The following is a draft short article for a Health Magazine - Comments welcome.
-----
It is quite clear, and very well known, that individuals who entrust their private information to clinicians and organisations have a high level of expectation regarding the protection of the privacy and security of that information. Individuals and organisations that do not meet those expectations can expect to suffer substantial reputational, if not also financial, damage.
In the last few months there have been a few incidents that have served to remind both practitioners and hospitals that it is important to be really careful with their patients' private health information.
One spectacular recent health-related breach occurred when a Queensland general practice had its patient records accessed and then encrypted by a foreign hacker, who then demanded a ransom to give back the information. A bad few days followed, as the practice suddenly had to revert to paper records because - sadly, and incompetently - the practice lacked a recent backup of its patient data. [1] According to Medical Observer the Queensland Police were aware of 11 similar attacks on practices in 2012. [2]
On the broader front, a recent report from the Commonwealth Privacy Commissioner indicates that there were 46 breach notifications in 2011-2012 - and this figure was reached without any current legislation requiring breach reporting. Organisations as large as Sony, Telstra and Dell Australia have all recently been investigated by the Commissioner for significant breaches. [3]
Usefully, there has been a recent survey of patient attitudes and expectations regarding health information security and privacy. I published a blog with links to reports that summarised attitudes to electronic health record security in both the US and the UK. On the safe assumption that the Australian public would hold similar views, we can be pretty confident that well over 80% of the population have high expectations for the security of their information - especially where the information held contains details of illnesses and conditions whose disclosure may result in prejudice and discrimination. [4]
With that background it is important to realise that holders of health information have a range of responsibilities - noting that the same principles apply to both hospitals and office-based practices. First, and key, they have a responsibility to ensure that health information is not accessed by those who should not have access, and also that the same information is indeed accessible to those who have a genuine need for access. Second, they have a responsibility to preserve the existence and integrity of the information, so that it is available when needed by an authorised individual and is not in any way altered or corrupted (this means that regularly tested backups must be made of all sensitive patient information, and that these backups must themselves be protected). Third, there is a responsibility, when information is being transferred or shared, to ensure that the path by which it is shared is similarly reliable and secure (lost backup tapes, disks and laptops holding unencrypted information account for many of the breaches where thousands of individuals are affected).
In recent years the provision of technology solutions that meet these broad principles has been made increasingly difficult by some technology trends. The first and most important is that most holdings of health information are no longer functionally isolated, due to the pervasive intrusion of internet connectivity. Back when such holdings were kept on standalone computers with no network connectivity, securing the information was considerably simpler than it is now: it was clear where the information was held and who controlled it, and access could be managed with a high degree of rigour. Further complexity has emerged in the last few years, with the location of at least some information becoming very blurred as the use of ‘cloud computing’ techniques (which reduce the cost of computer processing and storage) widens and more and more information is stored in the nebulous and location-non-specific cloud. Additionally, with the widening use of internet-enabled portable devices (phones and tablets), the locations from which information is accessed are vastly increasing in number, making information and access security that much harder. Both cloud computing and the wider deployment of mobile devices are seen as making the health information security challenge harder. [5]
If we accept that it is the responsibility of all health care providers to properly protect and secure health information from breach and unauthorised leakage, then a few questions arise. I will address these in turn.
Health Information Risks.
The first is to understand how and why health information is, or can be, compromised. Recognising that compromise of electronic information is surprisingly common (and causes real costs [6]) is a first step. To quote a recent article:
“According to Australia's Computer Emergency Response Team (CERT) 2012 Cyber Crime and Security Survey Report in February, 20 per cent of Australian businesses were the subject of hacking or other cyber-attacks last year.
The most serious involved the use of malicious software including ransomware and scareware, which extort payments for the return of data; trojan or rootkit malware, which lodge in the company's systems to steal information; theft or breach of confidential information; and denial-of-service (DoS) attacks.” [7]
Although detailed statistical breakdowns are not available for Australia, there is considerable evidence that - other than the malicious hacking described above - many breaches are due to insider misbehaviour and stupidity (losing unencrypted information on laptops, or keeping passwords on Post-It Notes beside the computer) and occasionally just bad luck (couriers losing backup tapes etc.).
In terms of information loss there is little doubt the biggie is not having a properly developed information backup program, one which includes regular testing of the backup systems to ensure the backed-up information is actually recoverable! Second to this is not having a reasonably recent backup genuinely off-site to protect against theft, fire, flood and the like. It is worth noting that adequate backups are a useful defence against many woes, from equipment failure to computer virus infection etc.
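As an added illustration of the tested-backup point above (example code, not from the article or any practice it describes), here is a small POSIX shell routine that takes a backup, immediately restores it into a scratch directory and compares the result with the source, and can later re-check an off-site copy against its recorded checksum. The directory names and the sample "patient records" are constructed assumptions, and it assumes GNU coreutils (sha256sum, tar, diff).

```shell
#!/bin/sh
# Added example (not from the article): a minimal backup-and-test-restore
# routine that makes the "regularly tested backups" point concrete. All paths
# and the sample records are assumptions/constructed data, not real systems.
set -e

# backup_and_verify SRC_DIR DEST_DIR
# Archives SRC_DIR into DEST_DIR, records a SHA-256 checksum for the archive,
# then restores the archive into a scratch directory and compares it with the
# source. Prints the archive path and returns 0 only if the restored copy
# matches the original; otherwise returns 1 (the backup is not trustworthy).
backup_and_verify() {
    src="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$src" .
    # The checksum lets an off-site copy be checked for corruption later.
    sha256sum "$archive" > "$archive.sha256"
    # Test restore: unpack into a fresh scratch directory, diff against source.
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then
        rm -rf "$scratch"
        printf '%s\n' "$archive"
        return 0
    fi
    rm -rf "$scratch"
    echo "FAIL: restored data differs from source for $archive" >&2
    return 1
}

# check_offsite_copy ARCHIVE
# Re-verifies a stored archive against its recorded checksum, e.g. on the
# off-site copy; a corrupted or truncated archive makes this return non-zero.
check_offsite_copy() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Constructed sample data: a tiny fake "patient records" directory.
make_sample_records() {
    dir=$(mktemp -d)
    mkdir -p "$dir/records"
    printf 'id=0001,name=SAMPLE PATIENT,note=constructed test data\n' > "$dir/records/0001.csv"
    printf 'id=0002,name=SAMPLE PATIENT,note=constructed test data\n' > "$dir/records/0002.csv"
    printf '%s\n' "$dir/records"
}
```

A backup that has never been restored is an untested assumption; running the restore step on every backup, and the checksum step on the off-site copy, is what turns it into a defence.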
Compromise Prevention Best Practice.
The second is to consider what might be done by an organisation to prevent such compromise happening in the first place. Here is a list of the major points.
1. Accept that there is a ‘clear and present’ danger and risk of digital information loss, compromise or breach.
2. Develop a plan to address risk. At the very least this plan should cover ongoing staff / user awareness and education, the regular audit of all digital assets, policies for access and use of both fixed and mobile devices, password and other access control policies and so on.
A recent article quoted Brad Marden, Australian Federal Police acting manager for cyber crime operations, as suggesting the following specifics for inclusion in any plan, which he suggested would prevent 85% of breaches. [8]
“1. Application whitelisting
Application whitelisting helps prevent malicious software and other unauthorised programs from running. The whitelist is a list of specific applications that are permitted to run on a given system.
2. Patch, patch, patch (applications and operating systems)
Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, web browsers and operating systems as soon as patches for known security holes are released.
"A lot of data breaches occur on systems that are not protected, and not up-to-date," says Sean Kopelke, director of security and compliance solutions at Symantec.
3. Passwords and privileges
Minimise the number of users with administrative privileges. Also, check the identity of visiting technicians and change passwords when they leave.
4. Develop information policies
You should treat information in the same way on each platform or device, says Kopelke. "It sounds simple, but implement policies around securing information, not the devices. It is irrelevant where information is stored; the policy on how it is protected should be the same."
5. Educate staff
Often the weakest security link is the human link. Educate staff about how to handle confidential information. Teach them how to assess whether someone who rings asking for information is legitimate and to suspect all emails, links and attachments.
6. Rethink social media
The AFP goes a step further and recommends implementing policies banning employees from accessing social media sites at work, as these sites can allow malware to infiltrate company systems. Many security companies, however, recommend mitigating this risk with specialist applications and security modules to accommodate social media in the workplace.
7. Report
As far as security breaches go, Marden finds it strange that organisations don't report cyber compromises, but they do report burglaries. Australia does not have mandatory breach disclosure laws as is the case in the US.”
Not mentioned here - but also certainly worth considering - is the issue of Data Breach Insurance, which is increasingly available and makes some sense if handling sensitive information.
Legislative and Ethical Requirements.
The third is to understand clearly just what is required by best practice and legislation.
As indicated above, there is a clear expectation on the part of the public that their health information will be kept both secure and private. In response to the public requirement for information privacy - with respect to all sorts of personal information (financial, health etc.) - a range of legislation has been passed over the years.
At the time of writing Australian legislation is in a state of flux, with some major changes to the foundational Commonwealth Privacy Act (1998) having been passed last year (2012) and legislated to come into effect in March 2014. [7] The modifications harmonise the Privacy Principles, widen the scope of organisations covered by the act, change a range of credit reporting laws and also toughen the enforcement regime.
There is a dedicated web page covering the changes which can be found here:
The biggest change relevant to the health sector is the move from the National Privacy Principles to a new set of unified Australian Privacy Principles (APP), which happens in March 2014. Health information privacy being a little different, there are some specific use cases defined in which health information can appropriately be collected, used and disclosed. All those involved in handling health information (in any form, both paper and electronic) would be well advised to review their present and future obligations. The general web site is found here:
The Commonwealth Privacy Commissioner (who is a key part of the Office of the Australian Information Commissioner (OAIC)) also has a role in the administration and enforcement of the special legislation developed to cover the privacy aspects of the Health Identifier Service and the Personally Controlled Electronic Health Record (PCEHR), where there are some quite strict rules for breaches and significant penalties available.
Sadly, there would recently appear to have been major staff losses within the Office of the Privacy Commissioner, so there are some doubts as to just how effective the enforcement regime will be going forward.
The ethical situation when handling sensitive private information …..
Information Sources.
Lastly, it is important for organisations to know where help can be sourced.
The key resource provided by Government to manage cyber-attacks and infiltration is, at present, CERT Australia (Computer Emergency Response Team). They provide a useful web site here:
In due course CERT Australia is to become part of an expanded Australian Cyber Security Centre which was announced by the Prime Minister in January 2013. [9]
There is guidance available on how information compromise and leakage should be addressed, found at this link, which is part of the Office of the Australian Information Commissioner's site.
Additional information which might assist smaller organisations (especially medical practices) in preparing for and preventing information security problems is available from the Royal Australian College of General Practice (RACGP) web site. The following link provides a very useful set of freely available resources:
These three sites will provide a useful start for any organisation wishing to assess their current and desirable future state in securing the sensitive information they hold.
In summary, patients expect their private health information to be managed securely and appropriately, in the context of current and future legislative privacy and information protection requirements. Not paying proper attention to these issues invites both reputational and financial damage - to say nothing of the potential damage to patients.
Finally, this headline from Wired Magazine puts the risk in clear perspective - it is not a matter of if, but when!
World’s Health Data Patiently Awaits Inevitable Hack
- By Daniela Hernandez
- 03.25.13
See here for the article.
The next step is yours!
References.
-----
David.