Sunday, November 15, 2015

Now Here Is An Article The PCEHR Proponents Will Not Be Happy About! Their Security Planning Is Not Up To Scratch!

This appeared last week:

Practices fail the eHealth test

9 November 2015
SEVEN GP practices assessed for eHealth PCEHR privacy safeguard compliance all failed to fulfil the requirements — sometimes for simply not activating the screensaver lock when a computer was left unattended. 
That assessment is one of five audits the Office of the Australian Information Commissioner (OAIC) has undertaken, according to its 2014–15 report. 
The report refers to the audits and says no complaints of breaches were made to the independent PCEHR overseer, but that “a number of recommendations” had been accepted by the health department. 
One of these assessments, not contained in the annual report, scrutinised eHealth security in the seven clinics — all active eHealth system users and Health Provider Organisation (HPO) members — between December 2014 and April 2015.
One clinic was considered a high risk for privacy breach (defined as requiring “immediate management attention”) because it had no written policy about who could access the eHealth system.
Other clinics displayed various security problems, defined as medium and low risk, including:
  • Lack of ‘password diligence’, seen as a medium risk for unauthorised access to the eHealth system
  • No procedures at any practice for handling ‘record codes’ for locking parts of a patient’s eHealth record
  • No process for handling privacy complaints
  • Staff unaware of Privacy Act requirements
  • Staff with access who did not need or want to use the system 
  • Screensavers that didn’t revert to log-in mode when left unattended
  • Inconsistent recording of privacy and eHealth training.
Lots more here:
Now for a few links to the source information.
First the report that resulted in this article. It can be found here:
Here are the recommendations:

Summary of recommendations

2.4 The OAIC makes the following recommendations to address the issues discussed in Part 6 of this report:

Recommendation 1 — review and update policies and procedures

2.5 The OAIC recommends that assessed GP clinics undertake a review of all relevant policies so that they:
  • specifically, in relation to the eHealth policy required under the PCEHR Rules, ensure the policy:
    • clearly sets out the GP clinic’s current security controls and procedures for accessing the eHealth system and reflects requirements under the PCEHR Rules (in particular Rule 25)
    • contains information on when the policy was previously updated (iteration numbers and dates of previous iterations required under Rule 25(6)(c))
  • review the eHealth policy annually (as required under Rule 25(6)(c)) to ensure the policy’s relevance and accuracy. HPOs should also review the policy if any new material or changed risks are identified
  • accurately and consistently reflect obligations under the Privacy Act (in particular APP 11), the PCEHR Act and the PCEHR Rules (specifically Rule 25) to protect personal information when staff access the eHealth system
  • include a process for destroying eHealth system document and record codes
  • if the GP clinic has not already done so, record the different levels of individual staff access to their ICT systems including access to the eHealth system
  • set out a policy for regularly reviewing passwords/passphrases used to access its ICT systems, including the clinical software system and ensure passwords are regularly changed and sufficiently complex. Passwords and passphrases should be complex enough so that others are not able to guess them, for example using a combination of letters, numbers and symbols or using passphrases
  • outline a process for dealing with eHealth access related privacy breaches and the handling of any complaints which may arise from these breaches, if the GP clinic has not already done so. Good privacy practice would involve having a policy which addresses all privacy breaches and complaints not just those which relate to eHealth system access
  • include accurate and up to date references to the eHealth system, the Privacy Act and other privacy obligations, in relation to their practice manuals and other policies.

Recommendation 2 — consider restricting access to users of the eHealth system

2.6 To minimise the risk of access without a patient’s consent or without other authority, the assessed GP clinics should consider limiting internal access to personal information in an eHealth record to those staff who are using or intend to use the eHealth system. Each practice should regularly assess staff’s need for access to the eHealth system in light of their use or intended use of the system and clinical needs.

Recommendation 3 — change screensaver settings on computers

2.7 The OAIC recommends that the assessed GP clinics review the settings on computers used to access the eHealth system so that users are required to enter their user name and password to deactivate screensavers.

Recommendation 4 — regular and ongoing privacy and eHealth system access training

2.8 The OAIC recommends that the assessed GP clinics implement a formal training program where all staff requiring eHealth system access undergo regular and ongoing privacy and eHealth system access training.

Recommendation 5 — record all eHealth system training

2.9 The OAIC recommends that the assessed GP clinics establish and maintain a record of instances where individual staff members have received and completed internal or external privacy and eHealth system access training.

Recommendation 6 — annual risk assessments into eHealth system access

2.10 The OAIC recommends that the assessed GP clinics:
  • confirm whether through their accreditation or some other method that they undertake a risk assessment into their ICT systems and that it includes an examination of privacy and security risks associated with eHealth system access
  • consider conducting a risk assessment into ICT security and eHealth system access every year to complement the risk assessments that may be undertaken, including as part of the practice accreditation process, when they occur
  • document all risk assessments appropriately.
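Recommendation 3 above is the one finding that maps directly to a machine setting. As an added example (not part of the article or the OAIC report), this PowerShell check assumes Windows workstations, which the report does not state, and reads the Group Policy and per-user screensaver values to report whether the screen locks within a threshold and requires a password on resume:

```powershell
# Added audit helper for the screensaver finding (Recommendation 3).
# Assumption: Windows workstation; the OAIC report names no platform.
# The three values are stored as strings ("1", "600"), hence the [int] cast.
param([int]$MaxTimeoutSeconds = 600)

$paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',  # GPO-enforced values win
    'HKCU:\Control Panel\Desktop'                                        # per-user setting
)

function Get-ScreenSaverSetting {
    param([string]$Name)
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # value not configured anywhere
}

$active  = Get-ScreenSaverSetting 'ScreenSaveActive'     # 1 = screensaver on
$secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'  # 1 = password required on resume
$timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'    # idle seconds before it starts

$findings = @()
if ($active -ne 1) { $findings += 'Screensaver is not enabled' }
if ($secure -ne 1) { $findings += 'Screensaver does not require a password on resume' }
if ($null -eq $timeout -or $timeout -gt $MaxTimeoutSeconds) {
    $findings += "Screensaver timeout ($timeout s) is unset or exceeds $MaxTimeoutSeconds s"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME locks after $timeout s and requires a password"
} else {
    Write-Output "FAIL: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it under the account that actually uses the clinical software, since both registry paths are per-user; a PASS for an administrator profile says nothing about the receptionist's login.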
Here is the separate link to the System Operator Annual Report:
So the system operator really did not highlight that 7 out of 7 practices failed the audit of their security around access to the PCEHR.
The obvious recommendation - not made - is that all practices need to be regularly audited so they know security is taken seriously and will be closely watched!
The people running the PCEHR and setting policy clearly just don’t care and are waiting for the complaints that will start rolling in - once people are opted in and practices are under more pressure to access the system.
Just hopeless!
David.
