PHOs, PHNs and the cyber threat
Wellington, NZ residents woke up last Saturday to the unpalatable news that local primary health organisation Tū Ora Compass Health had its IT system hacked four times over the last three years, and it is unlikely it will ever know if patient information has been accessed.
Two of the hacks appear to have been old-fashioned website defacements by a malicious hacktivist, but the other two may prove to be rather more serious. While PHOs don't hold patients' clinical records, they do keep enrolment records for people registered with general practices in the region: their National Health Index number, name, date of birth and address. That is all very valuable information for identity fraudsters.
All of the district health boards have been told by the Ministry of Health (MOH) to double-check their systems and the spooks at the Government Communications Security Bureau, which runs the National Cyber Security Centre, have been called in. A long, forensic investigation has been promised and in the meantime, the DHBs are all upping their security precautions.
Compass Health's experience will also probably encourage people who in the past have been none too keen on PHOs holding patient data to agitate for change. Last year, for example, some clinical software vendors raised an alarm about the privacy implications of Auckland PHO ProCare extracting and storing patient data. Their claims were rejected by the Privacy Commissioner, but potential security concerns still remain.
That will resonate in Australia as well, where a battle over the privacy and security capabilities of primary health networks continues to bubble along as part of the very touchy PIP QI controversy. One of the concerns that practice owners have about the program is the varying level of security capability across each of the 30 PHNs collecting the data, albeit de-identified.
The Department of Health (DOH) is funding the build of a National Data Storage and Analytics Solution (NDSAS), but that won't be ready for another year. In the meantime, we hear that the department has bowed to pressure and engaged consulting firm Doll Martin, which offers privacy, information management and cybersecurity advice, to do a privacy and security review of the PHNs and their extraction and storage of data. Might have been an idea to do that a while back, eh?
DOH has not handled the PIP QI roll-out at all well, and this week had to issue a clarification of its previous clarification of exemptions to the data extraction process. Last week it appeared to be saying that any practice that refused to use the PHN-funded extraction tools, or whose clinical software did not integrate with those tools, would have to not only pay for but also develop an alternative tool themselves. DOH then had to clarify that practices were not expected to do the development work on their own, but in collaboration with their software vendor.
We took a poll on this very question last week and got some interesting results. We asked whether practices that refuse to use their PHN's chosen data tool for PIP QI should be required to develop and pay for their own. A small majority thought so: 56 per cent said yes, 44 per cent said no.
It also appeared this week that the regional Victorian hospitals hit by a cyberattack last week are now slowly getting back to normal. It comes as the suspected culprit, the Ryuk ransomware, continues to cause havoc for health systems in North America. It appears to have knocked out the systems of three hospitals in Ontario in the last few weeks, and one hospital service in Alabama has decided to pay up to get its systems back. A hospital in that state was also the target of a very sophisticated phishing attack in August.
That brings us to our poll for this week: Should DOH and MOH be responsible for collecting population health data rather than the PHOs and PHNs?