Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Thursday, March 01, 2018

Your Last Warning - The Data Breach Penalty Regime Is Now Operational And Coming For You!

This appeared last week and carries a rather ominous warning…

Data breach law: 60% of businesses 'unaware of basics'

Nearly 60% of Australian businesses are not aware of the details of the data breach law that takes effect on Thursday, a survey by GfK Australia for imaging solutions provider Canon claims.
Additionally, the survey, named the Business Readiness Index, found that small businesses, in particular, were seen to be least concerned about data security, stemming from a lack of awareness where only one in five (19%) were conscious of, and prepared for, the new regulations.
The survey was conducted in January and gathered insights from 400 key decision-makers from the business and IT communities. It aimed to gauge Australian businesses' existing information security practices, and determine their preparedness and ability to comply with the Data Breach Notification obligations.
“Third-party suppliers present a cyber security blind spot for many businesses. A business’ security posture doesn’t solely depend on its own efforts," said Gavin Gomes, director of Canon Business Services.
Internally, a business could be a fortress, but the walls could come crashing down if a supplier’s security measures aren’t as robust – this should be number one on every boardroom’s agenda at the moment."
Gomes pointed out that small businesses were seen as the engines of Australia’s economy.
"The fact that one in two are only ‘slightly’ or ‘not at all’ concerned about potential upcoming breaches is in itself a red flag," he said.
"In the short run, this makes them the ideal backdoor entry point for cyber criminals angling for prized data and revenue from larger enterprises. Longer term, the implications can include missed opportunities worth millions – be it lost contracts or irreversible reputational damage."
Other key findings of the survey:
  • Across the board, technology was seen as the biggest vulnerability, with 44% of risk attributed. Larger businesses had a more balanced view of their risks, but small businesses attributed 53% of the risk to technology, and only 25% to people and 22% to policies and processes.
  • Only 40% of the businesses surveyed had implemented six or more of the Australian Signals Directorate Essential 8 and just 18% reported implementing all of these steps. Twelve percent of small businesses had no strategies in place.
  • Average days that organisations took to detect a data breach was 24.7.
  • Daily back-up of important data was the most widely implemented cyber-risk mitigation strategy, but print security was often neglected.
  • The top five security incidences that occurred in Australia in the last 12 months were: viruses, spam, malware/spyware, phishing, ransomware.
  • Where there’s room for improvement:
    • Only 56% have been assessed for security risk management;
    • Only 40% have their printers secured;
    • Only 56% have a cyber security policy; and
    • Only 55% invest in security training.
  • Half thought their data security spend would increase once the new legislation took effect.
"When it comes to ovrall security, ignorance is no longer bliss. According to the Index, it reportedly takes nearly a month (24.7 days) on average for a security breach to even be detected – whether it’s seemingly innocuous spam, or insidious ransomware," said Sop Chen, general manager of Managed IT and Security Services at Harbour IT, a Canon Group company.
More here:
All individuals who handle health information, no matter what their size, fall under the legislation.
There is a primer here:

Data breach preparation and response

19 Feb 2018
Description
Strong data management is integral to the operation of businesses and government agencies worldwide. Digital platforms and technologies that utilise user data to provide personalised products or services have proliferated across communities and industries. At the same time, data analysis has been widely recognised for its value as fuel for innovation that can benefit the community in unprecedented ways, including identifying gaps in services, revealing needs for new or different products, and enabling better-informed policy-making.
In this environment, the success of an organisation that handles personal information or a project that involves personal information depends on trust. People have to trust that their privacy is protected, and be confident that personal information will be handled in line with their expectations.
As we’ve found in our long-running national community attitudes to privacy survey, if an organisation does not demonstrate a commitment to privacy, people will look for alternative suppliers, products, and services.
One of the biggest risks organisations face in this context is a data breach. A data breach involving personal information can put affected individuals at risk of serious harm and consequently damage an organisation’s reputation as a data custodian.
However, it is important to recognise that consumer and community trust is not necessarily extinguished immediately after a data breach occurs. After all, history has shown us that even organisations with great information security can fall victim to a data breach, due to the rapid evolution of data security threats and the difficulty of removing the risk of human error in large and complex organisations.
When a data breach occurs, a quick and effective response can have a positive impact on people’s perceptions of an organisation’s trustworthiness. That is why being prepared for a data breach is important for all organisations that handle personal information.
By an ‘effective’ response to a data breach, I mean a response that successfully reduces or removes the risk of harm to individuals, and which aligns with legislative requirements and community expectations.
This guide aims to assist you in developing and implementing an effective data breach response. It outlines the requirements relating to data breaches in the Privacy Act 1988 (Cth) (Privacy Act), including personal information security requirements and the mandatory data breach reporting obligations of the Notifiable Data Breaches (NDB) scheme. The guide also covers other key considerations in developing a robust data breach response strategy, including the key steps to take when a breach occurs, the capabilities of staff, and governance processes.
While this guide is primarily for Australian Government agencies and private sector organisations with obligations under the Privacy Act, the information provided is useful to any organisation operating in Australia. Taken holistically, the information provided in this guide provides a framework for meeting expectations for accountability and transparency in data breach prevention and management, which is key to maintaining and building consumer and community trust.
Publication Details
Copyright: Office of the Australian Information Commissioner (OAIC) 2018
Language: English
License Type: CC BY
Subtitle: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)
Published year only: 2018
Here is the link:
Here is a GP orientated immediate action plan.

