Clear security guidelines needed to protect Australia’s digital health records

22 May 2018

Current initiatives aimed at promoting the use of digital medical records in Australia will lead to the delivery of better healthcare services for all citizens. Rather than gathering dust in a GP’s filing cabinet, records will be readily accessible by all medical practitioners involved in treating a patient.

However, the shift to the use of digital medical records poses challenges from an IT security perspective. This comes at a time when recent events reveal there is insufficient attention being given to ensuring personal health data is stored securely and only accessible by authorised parties.

The Office of the Australian Information Commissioner’s first quarterly report on data breach notifications received under the new Notifiable Data Breaches (NDB) scheme serves to highlight the problem. Of the 63 breach notifications received during the first six weeks of the legislation being in place, a third (33%) involved health information.

Problems are also occurring in other parts of the world. The UK’s National Health Service experienced significant problems when it was hit by the Wannacry ransomware outbreak in May 2017. Almost 20,000 medical appointments had to either be postponed or cancelled.

In 2016, a US hospital paid the equivalent of $US17,000 in Bitcoin to a cybercriminal who had managed to take control of its computer systems. The hospital believed this was the best course of action to allow patient treatment to continue.

The challenge of protecting digital health records

The sensitive nature of medical records makes them a particularly attractive target for cybercriminals. Stolen records can be used for anything from identity fraud to ransom demands and are in strong demand on the black market.

There is also the issue of patient confidentiality. If citizens don’t believe their records are secure, they are unlikely to want to adopt any new digital system.

Keeping records safe at all times is not a trivial task. While it might be possible to have effective security in place when the records are stored centrally, risks occur when they are shared with third parties.

For example, specialists in a hospital would need to access centrally held records when treating a patient in the emergency department. Radiologists would also need access when checking scans and other test results. Even therapeutic care providers such as osteopaths may need to access the files when providing follow-up treatment.

As a result, an individual’s records could end up being accessed in multiple locations, by multiple parties using multiple devices. Copies of the records could also end up being stored locally, creating further data security issues. This would be of particular concern if storage was on a mobile device such as a laptop or tablet.

The need for a security framework

For these reasons, ensuring the digital medical records of Australians remain secure at all times will require the introduction of an effective security framework. This framework must detail the steps that need to be taken by each person who is using the records and the tools required to prevent unauthorised access.

To be effective, the framework should cover a range of areas in which security must be carefully assessed and enforced. These areas include:

  • Asset management – all devices, including medical devices such as x-ray machines. These can never have AV installed on them but should be monitored.
  • Identity management – each user should have their own identity.
  • Access controls – control access to sensitive data by only allowing the right people access to it, and log this access to identify suspicious behaviour.
  • Information security policy development.
  • User awareness training.
  • 24x7 monitoring.
  • Proactive testing of security processes.

Naturally, such a framework cannot enforce a one-size-fits-all standard. The security requirements within a busy hospital will be very different from those in a single GP’s practice or the offices of an allied healthcare provider. Instead, the framework should have different levels of requirements that relate to the different types of medical staff who will be accessing the records.

Ongoing management

There will be little point having a digital security framework for the protection of medical records if adherence to it is not mandatory. Resources will need to be allocated to ensure the regulations are enforced and any parties not undertaking the required security procedures are prevented from accessing the records.

Attention must also remain on the constantly evolving threat landscape. Should any new types of threats emerge that are not covered by the existing framework requirements, those requirements must be amended quickly and the changes communicated to all parties.

By creating a security framework and ensuring all healthcare providers are adhering to it, Australian citizens will be able to enjoy the benefits that flow from a digital health records infrastructure without needing to be concerned about their personal data falling into the hands of criminals.

Article by Content Security senior security advisor and group manager, Anshul Pandey.
