Health Data Privacy and Security in the NZDF


Published on

Karl Cole
(Formerly doctor in the NZ Army)

Published in: Health & Medicine
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Health Data Privacy and Security in the NZDF

  1. 1. NZDF Health Information system It would be easy if it wasn’t for security
  2. 2. Overview Military medicine 101 East Timor lessons learnt Post game analysis,. Audit general report DMIS Security Strategy
  3. 3. Military medicine To Serve, team players, motivated to be “fit to deploy” Patient records have same protection as civilians, except in extreme case. – Confidentiality cornerstone. similar to a rural civilian medical centre. Doctor as Officer, works for Organisation also. Health and wellness focus, more integration with HR, other aspects org.
  4. 4. If you are lucky….
  5. 5. Military populations - deployment D/BI Disease was major cause of death. 7 Mil Med works!! 6 5 – Minimizing impact of illness on deployed force 4 – Major advances in last 3 0.05 50 years 2 1 JFHQ level planning 0 Wellness and force M ex ican W ar C iv il W ar S p an ish -A m erican W ar WW1 WW2 K o rean V ietn am protection focus – Health threat assessment – Education plan • Bugs are still there…..
  6. 6. DMIS Command and Control systems
  7. 7. East Timor, the year is 2001 What was the records system like?
  8. 8. Most innovative Records
  9. 9. Security, what security?
  10. 10. Past and Present Disjointed databases Paper record mainly – Focused on occupational grading – Loose leaf, enclosed Chronologically – Multi problem was a problem….. Recall and follow up. – Geographical, reminders difficult. Looking back past last medical board,….
  11. 11. Audit Report Auditor – Generals report • Difficulty in determining numbers meeting vaccine requirements, access to JEV.. • Incomplete medical records • Labour intensive • Inadequate health surveillance systems and linking risk factor to clinical outcomes RECOMMENDED – Joint electronic medical information system – That meets individual care as well as organisational and operational wider planning requirements.
  12. 12. The future…… some ideas Improved medical records access, DMIS, health planning Improved tracking of individual health. Population Health surveillance/KPI from clinical databases. – Geo coding – Bio strain measurer. Cohort studies, should each deployment be a virtual cohort study? linked via NHI, when leave service – Cohort follow up. (US have a “2000 cohort” 100 000 military following since 2000)
  13. 13. STOP! Greater availability, access, integration National Tri service Workshop Privacy Privacy Privacy
  14. 14. Security vulnerabilities Concerns for patients privacy – Cornerstone doctor patient relationship – non authorised access • Intra as well as inter organisation threat. Concerns for Organisation, Force protection – could be used by enemy • Attack individual • Attack system
  15. 15. Just how safe were we?
  16. 16. Individual privacy Threats that the new system brings Paranoia Much more vulnerable to unauthorised access from within – Not everybody expects their health data to be open access Somewhat more vulnerable to other unauthorised access
  17. 17. Force protection, military specific vulnerabilities Pre deployment – What part of the record is medical <> organisational Intra deployment – Add complexity, soldier proof ? – Source of attack, • info could get from medical record for interrogation ?? Locations when where etc – Over reliance on telemed, communications Post deployment – No major
  18. 18. Existing standards HIPAA HDC guidelines MPS Directorate of Defence medicine • Unique military demands • Staff, Community/patients, deployment, POW How to balance availability of records with privacy
  19. 19. User requirement Privacy became important part of the User requirement – (note the requirement to be actively looking for misuse, not good enough to wait for compliant) ?? Like banking!! • Physical • Technical - restrictive. • Technical - active looking • Policy – No 3rd party testing!!
  20. 20. Security Physical – Bases, screens, windows, – Security checked Technical – restrictive – Password, network security, alert when access notes outside Health care providers area – manage relationship database, single source of the truth, shared data layer, etc.
  21. 21. Security Technical – proactive query to system for suspicious behaviour – Look for misuse, can not be complaint driven. – Late night access. – Overly high access to notes – Same surname access – Notes opened when Doctor not in country…
  22. 22. Security - Policy All health workers can see all records, but with warning when looking outside your unit/area. Operational planning elements from each health record extracted to SDL, one source No sealed envelope Education – We are watching you. Security Officer in each medical treatment centre In course training Brig DGMS can see all…..
  23. 23. Care Plan Analysis Example Example Gets a snap shot of overall status of cohort Patient groups allow focus on a Service/Unit/etc (4.4) Now adding “Group Plans”, allowing review (5.1) • Plan A AND B; or Plan A OR B
  24. 24. Conclusion Have we got the balance right?