This yarn appeared a few days ago.
How two British shark victims posed a challenge for Queensland patient confidentiality
By Lucy Stone
November 24, 2019 — 9.33pm
Confidentiality "flags" were placed on the private medical records of two British shark attack victims treated at Mackay Hospital, warning curious staff they should only access the records for valid medical reasons.
The incident was one of several case studies presented to the Crime and Corruption Commission’s public hearings for Operation Impala, investigating the misuse of private data in public organisations.
Mackay Hospital and Health Service’s executive director of people, Rod Francisco, gave evidence to the hearings last week, detailing his concerns about the broad level of access to patient medical data in the integrated electronic medical record (ieMR).
The ieMR enables clinicians to view a patient's medical record from any of the 14 Queensland public hospitals in which the software has been installed.
Questioned by counsel assisting the CCC Julie Fotheringham, Mr Francisco said the broad access of data was a risk that Mackay HHS had not fully understood in the lead-up to the software’s rollout there about two years ago.
"The greatest risk from my perspective is that staff can do things that they shouldn't be doing," Mr Francisco told the hearing on Tuesday, November 12.
"In some systems that we have, a person can look at everything. And I think that's the greatest risk, that they can look at everything, whether they need to or not."
Queensland Health director-general John Wakefield also gave evidence at the CCC hearings, saying the end of paper-based records had been a "revolution" saving thousands of hours of administration and patient time and frustration.
Dr Wakefield said privacy breaches on the ieMR were "thankfully rare", but when they do occur, they "undermine our public trust and our reputation for being custodians of probably the most precious information that citizens hold".
He said the ieMR had "dramatically improved our ability to deliver the sort of healthcare outcomes that our community and our patients tell us they want and, indeed, expect".
"I think it is not hyperbole to suggest that lives depend upon access to this information in a very timely way for the people who need to have it to help those people, particularly where time criticality matters in emergencies," he said.
One option to reduce the number of potential breaches could be to remove the access of administration staff to the ieMR, Mr Francisco suggested.
"You physically can’t lock some information down. So you can lock a specific record down, but generally, the people can access any data they choose to look at," he said.
Lots more here:
With a little research it becomes clear this is a known issue.
See here:
'Flawed' privacy in Queensland Health's electronic medical record, expert says
By Lucy Stone
February 1, 2019 — 11.08am
A "very strange model" allows all Queensland Health clinicians to edit the medical data of all patients in public hospitals that have the integrated electronic medical record installed, a leading health law expert says.
Queensland University of Technology innovation law professor Matthew Rimmer said it appeared the $600 million electronic medical record project had a “whole host of issues”.
Dr Rimmer, who specialises in intellectual property and public health, questioned why clinicians working in any of the state's digital hospitals could view any patient's record and edit all aspects, including medication prescriptions.
“That seems a terrible approach, surely one would want to engage in data minimisation,” he said.
An Australian Medical Association Queensland letter to Queensland Health director-general Michael Walsh, dated September 2018 and seen by Brisbane Times, warned that clinicians were seriously concerned about the statewide access.
"Clinicians are concerned that write access to medication charts outside their immediate hospital can result in adverse events," the letter reads.
"For example, a doctor from Princess Alexandra Hospital had prescribed heparin on a patient in Mackay ICU who was also on other blood thinning agents, resulting in the patient bleeding and coming to harm."
The letter says the Mackay Hospital's medication safety committee had been "inundated with incidents" due to difficulties prescribing medications such as insulin and heparin, a blood thinner, through the integrated electronic medical record (ieMR), and other medications have gone missing from the system.
In one instance a clinician calling the ieMR helpline because oxytocin "went missing from the system" was told to prescribe an alternative drug, when there was none available.
"System wide 'upgrades' have also resulted in alerts to all ieMR sites about patient safety risks on the medication module and an order to revert to using paper with little notice," the AMAQ letter says.
The letter cites an alert issued on April 11, 2018, which warned of urgent patient risk.
Vastly more is found here:
Surely it can’t be too hard to have both ways of flagging patients who need enhanced privacy and to prevent staff from browsing patients other than those they have some genuine role in delivering care for. Patient data should be able to be accessed by their care team and those the care team gives access to for consultation as well as those involved in handling of test results and so on. Equally nursing staff on the ward need access but surely not from the whole hospital or other hospitals.
I sense this is the outcome of a rushed implementation – and it really is not good enough on any score, allowing that the fine details of what changes are made need to mix practicality and protection of privacy. The system also needs to very fully track and control who can alter and add to records.
What do others think?
David.
Two things:
1. "Confidentiality "flags" were placed on the private medical records of two British shark attack victims treated at Mackay Hospital, warning curious staff they should only access the records for valid medical reasons."
Why is "only access the records for valid medical reasons" not the default? Backed up with training and penalties for breaches.
2. If data from a patient's myhr has been downloaded into their "private medical record" anyone can see it with no audit trail.
From the ANAO review:
"Shared cyber security risks from the broader My Health Record system
3.70 ADHA assessed shared cyber security risks potentially posing ‘high’ to ‘very high’ residual risk to the My Health Record system.
3.71 ADHA conducted assessments of shared cyber security risks but did not appear to focus on potential consequences to vendors, healthcare providers and healthcare recipients. Shared risk assessments considered all key stakeholder groups — the NIO, Services Australia, software and mobile application vendors, healthcare providers and healthcare recipients — however primarily focused on consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure."
Recommendation #1 of the ANAO review:
"ADHA conduct an end-to-end privacy risk assessment of the operation of the My Health Record system under the opt-out model, including shared risks and mitigation controls, and incorporate the results of this assessment into the risk management framework for the My Health Record system."
Could the reason why the ADHA has not conducted an "end-to-end privacy risk assessment" be because they already knew what it would say and didn't want an assessment that said as such to exist?
Rushed implementation, based on biased procurement founded on poor design wrapped in a culture of engage but don’t listen is probably the case.
Managing all the various risk flavours and complicated nature of mitigation may be hard but ignoring the issue or dismissing it is simply compounding the problem.
Identifying risk and applying controls to mitigate can become challenging in a multi-dimension risk environment.
Information security risk = hard
Privacy risk = hard
Clinical safety = hard
Information + privacy = very hard
Information + clinical safety = very hard
Information + clinical + privacy = pardon my French
Don’t have the answer but seems little is being done to even start the conversation
Information + clinical + privacy = pardon my French
That's why security 101 says, only collect data if you really really need it. The ADHA has no need for My Health Record data. They just have a want.
Want != need.
Want without need is greed.
11:26 just what is the right ‘information’? When applying controls what is traded off! Clinical safety? Or Privacy or Security of data?
Oh and ADHA and MyHR are just two bullfrogs in a large swamp. There are more important things to do than worry about those distractions.
5:42 PM just what is the right ‘information’?
The Federal government has no right to an individual's health information.
The article is about Qld Health, not the Federal Government. All I am saying is there are many hidden threats when you look at a multifaceted risk landscape such as health through a single discipline. It is likely your mitigation to your perceived risk results in complications for others.
What is the trade-off? Your privacy, security and safety?
If anyone knows of studies into this I would be very interested.