There's been a data breach — here are your next four steps

21 February 2018

SMART PRACTICE

Mandatory data breach notification is finally here. All private sector organisations holding health information, regardless of their size, will be affected by these changes to the privacy legislation that come into force on 22 February.
Maintaining the privacy of health information has always been central to the relationship of trust and confidence between doctor and patient. In addition, there can be significant penalties for breach, as well as the potential for negative publicity and damage to a person’s reputation. Unfortunately, as the Australian Red Cross Blood Service discovered in 2016, data breaches can still happen in the best organisations and despite your best efforts, you may experience a breach.
While it is hoped you will never find your patients’ details on a public website, even a single breach of patient privacy has the potential to cause serious harm and may be notifiable. You do need to think about how you would respond if, for example, you discovered patient details had accidentally been disclosed; results had been sent to the wrong person; or a staff member had inappropriately accessed patient records.
Responding to a data breach involves four steps, which do not necessarily occur in order. You need to:
  1. Contain the breach and make a preliminary assessment
  2. Evaluate the risks and likelihood of harm
  3. Notify as necessary
  4. Prevent future breaches
The details are here:
You have been warned!
David.

34 comments:

Anonymous said...

Has the OAIC been funded adequately to effectively handle as many cases as this?

Anonymous said...

It is quite apparent they have not. Notifications will be lost in the pile. Canberra has become focused on themselves not the job they are trust with to do.

I note in Pulse this morning Timmy is touting a September conscription. Advertising will take place. That is if Turnbull can hold thing together that long

Anonymous said...

In Pulse "And contrary to some erroneous media reports, there will be a paid advertising campaign to support the initiative, backed by a communications strategy aimed at healthcare providers."

The media reports were probably quite correct - there was no intention to have a paid advertising campaign. There will now, because of the reaction.

I haevn't read any more - I don't pay to read that website.

Anonymous said...

Opt-out by 1 Sept?

That's assuming there's anyone left in ADHA.

Anonymous said...

March02, 2018 9:31AM. It would be interesting to see if staff levels, turn-over and capabilities are included in a Board level risk. In an open and transparent ADHA these would be visible as would efforts to manage and mitigate. The turn over of staff would be a useful performance indicator for this apparent focus the CEO has on the ADHA culture. It might also be a useful tool to determine if the ADHA is able to attract and retain the right skills in important specialists roles. Is the ADHA able to compete for this skills against the Jurisdictions and private sector?

The board would do well to look into it and determine what areas if any have high turnover of staff and what or who might be the root cause.

After all the consequences of a stuff up are considerable to citizens conscripted into the MyHR. The last thing we need is to end up having to rely on an HR manager running a complex high profile IT project let alone the MyHR optout

Anonymous said...

That 8:20 PM is a very reasonable request. I would be very interested in the ADHA ability to support the move to opt out and operate the system. I think that is the least we can expect as finders and users.

Anonymous said...

My GP ordered blood and heine tests for my 6 monthly diabetes review. I have a My Health Record. I was amazed to see the following instruction printed on the pathology request form "Do not send results to My Health Record".

Anonymous said...

9:19 AM .... the following instruction printed on the pathology request form "Do not send results to My Health Record".

Correct. If your dr didn't tick the box the results would be sent if you have a MYHR. However, if you ticked the box when you had your blood taken he results would not be sent.

The only way govt can ensure results ARE SENT to your MYHR is to legislate to make it an offense not to send them or financially penalise drs (w\through ePIPs) if they don't send them although that would be nigh on impossible to monitor and enforce.

