“ Keep It Secret, Keep It Safe” Security and Privacy in 21st Century Health IT Sebastian Morgan-Lynch Policy Adviser (Health) [email_address]

What is Privacy? Privacy is not secrecy or confidentiality Privacy is wider than security Privacy is about control Regulated by the Privacy Commissioner under the Health Information Privacy Code 1994

The HIPC in a Nutshell Only get it if you really need it Get it straight from the people concerned Tell them what you’re going to do with it Be nice when you’re getting it Take care of it once you’ve got it They can see it if they want to They can correct it if it’s wrong Make sure it’s right before you use it Get rid of it when you’re done with it Use it for the purpose you got it Only disclose if you’ve got a good reason Be careful with unique identifiers

Only get it if you really need it

Get it straight from the people concerned

Tell them what you’re going to do with it

Be nice when you’re getting it

Take care of it once you’ve got it

They can see it if they want to

They can correct it if it’s wrong

Make sure it’s right before you use it

Get rid of it when you’re done with it

Use it for the purpose you got it

Only disclose if you’ve got a good reason

Be careful with unique identifiers

Rule 5 Storage and Security of Health Information (1) A health agency that holds health information must ensure: (a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take , against: (i) loss ; (ii) access , use , modification , or disclosure , except with the authority of the agency; and (iii) other misuse ; (b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and (c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.

(1) A health agency that holds health information must ensure:

(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take , against:

(i) loss ;

(ii) access , use , modification , or disclosure , except with the authority of the agency; and

(iii) other misuse ;

(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and

(c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.

So, what does that actually mean?

“ Reasonable Security Safeguards” Security Plan Physical Security Operational Security Technical Security Security of Transmission Risk analysis! “Pluck the low- hanging fruit”

Security Plan

Physical Security

Operational Security

Technical Security

Security of Transmission

Risk analysis! “Pluck the low- hanging fruit”

“ Loss” Policy Laptops in cars – do laptops need to leave the office? Is data password protected? Encrypted? Do you require regular syncing of mobile devices to ensure valuable data isn’t lost if the device goes missing? Training Can you demonstrate it’s been carried out, that it’s relevant, that it’s accurate? Ongoing awareness building and reminders Incident reporting and response – document all reports! Periodic evaluation Processes Data backup Disaster recovery Emergency mode operation

Policy

Laptops in cars – do laptops need to leave the office?

Is data password protected?

Encrypted?

Do you require regular syncing of mobile devices to ensure valuable data isn’t lost if the device goes missing?

Training

Can you demonstrate it’s been carried out, that it’s relevant, that it’s accurate?

Ongoing awareness building and reminders

Incident reporting and response – document all reports!

Periodic evaluation

Processes

Data backup

Disaster recovery

Emergency mode operation

“ Unauthorised Access, Use, Modification or Disclosure” Establish Vulnerabilities Network insecurities? Disgruntled ex-staff? Shared passwords? Updated firewalls and virus scanners? Assess Access Controls “ Too much security is the same as not enough” Should be reasonable, pervasive, and up-to-date Consider log-in monitoring and reporting of discrepancies Audit regularly and randomly Take special note of famous people and employees Have clear and communicated policies on misuse and be public about enforcing them Design security into systems Make secure information handling the easier way Footprinting, audit trails, support for appropriate levels of access

Establish Vulnerabilities

Network insecurities?

Disgruntled ex-staff?

Shared passwords?

Updated firewalls and virus scanners?

Assess Access Controls

“ Too much security is the same as not enough”

Should be reasonable, pervasive, and up-to-date

Consider log-in monitoring and reporting of discrepancies

Audit regularly and randomly

Take special note of famous people and employees

Have clear and communicated policies on misuse and be public about enforcing them

Design security into systems

Make secure information handling the easier way

Footprinting, audit trails, support for appropriate levels of access

“ Disposal” Don’t hire a digger

Don’t hire a digger

“ Disposal” Confidentiality clause in contract with disposal company Destruction of hard drives – degaussing, physical destruction What to do with information after death of clinician – destroy, return, next-of-kin? Retention time Public Records Act 2005 General Disposal Authorities Health (Retention of Health Information) Regulations 1996

Confidentiality clause in contract with disposal company

Destruction of hard drives – degaussing, physical destruction

What to do with information after death of clinician – destroy, return, next-of-kin?

Retention time

Public Records Act 2005

General Disposal Authorities

Health (Retention of Health Information) Regulations 1996

So, what should I do? Assign Responsibility Develop a Plan Conduct a Risk Analysis Develop Security Policies Implement Administrative, Physical and technical Controls Develop and Deliver a Security Training and Awareness Program Develop an Ongoing Security Monitoring Process

Assign Responsibility

Develop a Plan

Conduct a Risk Analysis

Develop Security Policies

Implement Administrative, Physical and technical Controls

Develop and Deliver a Security Training and Awareness Program

Develop an Ongoing Security Monitoring Process

When it goes wrong: Complaints and Investigation Privacy Commissioner has power to investigate complaints of breach PC investigates as neutral party Complainant needs to have suffered adverse consequence (“harm”) Loss or misuse of data doesn’t always = breach of rule 5 Privacy policy and training relevant, but must be carried out Finding of breach => can end up in Human Rights Review Tribunal Maximum jurisdiction = $200,000

Privacy Commissioner has power to investigate complaints of breach

PC investigates as neutral party

Complainant needs to have suffered adverse consequence (“harm”)

Loss or misuse of data doesn’t always = breach of rule 5

Privacy policy and training relevant, but must be carried out

Finding of breach => can end up in Human Rights Review Tribunal

Maximum jurisdiction = $200,000

When it goes wrong: Privacy Breach Notification Contain and assess breach Evaluate risks Consider or undertake notification Put future prevention strategies in place

Contain and assess breach

Evaluate risks

Consider or undertake notification

Put future prevention strategies in place

Contact Telephone: Wellington (04) 474 7590 Auckland (09) 302 86 80 Enquiries hotline: 0800 803 909 Email: [email_address] Internet address: http://www. p rivacy. o rg.nz

Telephone: Wellington (04) 474 7590

Auckland (09) 302 86 80

Enquiries hotline: 0800 803 909

Email: [email_address]

Internet address: http://www. p rivacy. o rg.nz