Over the past five years, the government and industry have developed legislation and standards that enable healthcare institutions to effectively share electronic health data.
National e-health standards now cover key areas such as accurately identifying healthcare providers and consumers (national health identifiers), secure messaging, and repositories for personally-controlled electronic health records (PCEHRs). These standards attempt to address information privacy concerns and mandate security mechanisms to protect consumers’ sensitive health information.
Importantly, this level of protection has earned the support of consumer groups for the electronic distribution of health information outside of organisational boundaries. Consumer groups recognise the benefit of e-health and support the sharing of patient data between healthcare providers when the appropriate level of protection is applied.
But as new privacy legislation and penalties for breaches emerge, it’s time to consider whether the e-health industry is providing enough support to healthcare providers to help them secure private information within organisational boundaries.
Data privacy is important because consumers have a natural tendency to trust their individual healthcare professionals and the institutions they visit with their sensitive information.
As the health sector embraces e-health technologies, consumers also trust that their personal health information will continue to be handled appropriately.
Healthcare providers can ill afford to break the trust given to them by consumers to protect their sensitive health information. Disclosure, misuse or unauthorised access of each patient’s health data will break their trust in a healthcare provider and impact consumer confidence that the national e-health program can protect their private information.
Breaches have real repercussions for providers
There’s a real risk that people will stop sharing their medical history with healthcare providers if they don’t have confidence that the right privacy controls are in place.
This could be an extremely dangerous scenario for the healthcare industry as healthcare and contracted service providers can now face considerable fines of up to $1.1 million for privacy breaches.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 gives the privacy commissioner enhanced powers to seek civil penalties for serious privacy breaches.
With this in mind, data privacy needs to be a key focus for healthcare organisations recording and sharing health data electronically. In the past, privacy hasn’t received the attention it deserves for many reasons, which include:
Lack of education around policies and procedures
There has been a lack of education across the health sector on the importance of adopting appropriate privacy policies and procedures despite the availability of national and state-based health privacy principles.
Healthcare organisations are now exposed to additional privacy risks with e-health driving the transfer of patient information to an electronic format. They risk losing sensitive data from unauthorised access or sharing of information, loss of data on digital media or information being stolen from mobile computing devices.
According to latest figures from <i>iHealthBeat</i>, at least 1.8 million consumer health records were lost in 16 major incidents involved UK-based National Health Service organisations between July 2011 and July 2012.
The worst incidents involved patient records being stolen and posted on the Internet and unsecured laptops with patient data being pinched from homes of staff members.
Wrong mindsets around data ownership
Typically, the healthcare provider who creates health information owns that information. While this does not interfere with the right of customers to access their health information held by healthcare providers, the notion of ownership does impact on the security of patient information and ultimately on its privacy.
In the context of information you “own”, it can be argued that it is not unreasonable for healthcare providers to hold patients’ health information on digital media or mobile devices for their future reference. The exception is when healthcare providers are considering the risks posed to information privacy if additional security precautions are not adopted.
Healthcare providers should consider a change in mindset around data privacy because ultimately, we are all patients, parents of patients, and children of patients who are concerned about information security.
Too much of a focus on features and functions
A major driver for investment in software systems in the health sector is to reduce costs and improve the effectiveness of healthcare providers delivering quality care to patients.
E-health is expected to take the pressure off healthcare professionals, reduce medication errors, and provide reduced incidences of preventable illnesses so it is understandable that many legacy and specialised health applications initially only focused on particularly features and functions. Not enough attention was given to providing adequate security and privacy frameworks.
Furthermore, neither legislation nor healthcare providers pushed health software vendors into providing appropriate mechanisms for securing patient information to reduce the risk of breaches of information privacy.
This is in contrast to the US health sector where HIPAA (Health Insurance Portability & Accountability Act of 1996) has driven the compliance of health software with certain policies and procedures around the access and control of electronic health information.
So what needs to be done to improve the security of patient data in Australia? Changes to the Privacy Act in Australia will not come in effect for 15 months, which gives the e-health industry time to help healthcare providers ensure the privacy of electronic health information.
When considering the legal implications and impact on consumer sentiment for breaches of privacy, healthcare providers should also be asking software suppliers for the latest versions of their health applications. This will ensure providers can implement security and privacy policies that significantly reduce the risk of privacy breaches.
A new framework
Released in December 2011, NEHTA’s E-health Information Security and Access Framework aims to provide health software vendors with a “blueprint” to strengthen the protection of consumer health.
The framework aligns with other IT industry security standards and includes implementation guidance for protecting data at rest, appropriate authentication and authorisation mechanisms, and traceability against access to consumer health information to prevent and detect security and privacy breaches.
Security mechanisms should be seamless, easy to manage, and non-intrusive to the everyday activities performed by healthcare providers. There is little point implementing strong authentication mechanism if it is seen as a management nightmare and demands consistent interruption to healthcare professionals who are providing care to patients.
To verify health software conformance to national e-health standards that cross organisational boundaries, the e-health industry has mandated third-party conformance testing by industry test labs.
But neither the security standards and frameworks nor the privacy principles in Australia define security implementation approaches. Perhaps creating a national certification program for assessing information security, which is adopted by the healthcare industry, will give healthcare service providers the confidence that their systems are secure.
Brett Avery is e-health programme manager at Webstercare and has spent the past seven years researching and prototyping software for the health sector. He is also a member of the CIO Executive Council’s Pathways Leadership Development Program.