This looks like another example of not thinking through the problem to be solved.

Bernard Robertson-Dunn said...

"This looks like another example of not thinking through the problem to be solved."

That's the default for myhr.

Which is why it will not be widely adopted - it doesn't solve any problem it just creates more problems e.g. GP's would have to manage two health record system, one, myhr, not designed to do anything for the GP putting the data in. In fact, if lots of data were put in, it would make it easier for a patient to move to another GP.

Why would a GP make it easier for a patient to move?

Anonymous said...

By default the box "Do not send results to MyEHR" must be unticked by default. Thats the ADHA rules. I pity their new doctor being faced with hundreds of pdfs when a patient moves as most of it will be rubbish and take a long time to view.

Anonymous said...

I assume that as I will opt out any reports of mine sent to the MyHR will receive a bounce back? How do you check that your record has not been created and a library of identifiable information is not being collected and access to that information remains outside my control?

Seem to me the only way is either to sign up to check (which would opt me in) or ask the checkout person at some random pharmacy to confirm

Anonymous said...

The simple answer Anon 7:56 AM is you won’t know. There are conflicting statements on whether a record is created and is simply not visable to you but is their in case you change your mind. The MyHR is the placebo of our time.

Anonymous said...

A view from inside the Sydney office is that the ADHA is headed for a meltdown. One executive is leaving and rumour has it she is not alone. Our staff turnover is quite high, especially in key operational areas. This maybe simply a natural occurance but the ADHA is loosing a lot of experienced people and an ability to understand all the moving parts in digital health.

The sooner MHR is handed over to DHS to operate the better for all.

Anonymous said...

@9:10 AM There is absolutely nothing to be gained from handing over management and control of a poorly architected failed system to the DHS which has more than enough problems of its own managing and redeveloping Centrelink and other IT systems. BTW DOH and DHS divested themselves of the MyHR and ADHA mess and have no inclination to get embroiled again. Vale MyHR, ADHA, Tim Kelsey.

Bernard Robertson-Dunn said...

"The sooner MHR is handed over to DHS to operate the better for all."

My experience of DHS is that they are pretty good at what they do. They refused to go along with the whole of government outsourcing debacle in the late 1990s and were eventually shown to be justified when the initiative was unceremoniously dumped.

I'd be surprised if they bought into something that smells so badly as myhr. They are already trying to work out how to get off the Model 204, a not insignificant and highly risky project.

Dr Ian Colclough said...

David, Bernard and other commentators on this blogspot I am beginning to wonder, not whether anything can be done or even what can be done to rectify the deep seated problems that are now so clearly embedded in the ADHA and the MyHR, but rather how can something be done?

That lead me to wonder whether those who have been so critical of the ADHA and the MyHR (including ANON commenters) would be prepared to put their names on a carefully constructed and objective letter to the Health Minister / Prime Minister?

If so the first step I suggest might be to send your name confidentially to David to collate as a first step in order to determine whether such a letter would likely be given serious and genuine consideration.

Anonymous said...

@9:53 PM great idea and very timely. What email address should I use?

Anonymous said...

Ian, can I suggest there are three options:

Express our concerns to:
1. The health minister/PM
2. RACGP, AMA etc
3. Both.

If anyone is interested and wants to stay anonymous, co-ordinate via
vivien@vivienharte.com

Anonymous said...

I would be happy to contribute. It is not that the idea of secure sharing of information is the problem, it is more the concept of MHR no longer fits with current and emerging models. I am concerned that as a tax payer The Government is being entrenched in an expensive and constrained technology that will suck the life and money out of National eHealth. The MHR I believe will also constrain policy setting further preventing innovation limiting software developers

Anonymous said...

I would also suggest sending a copy to Tony Abbott as when he was health minister he could smell a rat. Not sure his fix worked, well it didn't, but he is less likely to think everything is fine...

Anonymous said...

I am still not reassured that this project is being brought back on track in terms of patient and professional confidence. A delay without a radical rethink and significant reassurance that well founded concerns have been listened to and robust protection measures implemented is for nought unless used to adjust confidence.
I know that I’m not alone in believing there still remains a road crash crisis of confidence in the MyHR. On the one hand we are being told that the aim of the project is to contribute to the care of patients but it is the management of the sensitivities surrounding the handling of sensitive data that significantly risks the project’s implementation and realisation of those laudable aims.
Will loosely anonymised data capable of being used to help triangulate patient identity continue to be sold to industry for example? Being reassured that the data is secure from hackers when data sets are being provided willy-nilly to industry is not at all reassuring. I know what sort of Commonwealth entity I want to work in and it isn’t one that can’t anticipate the issues and handle sensitive projects from the outset with the sensitivity that is deserved otherwise we end up in the very place we are with an important project critically bruised by a never ending set of botched implementations.
Also, of more concern, is contracts and money being spent of close links and self-indulgences with no transparency at all, which is why I wonder why some are in the position of both promoting transparency and knowing that this is happening right now? Where do these peoples loyalties lie?

