
Privacy & Security

By Saif Abed | 10:02 am | January 22, 2019
Dr Saif Abed, founding partner of health IT consultancy AbedGraham, looks at the new 10-year plan for the National Health Service in England.
By Diana Manos | 04:16 pm | January 18, 2019
The whole point of electronic health records is to facilitate the sharing of patient data, but that is still difficult, not just because interoperability hasn't been fully achieved, but also because matching patient records is still not easy to achieve – putting patients at risk of incorrect care and also posing privacy concerns, according to a new report by the Government Accountability Office.

The report, titled "Approaches and Challenges to Electronically Matching Patients' Records across Providers," says there are two ways that records fail to be matched accurately:

Records for different patients are mistakenly matched. When this happens, health, safety and privacy are in jeopardy. A provider may use diagnosis or medication information for the wrong patient. Or, if the wrong patient's medical information is added to another patient's record, the first patient's privacy has been breached.

Records for the same patient are not matched. When medical records for the same patient are not matched, providers don't have all the information they need to provide proper care.

For the study, GAO interviewed representatives from physician practices and hospitals to find out how they match patient records. Some of them told GAO they have worked to improve the consistency with which they format demographic data in their electronic health records. Multiple stakeholders said no single effort would solve the challenge of patient record matching.

Stakeholders suggested these general ways the healthcare community could improve how patient records are matched: implement common standards for recording demographic data; share best practices and other resources; and develop a public-private collaboration to improve matching.

When it comes to the role the Office of the National Coordinator for Health IT (ONC) should play, most interviewed for the survey weren't sure. However, some suggested that ONC could require demographic data standards for health IT certification, while others said the agency should push voluntary adoption of the standards.

WHY IT MATTERS

Healthcare providers are increasingly sharing patients' health records electronically. When a patient's records are shared with another provider, it is important to accurately match them to the correct patient. GAO and others have reported that accurately matching patient health records is a barrier to health information exchange. GAO cites a 2014 study that found that as few as 50 percent of records are accurately matched when organizations exchange information. In the American Hospital Association's 2017 survey, 45 percent of large hospitals reported that difficulties in accurately identifying patients across health IT systems limited health information exchange.

THE LARGER TREND

GAO points out how important industry standards are for entering names and identifying data into an EHR, and recommends ONC's Interoperability Standards Advisory Reference as a way to ensure accurate matching. The latest version was just released Jan. 15, and was based on 74 comment letters, including nearly 400 individual recommendations for revisions. A standards-based health ecosystem is also critical, and this year's HIMSS Global Conference and Exhibition's Interoperability Showcase next month in Orlando will feature 82 organizations demonstrating 121 health IT systems across 16 different use-cases. The showcase is designed to get at the heart of what the true value of interoperability really is, said Christel Anderson, senior director, interoperability initiatives, at HIMSS.

Diana Manos is a Washington, D.C.-area freelance writer specializing in healthcare, wellness and technology. Twitter: @Diana_Manos. Healthcare IT News is a HIMSS Media publication.
By Dean Koh | 10:23 pm | January 16, 2019
Minister for Health Gan Kim Yong delivered a ministerial statement on the Committee of Inquiry (COI) report on the SingHealth cyberattack in the Singapore Parliament on January 15 2019. In the statement, he said that the Ministry of Health (MOH) has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and Integrated Health Information Systems (IHiS), the IT agency for the Ministry. He also outlined four key responses to the COI report’s recommendations.

The first is enhancing governance and organisational structures, as there is a “need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting the Ministry’s healthcare IT strategy.” At MOH, the Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS, but these roles will be separated. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to protect Critical Information Infrastructure in the healthcare sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance. At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The GCIO office will be adequately resourced to carry out its role. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and be accountable to the IT and Risk Management Committees of the cluster Boards.

Secondly, a cybersecurity model with multiple lines of defence will be put in place. A more robust ‘Three Lines of Defence’ structure within public healthcare will comprise the following:

The first line comprises units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. MOH will strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring.

The second line of defence comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. MOH will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations.

