Tuesday, July 23, 2013

Another Warning To Take EHealth Security Seriously. The Risks Are Rising With The NEHRS/PCEHR.

This appeared a day or so ago:

Health professionals asked to consider security as priority

Sunday, 21 July 2013 06:00

HEALTH providers need to instil a culture of security when safeguarding their medical data to avoid becoming the weakest link in the national eHealth system, according to Edith Cowan University (ECU) researchers.
Security experts at ECU’s Security Research Institute say security is not well regarded by medical professionals and is usually an afterthought they are reluctant to invest time and money in.
“Security as part of requirements engineering is now seen as an essential part of systems development in several modern methodologies,” senior lecturer Mike Johnstone says.
“However, medical systems are one domain where security is seen as an impediment to patient care and not as an essential part of a system.”
He says this attitude makes developers less likely to include advanced security protocols into their products.
“Unfortunately, most software is insecure. This is due to the tension between functional requirements [as seen by a customer] and security requirements [which often are not],” Dr Johnstone says.
“Security is often relegated when shipping dates approach because developers know clients see functionality and don’t think about security as much.”
ECU senior lecturer Trish Williams says the weakest point of the upcoming national eHealth system is with the end users such as health practices and hospitals.
She says there is no security culture among medical practitioners which keeps it from becoming an integral part of operations.
“Medical systems appear especially problematic as their primary focus is patient care and security is either assumed or ignored,” she says.
More here:
I have to say all this is totally correct. As far as what to do about the issue, this is a very good place to start - and it was only updated a few weeks ago.

Computer and information security standards and templates

The second edition of the RACGP Computer and information security standards (CISS) provides general practices with information and recommendations that will raise awareness of contemporary security issues and help protect against potential exposure to loss of sensitive data.
The CISS provides general practice with a framework for evaluating risks, and guidance and solutions to improve competency and capacity in computer and information security. This edition includes additional information to support GPs and their practice teams develop policies that relate to participation with the Personally Controlled Electronic Health Record (PCEHR).
The Computer and information security templates enable general practices to build a comprehensive suite of computer and information security policies and procedures. This document is designed in an interactive PDF format; for practices to download, fill out and save electronically.
This project has been funded by the Australian Government Department of Health and Ageing.
The page with (free) download links is here:
Well worth a look and some consideration.
David.

8 comments:

Anonymous said...

Amazed that there are no comments obviously security and privacy of patient information is not a concern to the broader healthcare fraternity...

Anonymous said...

"Amazed that there are no comments (sic) obviously security and privacy of patient information is not a concern to the broader healthcare fraternity..."

One interpretation and a very large assumption!

There are certainly many others if you think hard enough and try hard enough for long enough...

For example, there is ZERO Risk of any breach to the privacy of patient information within the NEHRS/PCEHR if there is NO Patient Information contained therein to begin with.

By the very low participation rates with the NEHRS/PCEHR and the even extremely lower rates of "Private Patient Information" uploaded to the NEHRS/PCEHR as Health Summaries, the broader healthcare fraternity may well be exercising this Low Trust/Even Lower Risk option.

As another interpretation and professed assumption for the relevance of minimal if any comments to this BLOG Post, and the subsequent heightened concern around the privacy of patient information within the broader healthcare fraternity...

For those that TRUST the Government, DOHA and NEHTA with their "Private Patient Information" within the NEHRS/PCEHR, Good Luck to them!

K said...

It's a bit confusing to know that people want to know whether they trust NEHTA or not.

NEHTA has nothing to do with the operational PCEHR. It just develops the technical specifications. DOHA runs it, and sets the privacy rules.

Anonymous said...

Why the confusion "K"?

As you state, "(NEHTA) just develops the technical specifications."

Then by this reasoning and by analogy, driving over a "Toll Bridge" warrants no TRUST of the Engineers that specify its design and performance parameters, and only warrants Trust in the Tollway Operators and maybe by extension, the road maintenance crews and State Road Authority?

Of course NEHTA is included in the NEHRS/PCEHR chain of TRUST, as if it's flawed by design at its specification stage (including the Security Requirements), then no PCEHR/NEHRS Operator will be bright enough and sharp enough to pick-up and compensate for ALL the design flaws and unknown security holes compromising the security and privacy of patient information.

Still confused?

If so, then exercise your right to "blind faith" and TRUST your Government, DOHA and NEHTA with your "Private Patient Information".

It's yours after all to share and risk at your discretion!

K said...

Well, the specific issue was about ongoing management of access to information. Given that NEHTA has no standing here, the trust issues are entirely different. In a wider context, yes, trust in NEHTA is still required, since not all the inputs NEHTA makes are public.

Anonymous said...

K, you are correct that NEHTA has no ongoing role to play once the system is built and complete.

But most in the information management industry would say they should have no further involvement in trying to repair the current PCEHR design that NEHTA was involved with.

The base platform structure, access controls, registration and re-registration processes, authentication are all fundamentally flawed and that is not even one 100th of the issues.

Let's take usability, functionality, meaningful contents, all inclusiveness from every stakeholder's perspective, data ownership and mining, privacy issues etc. etc. etc.

Let's face reality. On the surface it appears that the PCEHR was designed and built by Academics with no real life experiences and importantly with organisations who have consulted on other globally failed EHR systems. A great recipe for disaster and that is what we have.

Reasoning is as follows -

Just ask 94% of Doctors who are the key stakeholders in this project that have yet to add anything to the PCEHR. I believe NEHTA is now trying to engage with a GP from WA to assess what the issues are, just because he called for the system to be scrapped. 5 years too late, methinks.

Also just ask the 500,000 registered users with less than 10% actively using the system.

Why? Because the current PCEHR design does not meet their needs.

Stop wasting taxpayers' money until the system is fully reviewed and all stakeholders have had their say.

Enough is enough.

Anonymous said...

I have read through the various articles linked to the post and had a good look at the RACGP standards.

The RACGP standards are well thought out and provide health professionals with a baseline to work from.

My question is who ensures that GPs and health professionals adhere to these standards as published?

I believe that AGPAL and other accreditation providers are based on Peer review, so if that is the case what experience do other GPs have when investigating and reviewing practices' IT environments and security systems?

Or is this not included in the review process?

Anonymous said...

Those in charge in DOHA will be very aware of the increased threat they have imposed on vulnerable practices. I recall over a year ago at one of the PCEHR presentations the security team bluejacked an audience member's smartphone and then went on to explain how one of them had hacked a GP's network from the waiting room and located the files the NASH cert would be located. I doubt much would have happened to address this; the PCEHR has been and will remain a victim of reactionary planning and rushed implementation dates.