PHOs, PHNs and the cyber threat

Wellington, NZ residents woke up last Saturday to the unpalatable news that local primary health organisation Tū Ora Compass Health had its IT system hacked four times over the last three years, and it is unlikely it will ever know if patient information has been accessed.

Two of the hacks appear to have been old-fashioned defacing of websites by a malicious hacktivist, but the other two may prove to be a bit more serious. While PHOs don't hold patients' medical data, they do keep records of people who are enrolled at general practices in the region, their National Health Index number, and their name, date of birth and address. That is all very valuable information for identity fraudsters.

All of the district health boards have been told by the Ministry of Health (MOH) to double-check their systems and the spooks at the Government Communications Security Bureau, which runs the National Cyber Security Centre, have been called in. A long, forensic investigation has been promised and in the meantime, the DHBs are all upping their security precautions.

Compass Health's experience will also probably encourage people who in the past have been none too keen about PHOs holding patient data to agitate for change. Last year, for example, some clinical software vendors raised an alarm about the privacy implications of Auckland PHO ProCare extracting and storing patient data. Their claims were rejected by the Privacy Commissioner, but potential security concerns still remain.

That will resonate in Australia as well, where a battle over the privacy and security capabilities of primary health networks continues under the very touchy issue of the PIP QI, the controversy over which continues to bubble along. One of the concerns that practice owners have about the program is the varying levels of security capability of each of the 30 PHNs who are collecting the data, albeit de-identified.

The Department of Health (DOH) is funding the build of a National Data Storage and Analytics Solution (NDSAS) but that won't be ready for another year. In the meantime, we hear that the department has bowed to pressure and has engaged consulting firm Doll Martin, which offers privacy, information management and cybersecurity advice, to do a privacy and security review of the PHNs and their extraction and storage of data. Might have been an idea to do that a while back, eh?

DOH has not handled the PIP QI roll-out at all well, and this week had to issue a clarification of its previous clarification of exemptions to the data extraction process. Last week it appeared to be saying that any practice that refused to use the PHN-funded extraction tools, or whose clinical software did not integrate with those tools, would have to not only pay for but develop an alternative tool themselves. DOH had to clarify that practices were not expected to do the development work themselves, but in collaboration with their software vendor.

We took a poll on this very question last week and got some interesting results. We asked whether practices that refuse to use their PHN's chosen data tool for PIP QI should be required to develop and pay for their own. A small majority thought so: 56 per cent said yes, 44 per cent said no.

Following the cyberattack on regional Victorian hospitals last week, it appeared this week that they are now slowly getting back to normal. It comes as the suspected attack vector, the Ryuk ransomware, continues to cause havoc for health systems in North America. It appears to have knocked out three hospitals' systems in Ontario in the last few weeks, and one hospital service in Alabama has decided to pay up to get its systems back. A hospital in that state was also the subject of a very sophisticated phishing attack in August.

That brings us to our poll for this week: Should DOH and MOH be responsible for collecting population health data rather than the PHOs and PHNs?

Sign up to our weekend edition or Pulse+IT Chat to vote, or leave your thoughts below.

Comments

+1 # Helmut Modlik 2019-10-12 12:49
GP clinics with local server or application implementations are almost certainly more vulnerable to cyber attack than most PHOs or PHNs i.e. the issue isn't who is storing patient data, it is how robustly the risks around that storage are being managed. The answer too is that financially stressed health sector organisations of all sizes and purpose, are almost certainly not doing as well as they should i.e. focus on the "ball not the player"!
# Tom Bowden 2019-10-14 08:13
If we all started from the position that personally identifiable data should only be collected when it is needed for a legitimate purpose, we would lower the security risks immediately.

I am still completely mystified as to why a PHO/GP network really needs to collect a daily scoop of detailed data concerning all practices' patient consultations.

I am also firmly of the view that most patients in the Auckland region have no idea that this is happening to their data.

Once we reduce the amount of sensitive data being shipped around we lower the risk.

Of course every entity large or small is responsible for the security of the data it holds.

Additionally, practices need to take great care because they are being asked to run data extractions by a number of parties. While this can be a good idea, it also greatly increases their risk exposure.
# Rod Sayers 2019-10-15 07:55
Well yes Tom, maybe we should all go back to patient cards in an index box instead of actually addressing the data security and safety issue.
The elephant isn't in the room anymore, it is rampaging down the high streets!
# Tom Bowden 2019-10-15 13:22
The big security/privacy issue for the health system is ensuring we do not lose the confidence of patients.

We can achieve this by reducing the amount of sensitive data we collect thus reducing the attraction to hackers or by improving our data security practices. I am suggesting we do both of those things.

And back to my question: Why does a PHO/network need to have a database holding personally identifiable data and details of every GP consultation?
# Rod Sayers 2019-10-17 05:09
So, Tom, is the only way to make it less attractive to the hackers to assume they will hack and then say "oh dear, I only got their name, address, phone number and ID number, so it's just not worth me going there again"? Or, is the proper solution to make it impossible for the hacker to get anything, I repeat, anything that can be recognisable as a "medical record with patient ID"?
Let's secure the information rather than limit it.
# Tom Bowden 2019-10-17 10:15
No Rod, I have explicitly stated that there are two tasks here:

One is for each healthcare provider to successfully secure all of the information they hold.

Two is to ensure that information is only collected where it is necessary to do so.

If you have a PHO affiliation, perhaps you could explain why some (but I hope not all) PHOs feel the need to capture large amounts of patient data on a daily basis?

And please do continue to ensure that whatever data you hold is well and truly secured. I do realise that is a non-trivial task.
# Rod Sayers 2019-10-17 22:31
Perhaps it is to ensure a "complete record" of diagnosis, treatment and prognosis so that a carer or medic has a better chance of doing no harm in subsequent treatment.
One of the biggest issues for patients is the use of their information by authorised entities such as government departments who want the detail for statistical B.I. or A.I. purposes but can't guarantee anonymity of the subject.
I am, by the way, neither associated with nor a spokesperson for PHOs, PHNs or any organisation that in their normal course of business, collects or uses patient data. I only look on this topic from the point of longitudinal, irrefutable and totally secured.
Cheers, Rod
# Faustin Roman 2019-10-17 13:56
Cybersecurity is everyone's responsibility!
PHOs, PHNs, GPs, NGOs, DHBs, NGOs, MOH and any of the third-party vendors in between.
All these parties storing, processing or transmitting patient information have obligations to manage their risks to information security (not just cyber, think lost paper records, theft, internal privacy breaches!...).
We are all on the same side and we should collaborate at least as much as the bad guys do.
Do the basic hygiene (CERT Top 10) to mitigate most risks and prepare for an incident - it will happen (if you are not already compromised and unaware), above all do not think technology will solve everything or be ever perfect.
He tangata, he tangata, he tangata


Copyright © 2019 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.