Patients & Privacy

By ahhb
Tuesday, 02 July, 2013

Look After Your Patients' Electronic Health Information Effectively or Suffer the Consequences
It is clear, and a known community expectation, that individuals who provide their private information to clinicians and health organisations have a high level of trust regarding the protection of the privacy and security of that information. Individuals and organisations that do not meet those expectations can expect to suffer substantial reputational and possibly financial damage, writes Dr David More.
Recent incidents have served to remind both practitioners and hospitals that it is vital to consider carefully the privacy and security of patients' private health information.
One spectacular recent health-related breach saw a Queensland general practice have its patient records accessed and then encrypted by an overseas hacker, who then demanded a ransom for their return. A difficult few days followed: the practice had to revert to paper records because, unfortunately and all too commonly, it lacked a recent and reliable backup of its patient database. [1] According to Medical Observer, Queensland Police were aware of 11 similar attacks on practices in 2012. [2]
On the broader front, a recent report from the Commonwealth Privacy Commissioner indicates there were 46 breach notifications in 2011-12, a figure reached without any current legislation requiring breaches to be reported. Organisations as large as Sony, Telstra and Dell Australia have all recently been investigated by the Commissioner for significant breaches. [3]
Usefully, a recent survey summarised patient attitudes to, and expectations of, electronic health record security in both the US and the UK. On the realistic assumption that the Australian public holds similar views, we can be confident that well over 80 per cent of the population have high expectations for the security of their information, especially where it records illnesses and conditions whose disclosure could lead to prejudice and discrimination. [4]
With that background, holders of health information have a range of responsibilities, and the same principles apply to hospitals and office-based practices alike. First, and most important, they must ensure health information is not accessed by those who should not have access, while keeping it accessible to those with a genuine need for it. Second, they must preserve the existence and integrity of the information, so that it is available when an authorised individual needs it and has not been altered or corrupted in any way (this means regularly tested backups of all sensitive patient information, with the backups themselves protected to the same standard as the live data). Third, when information is transferred or shared, the path by which it travels must be equally reliable and secure: lost backup tapes, disks and laptops holding unencrypted information account for many of the breaches in which thousands of individuals are affected. [5] In security terms these are the familiar goals of confidentiality, integrity and availability.
In recent years, several technology trends have made it harder to provide solutions that meet these broad principles. The first and most important is that most health information holdings are no longer functionally isolated, because internet connectivity is now pervasive. When such holdings sat on standalone computers with no network connection, securing them was considerably simpler: it was clear where the information was held and who controlled it, and access could be managed with a high degree of rigour.
The pre-technological state of privacy was described by Justice Kirby as arising ‘from the sheer costs for retrieving personal information; the impermanency of the forms in which that information was stored; and the inconvenience experienced in procuring access (assuming that its existence was known). Other protections for privacy arose from the incompatibility of collections with available indexes and the ineffective undiscoverability of most personal data. These practical safeguards for privacy largely disappear in the digital age’. [6]
Further complexity has emerged in the last few years as ‘cloud computing’ (which reduces the cost of processing and storage) spreads and more and more information is stored in a nebulous, location-non-specific cloud, so that where at least some information physically resides has become very blurred. At the same time, the widening use of internet-enabled portable devices (phones and tablets) has vastly multiplied the locations from which information is accessed, making information and access security that much harder. Both trends are seen as making the health information security challenge harder. [7]
If we accept, as we must under Australian privacy legislation, that every health care provider is responsible for properly protecting and securing health information against breach and unauthorised leaks, then a few questions arise. I will address these in turn.
Health Information Risks
The first is to understand how and why health information is, or can be, compromised. Recognising that compromise of electronic information is surprisingly common and causes real costs [6] is a first step. To quote a recent article: “According to Australia’s Computer Emergency Response Team (CERT) 2012 Cyber Crime and Security Survey Report in February, 20 per cent of Australian businesses were the subject of hacking or other cyber-attacks last year. The most serious involved the use of malicious software including ransom-ware and scare-ware, which extort payments for the return of data; trojan or rootkit malware, which lodge in the company’s systems to steal information; theft or breach of confidential information; and denial-of-service (DoS) attacks.” [8] Although detailed statistical breakdowns are not available for Australia, there is considerable evidence that, apart from the malicious hacking described, many breaches are due to insider misbehaviour and carelessness (losing unencrypted information on laptops, or keeping passwords on Post-it notes beside the computer) and occasionally just bad luck (couriers losing backup tapes and the like).
In terms of information loss, there is little doubt the biggest failing is not having a properly developed backup program, including regular testing to confirm that the backed-up information can actually be recovered. Second to this is keeping a reasonably recent backup genuinely off-site, and not permanently connected to the practice network, to protect against theft, fire, flood and the like; malware that encrypts the live database will just as happily encrypt a backup drive that is left plugged in. It is worth noting that an adequate backup is a useful defence against many woes, from equipment failure to computer virus infection. Also, to avoid non-compliance with the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which comes into force on 12 March 2014, make sure your backups do not end up in an overseas jurisdiction with a less stringent privacy regime than Australia's: under the new cross-border disclosure principle the practice remains accountable for personal information it sends offshore. In other words, if you are considering a consumer cloud service such as Dropbox, do a lot of research first.
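A minimal version of the ‘regularly tested backup’ the paragraph above calls for, written in Python as an added example; it is not code from the article or from any of the organisations it cites. It archives a constructed sample data directory, records a SHA-256 manifest of every file, restores the archive into a scratch directory and compares what came back against the manifest. It then repeats the check against a deliberately truncated copy of the same archive to show what damaged backup media looks like to the test. The directory names and file contents are assumptions made for illustration; a real run would point `make_backup` at the practice's database export and keep the archive and its manifest off-site.

```python
"""Tested backups: archive the records, record a SHA-256 manifest, restore
into a scratch directory and prove every file came back intact.

Added example, not code from the original article. The "patient database"
files it creates are constructed sample data; paths are assumptions.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large database is not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every regular file under `source` into a gzip tarball and write a
    manifest (relative path -> SHA-256) beside it. Keep the manifest with the
    off-site copy: without it you can only tell that *something* restored."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(str(path), arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def _safe_member(member: tarfile.TarInfo) -> bool:
    """Only plain files with relative, traversal-free names are restored."""
    name = Path(member.name)
    return member.isfile() and not name.is_absolute() and ".." not in name.parts


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a throwaway directory and check every manifest
    entry. Returns a list of problems; an empty list means the backup is
    genuinely recoverable, which is the only test that counts."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                members = [m for m in tar.getmembers() if _safe_member(m)]
                tar.extractall(str(dest), members=members)
        except (tarfile.TarError, OSError, EOFError) as exc:
            # Unreadable media is the classic "we had a backup" failure.
            return [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"corrupted after restore: {rel}")
    return problems


def demo() -> tuple:
    """Build constructed sample records, back them up and verify the restore,
    then verify a truncated copy of the archive (simulating damaged media).
    Returns (problems_with_intact_backup, problems_with_damaged_backup)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "practice-data"                       # assumed layout
        (source / "notes").mkdir(parents=True)
        (source / "patients.db").write_bytes(b"id,name\n1,Jane Citizen\n")  # constructed
        (source / "notes" / "2013-07-01.txt").write_text("consult note")    # constructed

        archive = root / "backup-2013-07-02.tar.gz"
        manifest = make_backup(source, archive)
        good = verify_restore(archive, manifest)

        damaged = root / "backup-damaged.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        bad = verify_restore(damaged, manifest)
    return good, bad


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact backup problems:", intact)    # expected: []
    print("damaged backup problems:", damaged)  # expected: at least one entry
```

The restore-and-compare step is the part most practices skip, and it is the only step that proves the backup is usable. Note that this script does not encrypt the archive; the article's point about lost unencrypted tapes applies to every copy that leaves the building, so encrypt before it goes off-site.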
Compromise Prevention Best Practice
The second is to consider what an organisation might do to prevent such compromise happening in the first place. The major points are:

  1. Accept that there is a ‘clear and present’ danger and risk of digital information loss, compromise or breach.

  2. Develop a plan to address the risk. At the very least this plan should cover ongoing staff and user awareness and education, the regular audit of all digital assets, policies for access and use of both fixed and mobile devices, password and other access control policies, and so on.


A recent article quoted Brad Marden, acting manager of cybercrime operations at the Australian Federal Police, as recommending the following specifics for inclusion in any plan; he suggested they would prevent 85 per cent of breaches. [9]


  1. Application whitelisting
    Application whitelisting helps prevent malicious software and other unauthorised programs from running. The whitelist is a list of specific applications that are permitted to run on a given system.


  2. Patch, patch, patch
    (applications and operating systems)
    Patch applications such as PDF readers, Microsoft Office, Java, Flash Player, web browsers and operating systems as soon as patches for known security holes are released.
    “A lot of data breaches occur on systems that are not protected, and not up-to-date,” says Sean Kopelke, director of security and compliance solutions at Symantec.


  3. Passwords and privileges
    Minimise the number of users with administrative privileges. Also, check the identity of visiting technicians and change passwords when they leave.


  4. Develop information policies
    You should treat information in the same way on each platform or device, says Kopelke. “It sounds simple, but implement policies around securing information, not the devices. It is irrelevant where information is stored; the policy on how it is protected should be the same.”


  5. Educate staff
    Often the weakest security link is the human link. Educate staff about how to handle confidential information. Teach them how to assess whether someone who rings asking for information is legitimate and to suspect all emails, links and attachments.


  6. Rethink social media
    The AFP goes a step further and recommends implementing policies banning employees from accessing social media sites at work, as these sites can allow malware to infiltrate company systems. Many security companies, however, recommend mitigating this risk with specialist applications and security modules to accommodate social media in the workplace.


  7. Report
    Marden finds it strange that organisations report burglaries but do not report cyber compromises. Australia does not have mandatory breach disclosure laws as in the US.

Not mentioned in that list, but also well worth considering, is data breach insurance, which is increasingly available and makes some sense for anyone handling sensitive information. The potential issue with insuring against data breaches is that, perversely, having such insurance may lead an organisation to let its preparedness and alertness slip, feeling that a breach will have fewer consequences.
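To make item 1 in the list above (application whitelisting) concrete, here is an added Python example of the decision an allowlist makes; it is not code from the article, the AFP or the vendors quoted. It identifies each approved program by the SHA-256 of its bytes rather than by its name or folder, so a malware dropper renamed to `pms.exe` and a genuine binary that has been tampered with are both refused. The program names, folders and file contents are constructed for illustration; in production the hashes (or the vendor's code-signing certificate) go into the operating system's own enforcement point, such as AppLocker on Windows, not into a script.

```python
"""Why application allowlists key on content, not file name.

Added example; not code from the article or from the AFP guidance it quotes.
The executables and their contents are constructed sample bytes.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_allowlist(approved: list) -> dict:
    """Record the hash of each approved executable at install time, the one
    moment the binary is known to be good. The map is hash -> friendly name;
    the file's path is deliberately not part of its identity."""
    return {sha256_of(p): p.name for p in approved}


def decide(candidate: Path, allowlist: dict) -> tuple:
    """Return (permitted, reason). Anything not on the list is refused: this
    default-deny posture is what distinguishes allowlisting from antivirus,
    which can only refuse what it already recognises as bad."""
    digest = sha256_of(candidate)
    name = allowlist.get(digest)
    if name is None:
        return False, f"deny {candidate}: hash {digest[:12]}... not on allowlist"
    return True, f"allow {candidate}: matches approved '{name}'"


def demo() -> list:
    """Three launch attempts: the genuine program, a dropper renamed to the
    same file name in another folder, and the genuine program after an
    attacker appended a payload to it. Returns the (permitted, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine = root / "Program Files" / "PracticeSoft" / "pms.exe"   # assumed name
        genuine.parent.mkdir(parents=True)
        genuine.write_bytes(b"MZ\x90\x00 practice management system v4.2")  # constructed
        allowlist = build_allowlist([genuine])

        renamed = root / "Downloads" / "pms.exe"     # same name, different bytes
        renamed.parent.mkdir()
        renamed.write_bytes(b"MZ\x90\x00 invoice.pdf.exe dropper")           # constructed

        patched = root / "Temp" / "pms.exe"          # genuine bytes plus a payload
        patched.parent.mkdir()
        patched.write_bytes(genuine.read_bytes() + b"\x00 backdoor")         # constructed

        return [decide(p, allowlist) for p in (genuine, renamed, patched)]


if __name__ == "__main__":
    for permitted, reason in demo():
        print(reason)   # expected: allow, deny, deny
```

The practical cost of hash-based rules is that every legitimate update changes the hash, which is why item 2 (patching) and item 1 have to be managed together: either re-approve after each patch, or use publisher (code-signing) rules so that any binary signed by the vendor is accepted.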


Legislative and Ethical Requirements
The third is to understand clearly just what is required by best practice and legislation.
As already indicated, the public clearly expects that their health information will be kept both secure and private. In response to this requirement for information privacy, covering all sorts of personal information (financial, health and so on), a range of legislation has been passed over the years.
At the time of writing, Australian legislation is in a state of flux, with major changes to the foundational Commonwealth Privacy Act 1988 passed last year, as noted above. [10] The amendments harmonise the privacy principles, widen the scope of organisations covered by the Act, change a range of credit reporting laws and toughen the enforcement regime.
There is a dedicated web page covering the changes which can be found here: http://www.oaic.gov.au/privacy-portal/resources_privacy/Privacy_law_reform.html
The biggest change of relevance to the health sector is the replacement of the National Privacy Principles with a new unified set of Australian Privacy Principles (APPs) in March 2014. Health information is treated a little differently: specific circumstances are defined in which health information can appropriately be collected, used and disclosed. All those involved in handling health information, in any form, paper or electronic, would be well advised to review their present and future obligations. The general website is here: http://www.oaic.gov.au/privacy-portal/index.html
The Commonwealth Privacy Commissioner, a key part of the Office of the Australian Information Commissioner (OAIC), also has a role in administering and enforcing the special legislation developed to cover the privacy aspects of the Healthcare Identifiers Service and the Personally Controlled Electronic Health Record (PCEHR), which carries strict rules on breaches and significant penalties.
Sadly, there appear to have been major recent staff losses within the Office of the Privacy Commissioner, so there are some doubts as to how effective the enforcement regime will be going forward. [11]

The ethical position when handling sensitive private information is very clear cut. Those who control and have custody of private health information carry a high level of responsibility to avoid potential harm to their patients while, at the same time, making sure that the personal information clinicians need to assist those patients is easily accessible and available.
Information Sources
Lastly, it is important for organisations to know where help can be sourced.
The key government resource for managing cyber-attacks and infiltration is, at present, Computer Emergency Response Team (CERT) Australia, which provides a useful website at www.cert.gov.au.
In due course CERT Australia is to become part of an expanded Australian Cyber Security Centre which was announced by the Prime Minister in January 2013. [12]
There is guidance available on how information compromise and leakage should be addressed found at the Office of the Australian Information Commissioner at http://www.oaic.gov.au/publications/guidelines/privacy_guidance/data_breach_notification_guide_april2012.html
Also, in late April the Privacy Commissioner provided new security guidance for organisations handling private information. This will also be useful in formulating a plan to manage the combined privacy and security issue. See http://www.oaic.gov.au/publications/guidelines.html#other_privacy_guidance
Additional information that may assist smaller organisations (especially medical practices) in preparing for and preventing information security problems is available from the Royal Australian College of General Practitioners (RACGP) website. The following link provides a very useful set of freely available resources: http://www.racgp.org.au/your-practice/e-health/cis/ciss/
These three sites will provide a useful start for any organisation wishing to assess their current and desirable future state in securing the sensitive information they hold.
In summary, patients expect their private health information to be managed securely and appropriately in the context of current and future legislative privacy and information protection requirements. To not pay proper attention to these issues invites both reputational and financial damage - to say nothing of the potential damage to patients.
Finally, a headline from Wired puts the risk in clear perspective: it is not a matter of if but when. [13] ‘World’s Health Data Patiently Awaits Inevitable Hack’, by Daniela Hernandez, 25 March 2013.
Essentially what we face, in an ever more connected and complicated world, is a continuing and rising risk and a greater chance of compromise and damage. As a correspondent put it in response to a draft of this document, there is a war going on out there and we are all finding it a good deal harder to stay ahead. If the CIA is struggling, what hope, without great care and effort, does any small business have?
The next step is yours!
Dr David More was assisted in the development of this article by Emma Hossak, CEO of Extensia, lawyer and privacy expert.
Interested in keeping up with privacy changes and training for your business? Join other businesses who are members of iappANZ - visit www.iappanz.org.
REFERENCE
[1] http://www.medicalobserver.com.au/news/hacked-qld-medical-centre-assures-patients-records-intact
[2] http://www.medicalobserver.com.au/news/hacking-into-health-files
[3] http://www.computerworld.com.au/article/457420/state_data_breaches_/
[4] http://aushealthit.blogspot.com.au/2011/11/this-is-very-interesting-summary-of.html
[5] http://www.ponemon.org/news-2/23
[6] Michael D Kirby, ‘Privacy in Cyberspace’ (1998) 21 (2) UNSWLJ 323, 325.
[7] http://aushealthit.blogspot.com.au/2013/04/just-reminder-that-security-of-health.html
[8] http://www.ft.com/intl/cms/s/0/bb3fcc90-ab4a-11e2-ac71-00144feabdc0.html
[9] http://www.smh.com.au/it-pro/security-it/seven-top-cyber-safety-measures-for-business-20130416-2hwtr.html
[10] http://www.youtube.com/watch?v=_6x2V870Y2k
[11] http://www.oaic.gov.au/about/foi/disclosure_log/OAIC%20response%20to%20AGD%20on%20OGP%20Jan%202013_Redacted.pdf
[12] http://www.pm.gov.au/press-office/australian-cyber-security-centre
[13] http://www.wired.com/wiredenterprise/2013/03/our-health-information/
  • All content Copyright © 2022 Westwick-Farrow Pty Ltd