Data security and the new privacy laws
The recent extortion attempts by hackers against general practices in Queensland have brought into focus the effect that the new privacy laws will have on the healthcare sector, with particular ramifications for breaches of data security.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 passed both houses of Parliament late last month and has since received Royal Assent, meaning it will come into effect in March 2014.
The new privacy laws bring together the former Information Privacy Principles, which covered the public sector, and the National Privacy Principles, covering the private sector, into one group of 13 Australian Privacy Principles (APP), which apply to all health service providers.
The Australian Privacy Commissioner, Timothy Pilgrim, has urged all organisations, both public and private, to review the new principles and warned that his office will have substantially boosted powers to enforce the laws and exact penalties for any breaches.
“From the commencement of the new laws, I will be able to accept enforceable undertakings, seek civil penalties in the case of serious breaches of privacy, and conduct assessments of privacy performance for both Australian government agencies and private sector organisations,” Mr Pilgrim said.
“While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases.”
It is expected an amendment to the new laws will be introduced next year to establish mandatory data breach notification rules, which the Office of the Australian Information Commissioner (OAIC) recommends follow the data breach notification requirements of the PCEHR Act.
What this means for healthcare providers is that all organisations should review their privacy policies now, as they will be required to have a written statement, according to a briefing note by Corrs Chambers Westgarth partner, David Smith, and senior associate, Matthew Craven.
It also means they should look at boosting their IT security arrangements to ensure a breach does not occur, security experts say.
The partners write that the new laws will require organisations to explain to consumers how they can complain about a breach of privacy and how the organisation will deal with privacy complaints.
Organisations must also specify if they are likely to disclose personal information to recipients overseas, which has implications for organisations using an offshore data centre or cloud computing provider for data storage. It also has implications for the transmission of information within Australia, particularly by email.
“You will need to review any arrangements you have in place, or that you are considering, which involve the transfer of personal information offshore, eg outsourcing or cloud computing arrangements,” Corrs writes.
The partners also warn that the Privacy Commissioner's powers will be bolstered, including the ability to apply to a court for a civil penalty if an organisation commits a “serious interference with a person's privacy”. The penalty for this can be up to $1.1 million for a company.
While most of the new principles are similar to those that healthcare organisations have worked under for many years, it is the potential for unintended breaches of privacy through lax IT security processes that has many in the industry concerned.
Paul Waite, director of solutions and innovation at obsecure, a Sydney-based company specialising in information security, said the Queensland hacking cases should be a warning sign to general practices in particular that they need to beef up their security.
The hackers in those cases insist that they have merely encrypted the data to render it useless in an attempt to extort money from the practice, not stolen it, but as HackLabs security consultant Chris Gatford told Pulse+IT, it is not as if they can be trusted.
“It is a fundamental mistake to assume that victims can take the attackers' word that the data has not been taken, only encrypted,” Mr Gatford said.
"These types of events along with [the new data breach notification laws] could actually close down businesses who don't take this seriously.”
Mr Waite said general practices are most vulnerable to data security lapses in the way they store and back up information. He said extortion attempts such as those on the Gold Coast should also encourage practices to investigate taking out cyber security insurance.
The main problem, however, is in practice workflows and the transmission of patient information, especially by email, he said.
“GPs tend to use email for the movement of sensitive information and the privacy legislation pretty well forbids you from doing that now,” he said. “Without going right down to saying you must not, it basically means that you need to take every precaution to protect information that is being transmitted, whether that be through email, through FTP or a product like obsecure’s. You need to take a duty of care in regards to that health information.”
Mr Waite has a vested interest in the topic as obsecure markets a software product that distributes sensitive patient data by providing a privacy-compliant, secure messaging platform for GPs and their patients which involves data encryption and strong two-factor authentication. However, he also believes that GPs and other healthcare providers are not adequately aware of what the new laws will mean.
As with a new app being developed by Melbourne plastic surgeon David Hunter-Smith and colleagues to provide a secure way of sharing clinical photographs (see Pulse+IT November 2012), ubiquitous forms of data transmission such as email now need to be carefully looked at.
Gmail, for example, is hosted in the cloud but Google's servers are located throughout the world, not here in Australia.