There is also the atmosphere in which we have to suffer uncomfortable situations. On one hand we receive emails explaining how great everything is and how yet another culture initiative promoting values and re-education survey is heading our way, while on the other hand we have one and a coupe of cohorts stomp about creating a workplace of fear and uncertainty. Either the Executives are aware or they are promoting this unsettling behaviour.


Anonymous said...

@8:40 PM accept the facts show the project has failed and is unsalvageable and stop fretting about bringing it back on track.

Anonymous said...

8:40 PM that is pretty insightful especially as I get a sense you work in close proximity. As for transparency the ADHA seems all but transparent. I can find scant information and data of what is really going on. Am I suppose to believe the narrative for a CEO and a few obviously scripted stories for random people and organisations under a compact?

There is obviously a culture at the ADHA that sees people (employees and citizens) as little more than expendable pawns there to be used and abused for personal gain.

Anonymous said...

The opt out and MyHR rollout will happen, the ADHA will further distract everyone with this framework for action (or a framework for Timmy talking tour). What everyone should be more concerned with is the drafting of the secondary use. There seems to be some indication that secondary use might be opt out. This is a very worrying development and one that is seemingly being left out of public view.

Anonymous said...

The framework for action - https://frameworkforaction.digitalhealth.gov.au/assets/pdf/FFA-Consultation-Draft-v9-050318.pdf

Looks a lot like NEHTA, I guess it was only a matter of time before we came full circle and realised it is about standards and conformance. Shame they killed off a lot of highly skilled people in the process.

If this is a sample of thing to come we are in for a period of death by power point and lots of speaking void of any real understanding.

Anonymous said...

I am sure the will bully everyone into conforming to their standards, bully the public into mandatory secondary use participation. Seem Tim likes a bullying organisation so it would make sense he would extend that out to dealing with the community.

I did enjoy the ‘My Health Record is an unpredicted platform for innovation. Maybe it should have been a predicted platform for invitation to steal identifiable information.

Bernard Robertson-Dunn said...

Someone please tell me this "framework for action" is a joke. The one thing it certainly isn't is a robust plan or even proposal for government action.

There is no discussion on funding or anything on how it will be paid for by cost reduction or some other mechanism.

No serious government proposal should exist without a cost/benefit analysis and explanation/justification for spending government money. From day one, the myhr initiative has been missing this crucial component. Either there isn't one or the real justification for myhr isn't about improving health care it is something else they don't want us to know about.

The ADHA strategy talks about "Enhancing models of care, changing prescription processes and medicines information, and improving interoperability are some priority areas that will require changes in policy and funding structures"

yet funding is not identified as an issue, never mind how it is to be addressed.

myhr has cost well over $1.7b and counting. It will incur extra costs in GP time. It is not a simple matter of pressing a button and uploading a SHS.

The myhealthrecord.gov.au website says:

"When creating the SHS, the nominated healthcare provider needs to ensure that all aspects of it have been completed and verify the accuracy of the information it contains. In assessing its content, the nominated healthcare provider should take into account other relevant information on the patient’s My Health Record."

Who is paying for this? The patient, when their GP spends time doing this and less time attending to health needs? The government by paying more to GPs so they can extend consultation times?

It's all a big mystery, like a lot of things about myhr.

And I find section 1.2 "Enable the safe and secure use of My Health Record system data" gob smacking.

myhr has been live since July 2012 and there is no "...framework to govern the safe and secure use of My Health Record system data"?

Are these guys for real? This document isn't, it's a fantasy.

Bernard Robertson-Dunn said...

Further to my rant on a lack of attention to the issue of funding, there is another glaring omission.

Anyone who has done even the smallest amount of research (and I hope someone at ADHA has done some) will know that the future of the health care system lies with a patient centric approach.

The framework document doesn't even mention patient centric or patient centred.

I've never seen anything from the Department of Health, NEHTA or ADHA that suggests they have any idea what patient centric might mean.

