This appeared a few days ago.
Lessons to be learned from the OAIC’s security assessment of St Vincent’s hospital
Blog IP Whiteboard
King & Wood Mallesons
Australia July 30 2015
Last month the Office of the Australian Information Commissioner (OAIC) issued a privacy assessment report of St Vincent’s Hospital Sydney Limited (St Vincent’s).[1]
The Privacy Commissioner has the power to carry out assessments under section 33C of the Privacy Act in order to determine whether an organisation is complying with the Australian Privacy Principles (APPs) and other relevant requirements under the Act. Assessments are seen as an educative process as well as a compliance mechanism, and the results reported by the OAIC serve as a useful indication for other organisations as to the Commissioner’s view of the standard of compliance required under the APPs. These assessments supplement the more formal guidance that the Commissioner has already made available, such as guidelines on the APPs and on information security matters.[2]
The primary purpose of the particular assessment carried out on St Vincent’s was to determine whether St Vincent’s had satisfied the requirement under APP11 to take reasonable steps to protect the personal information in its possession from unauthorised access, modification or disclosure. In particular, the assessment looked in detail at the access security controls used by St Vincent’s in relation to information stored in its electronic health record system (eHealth system). The Commissioner’s report made four key recommendations (all of which were accepted by St Vincent’s), from which other organisations can learn useful lessons:
Recommendation 1 — Update security and access policies
St Vincent’s had a security and access policy in relation to the eHealth system. However, the policy was considered by the Commissioner to be inadequate because it did not include information about St Vincent’s obligations under the Privacy Act and did not include guidance for staff on security measures they should take to protect patient privacy when accessing the eHealth system. This information was available in other documents that St Vincent’s had produced, but was not available in a single consolidated form.
The Commissioner recommended that the security and access policy be updated to reference relevant privacy compliance requirements, and append all relevant compliance guidelines.
Lessons to learn: Organisations should ensure that security and access policies for their key IT systems include information on relevant privacy obligations and that all guidance on security compliance processes is consolidated in a single guide or manual. Ideally staff should have a single “bible” or “authoritative source” in relation to privacy compliance matters, so that they know where to turn for guidance on these issues.
Lots more here:
or here for the original post:
All four recommendations have considerable implications for training, monitoring of staff and ongoing assessment of the risk of potential harm.
What is totally clear in all this is that privacy protection is an ongoing and continuous process that requires diligence and care on behalf of both staff and management - as well as appropriate education and training, written policies and sensible sanctions for breach.
An ongoing problem!
David.
1 comment:
Interesting point about the access log issues. We routinely ask for access to be logged when building requirements for a new implementation, but most vendors provide no tools to analyse or summarise these logs. Most logs are simply a long, intimidating text file that must be analysed with Excel or something similar.
These days it is possible to provide some intelligence behind this process, such as automatically flagging staff "browsing" multiple patient records. However, vendors seem reluctant to do this, either because "we have not been asked for it" (incorrect: we ask for it constantly) or, more likely, through a lack of understanding of the background to this issue.
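The kind of "browsing" detection the commenter describes, run over a sample access log, as an added example that is not part of the post or the comment: the log format, staff and patient identifiers, the 10-minute window and the threshold of five distinct records are all constructed assumptions, not St Vincent's own system or figures.

```python
"""Flag 'browsing' in an eHealth access log: staff who open many distinct
patient records within a short time window. Added example; the log format,
identifiers and thresholds below are constructed, not from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp|staff_id|patient_id|action"
SAMPLE_LOG = """\
2015-07-01T09:00:05|nurse01|P1001|view
2015-07-01T09:01:10|nurse01|P1001|update
2015-07-01T09:02:00|clerk07|P2001|view
2015-07-01T09:02:30|clerk07|P2002|view
2015-07-01T09:03:00|clerk07|P2003|view
2015-07-01T09:03:20|clerk07|P2004|view
2015-07-01T09:04:00|clerk07|P2005|view
2015-07-01T09:04:40|clerk07|P2006|view
2015-07-01T11:30:00|nurse01|P1002|view
2015-07-01T14:00:00|nurse01|P1003|view
"""

def parse_log(text):
    """Parse the pipe-delimited log into (timestamp, staff, patient, action), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, patient, action = line.split("|")
        events.append((datetime.fromisoformat(ts), staff, patient, action))
    events.sort()
    return events

def flag_browsing(events, max_patients=5, window=timedelta(minutes=10)):
    """Return {staff_id: (window_start, distinct_patients)} for each staff member
    who accessed more than max_patients distinct records inside any sliding window.
    The reported tuple is the window with the highest distinct-patient count."""
    by_staff = defaultdict(list)
    for ts, staff, patient, _ in events:
        by_staff[staff].append((ts, patient))
    alerts = {}
    for staff, accesses in by_staff.items():
        recent = deque()            # (ts, patient) events still inside the window
        counts = defaultdict(int)   # patient -> number of accesses inside the window
        for ts, patient in accesses:
            recent.append((ts, patient))
            counts[patient] += 1
            while recent and ts - recent[0][0] > window:   # expire old events
                old_ts, old_patient = recent.popleft()
                counts[old_patient] -= 1
                if counts[old_patient] == 0:
                    del counts[old_patient]
            if len(counts) > max_patients:
                best = alerts.get(staff)
                if best is None or len(counts) > best[1]:
                    alerts[staff] = (recent[0][0], len(counts))
    return alerts
```

Tuning the window and threshold to a role (a ward clerk legitimately opens more records than a visiting specialist) is what turns this from a raw log into something a privacy officer can act on.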