional peace of mind.

Time to act to make environments more defensible against cyber attacks and not just after an event. It is too late then, trust me, loss of income and reputation.

Happy to help David further.

- Privacy Paul

Bernard Robertson-Dunn said...

Privacy Paul.

You might want to modify your "no one wants to pay any attention to a massive problem" statement to "no one responsible for delivering eHealth in Australia wants to pay any attention to a massive problem ..."

There are plenty of people who agree with you and I'm one of them.

However, I'd add that in addition to issues of Privacy, Cyber Security and Cyber Threats that involve Information Systems, there are also other, external issues that impact patient data.

If you take banks and cash as a metaphor, the banks can have all the physical protection in the world so that no-one can get at the cash, but if someone "persuades" a legitimate customer to hand over their cash, then no amount of physical security will help.

For example, I was at a dentist's waiting for my appointment and heard the receptionist call Medicare on the phone. The receptionist had a phone conversation about a patient, quoting all the identification details to fully identify the patient, along with what she was being treated for.

It's the human behaviours that need to be addressed. Legislation may help in some cases but the problem with information is you can't get it back, once it's been shared or taken.

And on the issue of insurance, it can have the opposite effect. If a medical centre thinks that they are protected from financial penalties because they have insurance, they may be lax in protecting patient information. I'd rather the medical centre knew that if they were party to a data breach, they would suffer significant penalties. Their behaviour might be somewhat different, but a lot more responsible.

Anonymous said...

Good points Bernard and there are many other issues besides the ones that I have pointed out.

I however am very pleased that you have joined in the dialogue, as most people in health tend to avoid discussing this topic generally, as you noted and I am not sure why?

Maybe you can shed some light on this?

To your point about insurance, yes insurance, can have an opposite and adverse effect in some instances.

However to obtain cyber insurance coverage you must answer certain questions as the risks are much higher than normal insurance such as house or car insurance.

If you do not meet the minimum requirements of the policy you do not obtain coverage, until you rectify the areas of concern. This knock-back approach to cyber insurance also makes practices aware of areas that they need to be more diligent in (and hopefully rectify).

Additionally, if you obtain coverage but fail to answer the questions truthfully, have a breach, make a claim and are found not to have answered the questions accurately, the insurer will decline your claim and the offending practice would be on the hook for whatever statutory penalty and class action may present.

Excuse the pun and as my father says "Honesty is the best Policy"

Privacy Paul

Terry Hannan said...

David, this is an excellent topic to discuss. As stated already ~85% of unauthorised access to medical records in hospitals is by staff who have no rights to access these records - including doctors and nurses. I was trying to find the reference to the study showing the risks to health data networks from USB devices that act as a 'remote device' to the network. Some institutions will not permit the use of USB devices on their networks. For docs storing records on USBs the LOSS of records becomes a very high risk. Terry

Anonymous said...

You wouldn't happen to run a company specialising in security and now offering cyber security insurance packages would you Privacy Paul??

http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=1363:does-your-practice-need-cyber-insurance&catid=16:australian-ehealth&Itemid=328

As they say, "Honesty is the best Policy"..

Paul Fitzgerald said...

"You wouldn't happen to run a company specialising in security and now offering cyber security insurance packages would you Privacy Paul??"

The amazing perception of this group is one of the strengths, I think! :-)
But David, quite rightly, frowns on blatant advertising on his site.
Sometimes it is difficult to get a message out, so highlighting the issues is a nice, subtle way of spreading the word. (By the way, I am a different "Paul".)

Anonymous said...

You wouldn't happen to run a company specialising in security and now offering cyber security insurance packages would you Privacy Paul??

You are very clever to work that out and to answer your question, Yes I do, and proud of it. It is interesting to see how people knock others who come up with innovative ways to assist organisations overcome issues that they may face day to day.

Anon - Don't hide come out

Privacy Paul

Anonymous said...

Here's a couple of additional pieces of reading material about the importance of privacy.

http://www.cio.com.au/article/460454/good_privacy_builds_brand_trust_ernst_young/?fp=16&fpid=1

http://www.zdnet.com/livingsocial-confirms-hacking-more-than-50-million-accounts-affected-7000014606/

http://www.scmagazine.com.au/News/341436,dreyfus-backs-mandatory-data-breach-laws.aspx?eid=7&edate=20130430&utm_source=20130430&utm_medium=newsletter&utm_campaign=daily_newsletter

For Privacy Paul

Anonymous said...

I am very clever.

Genuinely, not knocking your efforts. You obviously believe in this or you wouldn't be going to the trouble of setting up your new product.

Just thought that perhaps a "*Disclaimer: I offer a product in this area" might have been in order - transparency and all that.

Yes, I realise this is a strange comment from someone posting anonymously. I am not selling a "transparency" product/service though so I think I can argue for it without attaching my name.