Patient centric is not "Digital Health" or just drawing a picture with a patient in the middles showing lots of lovely data being stored in one place. It is much more fundamental than that.

The only mention of anything remotely connected with patient centric is this phrase "a collaborative approach to deliver a consumer-centric integrated healthcare ecosystem." in the context of national infrastructure. Now there's a sign it's all about marketing and nothing about reality.

ADHA and its strategy are stuck in the past, trying to automate old practices (and largely failing to achieve even that), although there are some worthy initiatives that would deliver better health outcomes, even if they do not lead to patient centric health care. There is no evidence that ADHA understands what even these worthy initiatives are.

It's like watching children at play.

Anonymous said...

The absence of intelligent insightful investigative journalism has enabled Health Ministers to turn a blind eye, bureaucrats to avoid being accountable and the ADHA to say and do whatever they want. Where have the quality investigative health IT journalists gone?

Anonymous said...

AnonymousMarch 08, 2018 9:16 AM

The issue is not that the ADHA HR unit does not have the ability or skill set to mediate, it is that the core issue owns HR, you dare not raise anything especially not regarding the the bullying, harassment and nepotism being conducted nor the very visible abuse of power and delegation of authority. I doubt the HR team could do much even if they wanted to, they it seems get the same treatment. Although not the case in all aspects of ADHA, under that manager, respect and support is never afforded to employees. It is a sad day when the norm is to performance manage the more junior officer, but that sadly seems to be the ADHA way, they have ignored basic APS rules and guidelines and conflicts of interest now prevent change. Without basic communication skills and respect there will never be reconciliation only disharmony. Sadly the bullying and harassment towards by a mid level manager affects many people and creates a broad discomfort across the ADHA. Why incompetence and blatant abuse of power is seemingly endorsed by the CEO and executive is beyond me, perhaps they share in the fear of reprisal.

Anonymous said...

Sounds as though ADHA has a lot in common with the White house - an incumbent with no knowledge or experience of running the sort of organisation they are now in charge of - and possibly with a similar personality - malignant narcissist.

And they both seem to have the same problem with staff turnover.

The same observation can be made of both - they're unsustainable.

Maybe Tim should get that overseas job he's been looking for. That recent meeting of the Global Digital Health Network in Sydney was a golden opportunity for the ambitious. It may well have had a hidden agenda all along. I wonder if Greg Hunt knew what he was really endorsing. So many questions.

Bernard Robertson-Dunn said...

Health has become a $164 billion drag on the economy in the past year alone, dwarfing the potential benefits from the Turnbull government's proposed company tax cuts.
SMH
https://www.smh.com.au/politics/federal/unprecedented-health-costs-the-australian-economy-40-billion-per-quarter-20180308-p4z3e3.html

I wonder if myhr has helped hindered or been totally irrelevant in all this.

It should be a simple matter for ADHA or DHS to analyse the data in myhr and give some sort of perspective.

All they have to do is add up all the Medicare claims and PBS costs (on a weekly or monthly basis) for the 5.5million people who have been registered for a myhr (we all know that being registered doesn't mean they have a current, accurate, useful myhr, but let's leave that aside for a moment).

Then calculate the expenditure rate (i.e. divide the weekly/monthly number by the number of registrations) and graph them.

First look for a trend.

Then go to Medicare who have the data for the other 20million or so people who are not registered and make a comparison.

I would expect ADHA to be shouting out the results if they were in the slightest bit favourable. I'm not holding my breath.

In reality, only about 4% of the 5,5million have anything like a useful SHS so drawing any sort of conclusion one way or the other is likely to be problematic.

Or to put it another way - there is probably no evidence myhr has had any impact one way or another since it went live in July 2012. Not bad for $1.7billion.

The promise of myhr and Digital Health is just that - a promise.

And until the Framework for Action is costed and funded, it will remain a promise.

Anonymous said...

Statistics- you might find this a fun read - https://www.theguardian.com/politics/2017/jan/19/crisis-of-statistics-big-data-democracy

As for ADHA comparison - Tim certainly seems to have some vulnerable parts in the organisation he is trusted to run. Perhaps with MyHR opt out looming he has not the backbone to make change, perhaps it is safer to keep loosing troops than sack a sergeant in the field. Certainly does not look like the corporate plan around organisational excellent sand values is being achieved. Wonder if the Board has a KPI on this for the CEO?

Anonymous said...

Tim has never run a government agency. Has he ever sacked anyone? That sorts the men from the boys.