Thomsons Lawyers special counsel Kathie Sadler says people using the government's personally controlled e-health record (PCEHR) system will have to address their own storage and security requirements to ensure ongoing protection of medical data.
"Each of the doctors, hospitals, aged care facilities and allied health professionals legitimately accessing the PCEHR system will themselves be subject to privacy and confidentiality obligations to the patient," she said.
"Holders of the information therefore have a duty to implement their own safeguards in respect of the PCEHR and related information, and not rely upon the identifiers or systems put in place by the government."
Ms Sadler said it was "almost inevitable" that some medical information would be stored in a cloud environment at some stage of the chain of creation and use, and owners or holders generally would not know the physical location of that data.
The Privacy Act imposes restrictions on an organisation's ability to send personal information outside Australia without specific consent.
"Health information is, by its very nature, sensitive," she said. "It also has a value to other people, who may not always have the best of intentions."
Because information about a person in the PCEHR system can be compromised at any point where it is accessed and then used, Ms Sadler said it was essential all users have appropriate security systems in place.
"The government is proposing significant security measures in respect of the PCEHR system, which it will control," she said.
"It therefore seems likely that parties attempting to illegally access information will concentrate their efforts on systems belonging to individual health professionals and non-government healthcare providers.
"Health organisations and professionals will have to be vigilant."
Ms Sadler said most data breaches occurred through targeted hacking attacks, or because of human error.
"Generally leaks happen because somebody's hacked in, and we know people lose USB sticks, laptops get stolen, a new software program introduces a trojan," she said.
"It's not usually because a staff member was acting maliciously or negligently."
Ms Sadler said there were unlimited scenarios where practitioners may access information in the PCEHR and use it in ways that are not necessarily protected by the security measures imposed or envisaged by the government.
"A doctor attending a patient in hospital will access information created and/or obtained by that hospital through the national system," she said.
"That doctor may transfer all or some of the information, either directly or by way of their notes, onto a laptop, via email or other mobile device."
While draft PCEHR legislation proposes stiff financial and criminal penalties for data breaches, Ms Sadler warned that any unauthorised access would also result in "significant fall-out and reputational damage" to all members of the chain of creation and use.
"This is especially so if it's not possible to identify all of the points of access, or which facility or professional created the opportunity for the unauthorised access," she said.
"It is important that each owner, holder or user within the PCEHR system be in a position to provide evidence of implementation and maintenance of appropriate security measures, not only in respect of their own storage, access and use of the information, but also in respect of provision of access by any third party."
Ms Sadler said it was a concern that individual practitioners and small private providers lacked the IT resources to ensure their systems remained secure.
They needed appropriate strategies and support to reduce the risks.
---
Author(s): Karen Dearne
Source: Australian IT, 24.11.2011