The third line of defence comprises checks and assurances independent of IHiS and the healthcare clusters, and independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. MOH also intends to commission and tap on independent third parties where appropriate.

The third aspect would be improving the cybersecurity awareness and capacity of staff. Starting this year, IHiS will engage specialist providers to conduct realistic hands-on “Cyber Range” simulation training to raise the competence of their security incident response personnel. IHiS also intends to learn from GovTech’s bug bounty and vulnerability disclosure programmes and start similar efforts.

Lastly, a tiered model of Internet access will be considered. In its report, the COI recommended that an internet access strategy which minimises exposure to external threats should be implemented. Following the cyberattack, temporary Internet Surfing Separation (ISS) was implemented across Singapore’s public healthcare sector. However, the implementation of ISS has posed several challenges in the provision of patient care in some areas such as emergency care, decision-support for prescriptions and treatments, access to patient education resources, and booking of clinical appointments. ISS also caused delays to frontline patient management and backend administrative tasks. Research and education initiatives in the public healthcare institutions have also been impacted by ISS.

The current model of ISS is still workable, but there need to be longer-term solutions that are more efficient and sustainable. One such solution is the “virtual browser”, which allows access to the Internet through strictly controlled and monitored client servers. The client server acts like a decontamination room in which a file is opened and only an image/copy of the file is taken and sent to the recipient. In this manner, any malicious material or hidden content is ‘left behind’ in the decontamination room, greatly reducing cybersecurity risks.

This “virtual browser” pilot will begin in the first quarter of 2019 at the National University Health System. “Virtual browsers” will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists and emergency department clinicians. The conduct and evaluation of the pilot is expected to take about 6 months, and MOH will work closely with the Cybersecurity Agency of Singapore (CSA) to assess the cybersecurity adequacy of the solution. The effectiveness of the virtual browser will also be assessed.
Mandatory contributions to the National Electronic Health Record (NEHR) system will continue to be deferred as it is undergoing a series of cybersecurity assessments conducted by the CSA, GovTech, and independent firm PwC. The NEHR will also be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as business continuity and disaster recovery plans.
Connected Health
By HIMSS TV | 03:25 pm | January 16, 2019
Aimee van Wynsberghe, co-founder of the Foundation for Responsible Robotics, looks at what we should do with robotics to improve life for patients and caregivers.
By Tom Sullivan | 10:06 am | January 15, 2019
Without proper documentation for government regulators, infosec protocols might safeguard data without meeting federal criteria.
By Tom Sullivan | 10:04 am | January 15, 2019
The speciality exhibit will have 90 booths, two theaters, nearly 60 education sessions and eight challenge opportunities to test your infosec chops.
By Dean Koh | 03:10 am | January 15, 2019
Following the release of the public report by the Committee of Inquiry (COI) into the SingHealth cyberattack, which occurred in July 2018, and Integrated Health Information Systems (IHiS) taking disciplinary action against staff members involved in the incident and members of the senior management team, the Personal Data Protection Commission (PDPC) has imposed financial penalties on both IHiS and SingHealth, according to an official statement. The PDPC administers the Personal Data Protection Act 2012 (PDPA) in Singapore, which aims to safeguard individuals’ personal data against misuse and promote proper management of personal data in organisations.

PDPC’s investigations into the data breach arising from the cyberattack on SingHealth’s patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. PDPC has imposed a financial penalty of S$750,000 on IHiS. A financial penalty of S$250,000 has also been imposed on SingHealth as the owner of the patient database system. PDPC found that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand, and to take further steps to understand, the significance of the information provided by IHiS after it was surfaced.

These financial penalties (a total of S$1 million) are the highest ever imposed by PDPC to date. PDPC took into account the fact that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data. In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions.
PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an Advanced Persistent Threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.
By Dean Koh | 05:54 am | January 14, 2019
The IHiS Board of Directors appointed an independent human resource panel to examine the roles, responsibilities and actions of the IHiS staff involved, and assess the appropriate HR actions to be taken.