Managing Security in Healthcare Practices

March 14, 2022

Healthcare data is being digitally transformed

The Royal Australian College of General Practitioners reports that the threat of cybercrime – inappropriate or unauthorised criminal access to practices’ electronic data – is growing significantly. General practices frequently face new forms of malicious software and cleverly designed social engineering scams that can place your clinical and business data at risk. The single leading potential risk in a general practice’s information security is an internal breach through human error or malicious intent. Cyber-criminals are known to target smaller businesses, like general practices, as their information security defences are more easily breached in contrast to larger businesses that often dedicate more resources to digital information security.

In the 2017–18 Budget, the Australian Government announced that every person known to Medicare or the Department of Veterans’ Affairs (DVA) who has not already registered for a My Health Record will automatically have a record created for them unless they choose to opt out. The opt-out period was then extended to 31 January 2019. Individuals can cancel their My Health Record at any time.

What can patient data be used for if stolen?

Increasingly, hackers are selling the information for profit on the black market. According to Reuters, buyers might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim.

According to Experian, a patient's full medical records can sell for up to $1,000. By comparison, Government Identifiers and credit card information usually sell for $1 and up to $110, respectively.

According to Computerworld, one hacker, who went by "thedarkoverlord," was selling 655,000 medical records stolen from three health care organizations for almost $700,000 on the darknet.

Security policies for healthcare providers

Requirements for Security Policies

Healthcare provider organisations are required to have a My Health Record Security and Access policy, to meet requirements outlined in the My Health Records Rule 2016 (Rule 42). The policy must be communicated to, accessible by, and enforced with, employees and other relevant parties. The policy must also be kept up to date by reviewing it at least annually, or when any material new or changed risks are identified.

Additionally, The Royal Australian College of General Practitioners recommends in its Information Security in general practice guide that your practice develop a policy specifying who has administration rights and access to specific systems. These guides are not additional obligations for GPs but are instead intended to assist you to meet your legal obligations for information security and the requirements necessary for accreditation against The Royal Australian College of General Practitioners (RACGP) Standards for general practices (5th edition).

What are Security Policies?

Your practice should document all policies and procedures for managing information security. A policy and procedures manual provides information and guidance to your practice team on the protocols used in managing your information systems. This manual is used to clarify roles and responsibilities, and to facilitate induction of new practice team members.

The Royal Australian College of General Practitioners recommends that, to be effective, policies should be:

  • publicised and provided to all existing and new members of your practice team
  • easily accessible (eg kept in policy manuals or available on your intranet)
  • explained to team members through information and training sessions, at team meetings and during induction, reiterated and discussed regularly to maintain relevance
  • periodically reviewed to ensure they are current, and updated when changes are made in information security processes in your practice or to relevant legislation
  • re-issued to the practice team when updated.

Policies should include:

  • a purpose and objectives
  • scope (ie to whom and what the policy applies, and under what circumstances)
  • definition of information security incidents and their consequences
  • organisational structure and defined roles, responsibilities and levels of authority
  • reporting requirements and contact forms
  • processes for providing access to training for your practice teams.

How to maintain your practice's security controls

Undergoing a regular assessment of your security controls will be critical to ensuring you maintain the rules set out by your policies.

Access Control across Your Practice

You cannot properly control access unless you understand what assets you are controlling access to.

Practice asset register

Your practice asset register should include details of the following:

Physical assets
  • computer and communications equipment
  • mobile electronic devices
  • medical equipment that interfaces with your practice information systems
  • backup media and uninterruptible power supplies
Information assets
  • databases
  • electronic files
  • image and voice files
  • system and user documentation
  • business continuity and information recovery plans
Software assets
  • operating systems
  • application programs
  • clinical and practice management software
  • communications software
  • software licence keys
  • original software media and manuals
Personnel assets
  • contact details of key members of the practice team and external service providers including internet service providers, telecommunication service providers, cloud service providers
Paper documents
  • contracts
  • patient records
  • other paper documents important to your practice.

If you want to keep all your assets recorded in a central location, use a cloud-based asset register that allows you to manage the risk associated with each asset.

Role-Based Access Model

A role-based access model is critical in ensuring you provide appropriate access to the right people within your business.

Maintaining appropriate access over time

To maintain appropriate access over time, your practice should conduct regular user access reviews and have a process to support onboarding of administrative and clinical staff.

Data Breach and Incident Reporting for Healthcare Providers

My Health Reporting Requirements

Reporting a clinical incident or issue - A clinical incident may relate to the My Health Record system or content directly, or the behaviour of clinical software when interacting with the My Health Record system.

Data breach notification - The characteristics of a breach of health and personal information relating to the My Health Record system are outlined in the My Health Records Act 2012. According to this Act, a data breach involves:

  • the unauthorised collection, use or disclosure of health information in an individual’s My Health Record; or
  • a situation where:
    a) an event has, or may have, occurred; or
    b) any circumstances have, or may have, arisen,
    that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system (whether or not involving a contravention of the My Health Records Act 2012).

The information you need to provide (at a minimum) regarding the actual or potential data breach is outlined in the checklist below:

  • description of the data breach
  • date and time of the data breach
  • cause of the data breach
  • type of information involved
  • how many healthcare consumers were or may have been affected
  • whether the data breach has been contained
  • what action has been taken or is being taken to mitigate the effects of the data breach and/or prevent further data breaches
  • name and contact details for the appropriate contact person within your organisation
  • any other relevant information.

Information in My Health Records

  • A patient’s shared health summary (e.g. diagnoses, current medications, immunisations, allergies and adverse reactions)
  • Immunisation information
  • Event summaries
  • Medication prescribing and dispensing history
  • Discharge summaries
  • Specialist letters
  • Referrals
  • Pharmacist shared medicines list
  • Advance care planning information
  • Information about a patient’s past health events
  • Pathology reports
  • Diagnostic imaging reports
  • Child development information
  • Consumer-entered information (see below)
  • Medicare overview (see below)

There are also a number of ways you can view a patient’s test result history, including:

  • Medicines Information View
  • Pathology overview
  • Diagnostic imaging overview
Consumer entered information
  • Personal health summary – individuals can enter information about allergies and adverse reactions, and current medications into their My Health Record. This data can be viewed by healthcare providers.
  • Advance care planning document – individuals can upload a document that outlines their preferences for personal care and health outcomes.
  • Advance care document custodian – individuals can enter the contact information of a person or organisation who is a holder of their advance care planning document (or "living will").
  • Emergency contact details – individuals can create a list of important emergency contacts in their My Health Record, which is visible to healthcare providers.
  • Personal health notes – individuals can enter information to help them keep track of their health, i.e. like a health journal. The system dates each note, which includes an entered title and the entered text. These notes are not visible to healthcare providers.
  • Child development – Parents can record information about their child’s growth and development and other useful information. The objective is to provide an integrated view of a child's health status for the parents/guardian and healthcare providers involved in the child's care.
Medicare overview
  • An individual can choose to include Medicare information in their My Health Record.
  • This can include up to two years of past MBS/DVA and PBS/RPBS claims information (where available) and all future MBS/DVA and PBS/RPBS claims information, as well as their organ and tissue donation decisions, which are sourced from the Australian Organ Donor Register.
  • Healthcare providers can access an individual's Medicare information through the Medicare Overview or the Document List.