And it is not just Gmail, Mr Waite said. “It's any email system, because any administrator can see the contents of that particular email. A lot of organisations, and even some of the larger corporates in Australia, don't realise that if they are sending something of a personal nature internally using say a Microsoft environment, the Microsoft Exchange administrator can see every email that goes through the server.”
While organisations may take this risk, it is only when a breach occurs that it really hits home, he said. “If you haven't had a breach you can take a risk, but the important thing is that under the old Privacy Act, you'd basically just get a rap over the knuckles.
“Now because of the civil penalties being introduced, that changes the whole way that you should consider doing things. We are working with a few industry bodies to put together privacy impact assessments (PIAs), so with those PIAs, coupled with security technology and cyber security insurance, that pretty well gives you good coverage to be able to say we did things in the correct fashion so that the Privacy Commissioner, if you did have a breach, would then look at the way you conducted your business and how you handled this personal information.”
He warned that an action plan in the event of a breach was essential, not just because of the cost of the breach itself, but the cost of remediating it.
“The remediation means that for a period of time in the case of a breach of X number of personal records that could impact or form an identity – the majority of healthcare providers would have sufficient detail there with Medicare numbers and date of birth and addresses, for example, that would be enough information to form an identity – you would have to monitor every credit agency for a period of time to ensure that the personal information stolen was not used in applying for credit.”
Mr Waite said this would mean that organisations that are responsible for a breach would need to purchase subscriptions to credit agencies like Veda or Dun and Bradstreet to check that credit has not been applied for using an individual's details.
“The person responsible for monitoring those credit agencies is the person who let the information out,” he said. “When Sony had their 77 million PlayStation subscribers' details leaked, they thought they were covered under public liability insurance and they are not. Now Sony has to monitor 77 million people over a period of time, so you can imagine the cost. For an annual Veda alert, it costs about $60 so if you have a thousand people breached, that is going to cost you $60,000. That is a substantial cost, let alone the cost to reputation.”
He said that under the new act, personal information should only be opened by the intended recipient, meaning those hospitals that email discharge summaries and the like to GPs will have to ensure it goes to the GP him or herself and not to the receptionist.
obsecure’s product, developed here in Australia, allows users to drag and drop any electronic records into an interface, which will then encrypt the file, wrap it securely before storing it in a secure location, either in a data centre or hosted in the user's own environment, meaning it does not leave the office.
“We will email a link to the recipient and the recipient then needs to go through a two-factor authentication process where we issue a one-time password, whether that be to an email address or an SMS to a smartphone, or a combination of those two,” Mr Waite said. “We also can do a challenge response, which is a scrambled pin number, and we are working on a voice system where we can verify you through voice recognition.”
This is similar to the method being used by Dr Hunter-Smith and his team at PicSafe Medi, which will allow clinicians to take a photo of a wound, for example, upload it to a secure site and delete it from the camera or smartphone, and then a time-restricted email is sent to the intended recipient.
Dr Hunter-Smith was inspired to develop the app due to the former National Privacy Principles and his awareness of what the new privacy laws would entail. His company is currently in discussion with several public health services and private hospitals to launch the new app.
The RACGP has guidelines for computer security that must be followed by practices for accreditation purposes, but Mr Waite believes that no one is policing them, as the recent Queensland hacks illustrate.
“That's what I'm saying the Privacy Act now changes," he said. "The Privacy Commissioner now has the ability to enforce civil penalties. That's why you now have to be a lot more cautious about all aspects of personal data management.
“This has been around since 2008, through the Law Reform Commission recommendations, so it's not something that has just popped up overnight. The Privacy Commissioner has published some information recently that tells you the steps of what you need to consider and how you go about doing things. This is one aspect of the new law, but the bigger one that is going to affect more people is the proposed breach notification laws.
“That will be the real test because what you have to do then is that if you do have a breach, [the Office of the Australian Information Commissioner] is indicating that organisations should advise them if you have had a breach. If you don't advise them in a timely fashion or somebody makes a complaint that they've had their details somehow mislaid in any way, shape or form, there are potential significant civil penalties for non-compliance.
“It will change the whole way in which we do things and what we call trusted information. 20 years ago you'd go to the doctor and they'd have all of the patient files sitting behind the receptionist at the front desk, but now because everything is digital and we use smartphones and all sorts of methods of accessing information, the person at the front desk, the gatekeeper to that trusted information, is no longer there.”
Posted in Australian eHealth