Australian Government - Office of the Australian Information Commissioner
eHealth system — access security controls of seven healthcare provider organisations

Privacy assessment report
Australian Privacy Principles assessment
Section 33C of the Privacy Act 1988

Assessments undertaken: December 2014 to April 2015
Final report issued: October 2015

Part 1 — Introduction

1.1 This report outlines the findings of an assessment by the Office of the Australian Information Commissioner (OAIC) of the access security controls employed by seven General Practice clinics (GP clinics) when their staff access the personally controlled electronic health record system (eHealth system).

1.2 The OAIC examined the relevant policies and procedures used by each GP clinic and the implementation of those policies regarding how the eHealth system is accessed, how that access is controlled and monitored, and how risks to the security of personal information are identified and managed.

1.3 The OAIC has made six recommendations that, if put in place by the seven GP clinics, will in the OAIC's opinion minimise the risks identified around how the security of personal information is managed. These are set out in the report and summarised at Part 2.

1.4 The recommendations in this assessment report may serve as a guide for other Healthcare Provider Organisations (HPOs) in developing or revising their own information security policies and procedures for accessing the eHealth system.

Part 2 — Summary of findings and recommendations

Summary of findings

2.1 The findings of the OAIC’s assessment show that all of the assessed GP clinics:

  • have procedures for oversight, accountability and lines of authority for decisions regarding personal information security
  • have to some degree policies and procedures in place which govern information security
  • have password mechanisms in place for their ICT systems
  • provide some privacy and eHealth system training to new staff as part of their induction process.

2.2 However, the OAIC's findings also raise a number of privacy issues, which are set out in this report under the following headings:

  • Policies and procedures
  • Access to the eHealth system
  • Monitoring access – lack of audit log capability
  • Regular and ongoing privacy and eHealth access training
  • Risk assessments into eHealth system access

2.3 In summary, the assessors identified the following high or medium risks that the assessed GP clinics need to address in order to meet the requirements of the PCEHR[1] Rules 2012 (Cth) (PCEHR Rules), which set out the access control mechanisms and other security requirements that apply to HPOs using the eHealth system, and Australian Privacy Principle (APP) 11, which deals with the security of personal information:

  • There is a high risk that one of the GP clinics assessed is not meeting the requirements of Rule 25 of the PCEHR Rules as they did not have (at the time of fieldwork) a written policy which reasonably addresses how the GP clinic authorises people to access the eHealth system.

  • There is a medium risk that the eHealth policies of the other six GP clinics assessed may not properly address all of the issues required under Rule 25 of the PCEHR Rules.

  • There is a medium risk in all assessed GP clinics of unauthorised access to the eHealth system due to passwords not being regularly reviewed and/or not being strong enough.

  • In all assessed GP clinics there is a risk that, when a patient who has a PCEHR document or record code in place (locking part or all of their eHealth record) provides that code to a doctor to unlock the record, the code may not be handled and disposed of appropriately, as none of the GP clinics had included in their policies a procedure for handling these codes.

    At present there is a low risk that a patient's document or record code may be retained and used in the future without the appropriate authorisation, as only one of the GP clinics assessed by the OAIC had a patient who had locked down part of their eHealth record. However, a risk that is low today may become medium or high if use of the eHealth system increases significantly.

  • Those GP clinics assessed that do not have a process for handling privacy complaints face a medium risk that unauthorised access to the eHealth system may not be addressed promptly, or at all. This may result in greater harm to the individual who is making the complaint or whose information has been mishandled.

  • There is a medium risk that staff in many of the GP clinics assessed may not be properly informed about the requirements of the Privacy Act and their privacy obligations when accessing the eHealth system, as their policies are out of date and are not regularly reviewed. In particular, not all of the GP clinics reviewed their Rule 25 policies annually as required by Rule 25.

  • Generally, the GP clinics assessed face a medium risk of unauthorised access to the eHealth system, as they have staff members who are able to access the system but who either have no operational need for it or have chosen not to use it.

  • There is a medium risk that unauthorised persons could access personal information on unattended computers which have eHealth records open and whose screensavers do not require a logon to be dismissed.

  • There is a medium risk that the lack of regular and ongoing refresher eHealth and privacy training by assessed GP clinics may lead to a GP clinic’s staff not being fully aware of their privacy and security obligations when accessing the eHealth system, especially if new functionality is added or significant changes are made to the eHealth system in the future.

  • There is also a medium risk of staff in the assessed GP clinics:
    • missing out on eHealth system and privacy training opportunities; or
    • receiving training when they do not have an immediate need for it, for example staff undertaking training even though they recently completed it.

    This is due to a lack of consistent recording by the assessed GP clinics about privacy and eHealth system training undertaken by their staff. Principal GPs and practice managers (who are responsible for ensuring that their staff are adequately trained) may not be fully aware of their staff’s training needs. This could result in wrong decisions being made about which staff members should receive training for the first time or when a staff member is due for refresher training.

  • GP clinics assessed may not be conducting appropriate risk assessments of access to the eHealth system and, more generally, of their ICT systems. Accordingly, the assessed GP clinics may not be aware of all relevant security risks, including threats and vulnerabilities and their possible impacts, when their staff access the eHealth system. As security risks can change very quickly, there is a medium risk that the security controls used by the assessed GP clinics may become out of date.

Summary of recommendations

2.4 The OAIC makes the following recommendations to address the issues discussed in Part 6 of this report:

Recommendation 1 — review and update policies and procedures

2.5 The OAIC recommends that assessed GP clinics undertake a review of all relevant policies so that they:

  • specifically, in relation to the eHealth policy required under the PCEHR Rules, ensure the policy:
    • clearly sets out the GP clinic’s current security controls and procedures for accessing the eHealth system and reflects requirements under the PCEHR Rules (in particular Rule 25)
    • contains information on when the policy was previously updated (version numbers and dates of previous versions, as required under Rule 25(6)(b))
  • review the eHealth policy at least annually (as required under Rule 25(6)(c)) to ensure the policy's relevance and accuracy. HPOs should also review the policy if any material new or changed risks are identified
  • accurately and consistently reflect obligations under the Privacy Act (in particular APP 11), the PCEHR Act and the PCEHR Rules (specifically Rule 25) to protect personal information when staff access the eHealth system
  • include a process for destroying eHealth system document and record codes
  • if the GP clinic has not already done so, record the different levels of individual staff access to their ICT systems including access to the eHealth system
  • set out a policy for regularly reviewing the passwords/passphrases used to access its ICT systems, including the clinical software system, and ensure passwords are regularly changed and sufficiently complex. Passwords and passphrases should be complex enough that others cannot guess them, for example by using a combination of letters, numbers and symbols, or by using a passphrase
  • outline a process for dealing with eHealth access related privacy breaches and for handling any complaints which may arise from those breaches, if the GP clinic has not already done so. Good privacy practice would involve having a policy which addresses all privacy breaches and complaints, not just those which relate to eHealth system access
  • include accurate and up to date references to the eHealth system, the Privacy Act and other privacy obligations, in relation to their practice manuals and other policies.

Recommendation 2 — consider restricting access to users of the eHealth system

2.6 To minimise the risk of access without a patient’s consent or without other authority, the assessed GP clinics should consider limiting internal access to personal information in an eHealth record to those staff who are using or intend to use the eHealth system. Each practice should regularly assess staff’s need for access to the eHealth system in light of their use or intended use of the system and clinical needs.

Recommendation 3 — change screensaver settings on computers

2.7 The OAIC recommends that the assessed GP clinics review the settings on computers used to access the eHealth system so that users are required to enter their user name and password to deactivate screensavers.
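
The following is an added example, not part of the OAIC report, of how Recommendation 3 can be applied and checked on a Windows workstation. It assumes the workstation runs Windows with PowerShell 5.1 or later (Medical Director, Best Practice and ZedMed are Windows products) and uses the Group Policy registry path, which an ordinary user cannot override from the Control Panel. The 300-second timeout is an assumed value for the practice to set in its own policy.

```powershell
# Added example (not from the OAIC report). Sets and checks a password-protected
# screensaver for the current Windows user through the Group Policy registry path.
# Assumes a Windows workstation and PowerShell 5.1 or later; the timeout is an assumption.

$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey        = 'HKCU:\Control Panel\Desktop'
$TimeoutSeconds = 300

function Set-SecureScreenSaver {
    param([int]$Timeout = $TimeoutSeconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # All four values are REG_SZ, matching what the Group Policy editor writes for
    # User Configuration > Administrative Templates > Control Panel > Personalization.
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$Timeout" -Type String
    # The blank screensaver shipped with Windows; any .scr works once IsSecure is set.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr" -Type String
}

function Test-SecureScreenSaver {
    param([int]$MaxTimeout = $TimeoutSeconds)
    # The policy key takes precedence over the user's own settings when it exists,
    # so report whichever key is actually in force.
    foreach ($key in @($PolicyKey, $UserKey)) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        if ($null -eq $p.ScreenSaveActive) { continue }
        $timeout = [int]$p.ScreenSaveTimeOut
        $ok = ($p.ScreenSaveActive -eq '1') -and
              ($p.ScreenSaverIsSecure -eq '1') -and
              ($timeout -gt 0) -and ($timeout -le $MaxTimeout)
        return [pscustomobject]@{
            Source = $key; Active = $p.ScreenSaveActive; Secure = $p.ScreenSaverIsSecure
            Timeout = $timeout; Compliant = $ok
        }
    }
    # Neither key set: the saver is off, which is the non-compliant case the report describes.
    return [pscustomobject]@{ Source = 'none'; Active = $null; Secure = $null; Timeout = 0; Compliant = $false }
}

Set-SecureScreenSaver
Test-SecureScreenSaver | Format-List
```

Test-SecureScreenSaver on its own is a suitable spot check to run during the annual policy review, since it reports the key that is actually in force rather than the one the practice believes it set. On Windows 8 and Server 2012 or later the machine-wide setting "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) locks the session regardless of screensaver settings and is the better control where the practice manages the machines centrally. Two caveats a practitioner would add: a locked screen protects an unattended session but does not log the clinical software out, so staff should still lock the workstation (Win+L) when they leave a consulting room, and a very short timeout in a consulting room will be worked around unless the practice settles on a value its staff can live with.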

Recommendation 4 — regular and ongoing privacy and eHealth system access training

2.8 The OAIC recommends that the assessed GP clinics implement a formal training program where all staff requiring eHealth system access undergo regular and ongoing privacy and eHealth system access training.

Recommendation 5 — record all eHealth system training

2.9 The OAIC recommends that the assessed GP clinics establish and maintain a record of instances where individual staff members have received and completed internal or external privacy and eHealth system access training.

Recommendation 6 — annual risk assessments into eHealth system access

2.10 The OAIC recommends that the assessed GP clinics:

  • confirm, whether through their accreditation process or by some other method, that they undertake a risk assessment of their ICT systems and that it includes an examination of the privacy and security risks associated with eHealth system access
  • consider conducting an annual risk assessment of ICT security and eHealth system access, to complement any risk assessments undertaken as part of the practice accreditation process or otherwise
  • document all risk assessments appropriately.

Part 3 — Background

The eHealth system

3.1 The eHealth system commenced operation on 1 July 2012. The eHealth system was established by, and is regulated under, the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act), the PCEHR Rules, the Personally Controlled Electronic Health Records Regulation 2012 (Cth) (PCEHR Regulations) and the PCEHR (Participation Agreement) Rules 2012.

3.2 The System Operator (currently the Secretary of the Department of Health) is responsible for the operation and management of the eHealth system. Consumers can apply to the System Operator to register for an eHealth record. When a consumer registers for an eHealth record they are consenting to have their health information uploaded to their eHealth record by Healthcare Provider Organisations (HPOs) involved in their care. To view their patients' eHealth records, HPOs need to register to participate in the eHealth system.

3.3 Each HPO appoints staff to undertake two key roles in relation to the eHealth system - the ‘responsible officer’ (RO) and the ‘organisation maintenance officer’ (OMO). An RO has authority to act on behalf of the HPO in its dealings with the System Operator. The RO has primary responsibility for their HPO’s compliance with participation requirements in the eHealth record system. The OMO’s primary role is to undertake the day to day administrative tasks in relation to the eHealth system. An HPO can have multiple OMOs. An OMO needs to be someone who is familiar with the ICT systems used by the HPO.[2]

The Privacy Act, the APPs and the PCEHR Rules

3.4 The Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act) generally regulate a HPO’s handling of consumers’ personal information. In addition, the PCEHR Rules (specifically Part 5, Division 2) set out the security requirements that HPOs must comply with to be eligible to be registered and to remain registered under the eHealth system.

Part 4 — Description of assessment

Overview of HPOs assessed

4.1 The OAIC assessed seven GP clinics, who are also registered HPOs and users of the eHealth system. The assessment reviewed the policies and procedures of each GP clinic relevant to their use of the eHealth system, in particular the security measures used by the GP clinics to control access to the eHealth system by their staff.

4.2 The assessment targets were determined from data provided by the System Operator after consideration of factors including the amount of upload and download activity undertaken by the assessed GP clinics and their relative size.

4.3 The assessed GP clinics ranged from smaller medical practices of four doctors to larger practices of just over 20 doctors based in NSW and Victoria. No sole practitioners were involved in the assessment.

4.4 All seven assessed GP clinics have staff who were or are users of the eHealth system.

Objective and scope

4.5 The assessment was conducted under s 33C(1)(a) of the Privacy Act which allows the OAIC to assess whether personal information held by an entity is being maintained and handled in accordance with the APPs. The objective of this assessment was to assess whether the security controls employed by the GP clinic when its staff access the eHealth system are consistent with:

  • APP 11 in respect of the reasonable steps taken to protect the information from misuse, interference and loss; and from unauthorised access, modification or disclosure.[3]
  • Security requirements set out in the PCEHR Rules, specifically Division 2 of Part 5 of the PCEHR Rules.

4.6 The scope of the assessment involved a consideration of whether relevant policies and procedures used by the assessed GP clinics and the implementation of those policies are reasonable in the circumstances in relation to how the eHealth system is accessed by their staff; how that access is controlled and monitored, and how risks are identified and managed.

Timing, location and methodology

4.7 The assessment was conducted over the period from early December 2014 to April 2015. Each GP clinic assessed was asked to provide information to the OAIC; this included copies of relevant policies and procedures and details of access controls relevant to the GP clinic’s access to and use of the eHealth system. The information request is set out in Appendix A. The assessors then conducted the fieldwork component of the assessment at the premises of each HPO which included:

  • review of documents, including policies and procedures provided by that HPO
  • interviews with relevant HPO staff, usually the OMO and RO, particularly to test the implementation of those policies and procedures.

Assessment technique

4.8 The assessments of the GP clinics were risk based in that they focussed on identifying the privacy risks to the effective handling of personal information by the GP clinics in accordance with relevant legislation.

4.9 The OAIC identified risks and, where they were considered high or medium risks, made recommendations to each assessed GP clinic in individual reports about how to address those risks.

4.10 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ at Appendix B. Further detail on this approach is provided in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

Privacy risks

4.11 This report sets out a discussion of the privacy risks identified in these assessments and makes a series of recommendations. While the findings and recommendations relate to the assessed GP clinics, they contain helpful information for all GP clinics using the eHealth system to consider. These recommendations are set out in the body of this report and summarised in Part 2.

Reporting

4.12 This report is a consolidated report of the findings made in assessments of seven GP clinics. Each assessed GP clinic was provided with an individual privacy assessment report which has not been published. This report summarises the findings across those assessments. Individual GP clinics are not identified in this report.

Part 5 — General observations

5.1 The assessors made the following general observations in relation to the seven assessed GP clinics.

Use of the eHealth system

5.2 In all seven assessed GP clinics, irrespective of their size, only a minority of patients have eHealth records.

5.3 Only one GP clinic had patients with eHealth records that have a PCEHR document or record code in place for locking parts or all of their eHealth record.

5.4 In all assessed GP clinics, authorised staff access the eHealth system by using conformant clinical computer software that is installed on their ICT systems. Four GP clinics used Medical Director, two used Best Practice and one used ZedMed.

5.5 All but one of the assessed GP clinics informed the assessors that they relied heavily on their Medicare Local[4] for assistance on eHealth matters, and that this assistance was a key factor in their decision to participate in the eHealth system. Assistance to the assessed GP clinics involved providing:

  • training for staff on how to use the eHealth system
  • guidance with the development of relevant policies
  • assistance with the registration of consumers.

Governance

5.6 All seven assessed GP clinics have procedures for oversight, accountability and lines of authority for decisions regarding personal information security. In five assessed GP clinics, privacy, ICT security and eHealth related matters (including the development of eHealth policies) were mainly the responsibility of the practice manager, with some support from a principal GP and/or external ICT consultants.

5.7 In one GP clinic responsibility for these matters lay with the principal GP, with support from the practice manager. In another clinic the responsibility was split between two staff members.

5.8 In five GP clinics the same individual acts as both the RO and OMO in addition to the other non-eHealth related duties undertaken by these individuals.

5.9 All seven assessed GP clinics informed the assessors that they had not received any privacy complaints and were not aware of any privacy breaches regarding the eHealth system.

Part 6 — Privacy issues

6.1 The findings of the OAIC's assessment raise a number of privacy issues, which are set out below under the following headings:

  • Policies and procedures
  • Access to the eHealth system
  • Monitoring access – lack of audit log capability
  • Regular and ongoing privacy and eHealth access training
  • Risk assessments into eHealth system access

6.2 These privacy issues relate to the OAIC’s consideration of the relevant eHealth system access security policies and procedures used by the seven assessed GP clinics, and the implementation of those policies against the security requirements of APP 11 and the PCEHR Rules.

6.3 For each issue we have outlined the OAIC’s observations, the privacy risks arising from these observations and the OAIC’s recommendations to address those risks.

6.4 The recommendations are based on the observations and risks observed across the seven assessed GP clinics and provide useful guidance for all HPOs using the eHealth system.

Policies and procedures

6.5 Under Rule 25 of the PCEHR Rules, an HPO must have a policy which reasonably addresses the following issues:

  • the manner of authorising persons accessing the eHealth system via or on behalf of the HPO, including the manner of suspending and deactivating the user account of any authorised person:
    • who leaves the HPO;
    • whose security has been compromised; or
    • whose duties no longer require them to access the eHealth system (Rule 25(4)(a))
  • the training that will be provided before a person is authorised to access the eHealth system (Rule 25(4)(b))
  • the process for identifying a person who requests access to a consumer’s eHealth record and communicating the person’s identity to the System Operator so that the HPO is able to meet its obligations under section 74 of the PCEHR Act (Rule 25(4)(c))
  • the physical and information security measures it uses when accessing the eHealth system. This includes user account management measures required under Rule 27. Under Rule 27 an HPO has to uniquely identify individuals using its ICT systems to access the eHealth system (Rule 25(4)(d))
  • mitigation strategies to ensure eHealth system related security risks can be promptly identified, acted upon and reported to the HPO's management (Rule 25(4)(e))
  • additional form requirements outlined in Rule 25(6), including:
    • a requirement that each new version of the eHealth system policy needs to contain a unique version number and the date when that version came into effect (Rule 25(6)(b))
    • ensure that the policy is reviewed at least annually and when any material new or changed risks are identified. Rule 25(6)(c) also lists particular factors which the review must consider, for example any relevant legal or regulatory changes that have occurred since the last review.

6.6 Under APP 11, an HPO should document the internal practices, procedures and systems that it uses to protect personal information when its staff access the eHealth system. An HPO’s documentation should outline the personal information security measures that are established and maintained against the risks and threats to personal information.

Observations

eHealth policies

6.7 All of the assessed GP clinics have to some degree policies and procedures in place which govern information security. There were differences in the extent that these policies and procedures were in writing and communicated to their staff.

6.8 Six of the seven assessed GP clinics provided the OAIC with an eHealth policy (required under the PCEHR Rules) when the fieldwork component of the assessment was conducted. It appears that one GP clinic created and two GP clinics updated their eHealth policy after the OAIC contacted them about the assessment.

6.9 At the time of fieldwork, two assessed GP clinics had not regularly reviewed their policies as required under PCEHR Rule 25(6)(c).

Handling of eHealth system privacy breaches and complaints

6.10 A majority of the assessed GP clinics have some form of written process that deals with privacy breaches and complaints. Some assessed GP clinics have their process stated in their policy and procedure manuals; others have copies of the PCEHR Breach Report template developed by Medicare Locals (see Appendix C) and they advised the assessors of their intention to use it in the event of an eHealth system related privacy breach.

Policy and procedure manuals

6.11 All the assessed GP clinics have extensive policy and procedure manuals which set out all the policies applicable to their practice, including the handling of personal information. The OAIC observed that these manuals often contain incorrect or out of date privacy references. For example, several manuals referenced the National Privacy Principles (NPPs), which no longer exist; one manual referred to Victorian legislation even though the practice was based in New South Wales; others referred to the 'Commonwealth-Privacy Amendment (Private Sector) Act 2000' where the appropriate reference is the Privacy Act 1988 (Cth). The eHealth system was not mentioned in any of the manuals supplied to the assessors.

ICT security policies

6.12 In addition to their eHealth policies and their general policy and procedure manuals, five assessed GP clinics had separate ICT security policies. Two assessed GP clinics used the RACGP's Computer and information security template in developing their information security policies. This template applies the RACGP's Computer and information security standards (CISS), which discuss privacy, information security and eHealth matters. However, neither clinic had fully completed the template.

6.13 Another assessed GP clinic noted that it required more specific information security guidance than what was provided in the CISS and, therefore, rather than completing the RACGP’s template developed its own ICT security policy document.

Documenting access levels

6.14 Two GP clinics did not properly document or regularly update registers which set out the levels of systems access granted to individual staff members.
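
The register described at 6.14, the account deactivation requirement in Rule 25(4)(a) (see 6.5) and the need-to-access review in Recommendation 2 all come down to the same recurring check: does the list of people the practice says have access match the accounts that actually exist? The following is an added example, not part of the OAIC report, of that reconciliation for a Windows workstation. It assumes the LocalAccounts module (Windows 10 or Server 2016 and later), that users permitted to use the clinical software's eHealth functions are placed in a local group, and a register format of the editor's own design; the group name 'eHealth Users', the column names and the register rows are all assumptions, and the register CSV and the "observed" accounts are constructed so the check runs without touching a live system.

```powershell
# Added example (not from the OAIC report): reconcile a practice's documented access
# register against the accounts that actually exist on a workstation. Assumes a Windows
# workstation with the LocalAccounts module and a local group holding eHealth-capable users;
# the group name, the register format and all sample rows are assumptions for illustration.

$EHealthGroup = 'eHealth Users'

# Constructed register; in practice read this with Import-Csv from the practice's own file.
$RegisterCsv = @'
Account,Name,Role,EHealthAccess,Status
jsmith,Jane Smith,GP,Yes,Active
rlee,Rob Lee,Practice Nurse,Yes,Active
mchan,Mei Chan,Receptionist,No,Active
pold,Pat Old,GP,Yes,Left 2015-02-01
'@

function Get-AccessRegister([string]$Csv) { $Csv | ConvertFrom-Csv }

function Get-ObservedAccounts {
    # Live data: every local account, excluding Windows' own built-in accounts (which need
    # their own review), plus membership of the eHealth group. On a domain substitute
    # Get-ADUser and Get-ADGroupMember.
    $members = @{}
    try {
        Get-LocalGroupMember -Group $EHealthGroup -ErrorAction Stop |
            ForEach-Object { $members[($_.Name -split '\\')[-1]] = $true }
    } catch { }
    Get-LocalUser |
        Where-Object { $_.Name -notin 'Administrator','Guest','DefaultAccount','WDAGUtilityAccount' } |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.Name; Enabled = $_.Enabled; InEHealthGroup = [bool]$members[$_.Name] }
        }
}

function Compare-AccessRegister {
    param([object[]]$Register, [object[]]$Observed)
    $findings = @()
    $byAccount = @{}
    foreach ($r in $Register) { $byAccount[$r.Account.ToLower()] = $r }

    foreach ($o in $Observed) {
        $r = $byAccount[$o.Account.ToLower()]
        if (-not $r) {
            $findings += "UNDOCUMENTED: account '$($o.Account)' exists but is not in the register"
        } elseif ($r.Status -ne 'Active' -and $o.Enabled) {
            $findings += "NOT DEACTIVATED: '$($o.Account)' is enabled but the register says '$($r.Status)'"
        } elseif ($o.InEHealthGroup -and $r.EHealthAccess -ne 'Yes') {
            $findings += "EXCESS ACCESS: '$($o.Account)' can use eHealth but the register records no operational need"
        } elseif ($r.EHealthAccess -eq 'Yes' -and $o.Enabled -and -not $o.InEHealthGroup) {
            $findings += "REGISTER STALE: '$($o.Account)' is recorded as an eHealth user but is not in the group"
        }
    }
    foreach ($r in $Register) {
        if ($r.Status -eq 'Active' -and -not ($Observed | Where-Object { $_.Account -ieq $r.Account })) {
            $findings += "REGISTER STALE: '$($r.Account)' is listed as active but no account exists"
        }
    }
    return $findings
}

# Constructed observation so the comparison runs offline; replace with Get-ObservedAccounts.
$Observed = @(
    [pscustomobject]@{ Account = 'jsmith'; Enabled = $true; InEHealthGroup = $true  },
    [pscustomobject]@{ Account = 'rlee';   Enabled = $true; InEHealthGroup = $true  },
    [pscustomobject]@{ Account = 'mchan';  Enabled = $true; InEHealthGroup = $true  },  # excess access
    [pscustomobject]@{ Account = 'pold';   Enabled = $true; InEHealthGroup = $true  },  # left, never disabled
    [pscustomobject]@{ Account = 'temp1';  Enabled = $true; InEHealthGroup = $false }   # never documented
)
Compare-AccessRegister -Register (Get-AccessRegister $RegisterCsv) -Observed $Observed
```

Run against the constructed data this reports the three conditions the report is concerned with: a receptionist with eHealth access but no operational need (Recommendation 2), a departed GP whose account was never disabled (Rule 25(4)(a)), and an account nobody wrote down (6.14). The value of the check is that it is cheap enough to run at every staff change and at the annual policy review, which is what keeps the register from drifting out of date. The OS-level view is only half the picture: the clinical software's own user list (Medical Director, Best Practice and ZedMed each maintain their own) should be exported and reconciled the same way, since that is where eHealth access is actually exercised.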

Handling of PCEHR document and record codes

6.15 The assessors were informed by most of the assessed GP clinics that if a patient had a PCEHR document or record code in place for locking parts or all of their eHealth record and it was provided to a doctor to unlock their eHealth record, it would be destroyed immediately. However none of the GP clinics had included in their policies a process for how these codes should be handled by their staff.

Password mechanisms

6.16 Some, but not all, of the assessed GP clinics required strong passwords and monitored their use. A small number of assessed GP clinics keep a master copy of passwords (usually with the practice manager).

6.17 All the assessed GP clinics generally have the following password mechanisms for their ICT systems:

  • Firstly, access to a user’s computer requires a unique password made up of a combination of letters and numbers (except for one GP clinic where access to computers generally did not require a unique password, but access to relevant applications on the computer, such as email, did require a password).
  • Secondly, another password is required to access the clinical software system.
  • In the majority of assessed GP clinics, staff authorised to access the clinical software are not required to update their second, clinical software password at set intervals; this is left to the individual user. However, in all seven GP clinics the practice manager or principal GP reminds or prompts staff to do so regularly, though it is unclear how this is enforced.
  • Password strength requirements (a combination of numbers, symbols and letters) vary across the seven assessed GP clinics, especially for the second, clinical software password, with some clinics requiring stronger passwords than others.

Confidentiality agreements

6.18 In all seven assessed GP clinics, doctors have to sign a confidentiality form when they begin their employment. None of the forms viewed by the assessors refer to the eHealth system.

Privacy risks

Meeting PCEHR Rules requirements

6.19 The assessors are of the view that having a policy in place that complies with Rule 25 is one way that the assessed GP clinics can gain some confidence regarding their security practices under APP 11. However, complying with the PCEHR Rules does not of itself mean that the assessed GP clinics have taken reasonable steps to protect personal information. It may be a reasonable step, but an assessed GP clinic may also need to take further action to meet the security obligations under APP 11.

6.20 The assessors are of the view that it is best privacy practice to have a separate eHealth policy (either as its own section within an existing policy document or as a new stand-alone document). At a minimum, the sections of policies that are intended to meet the requirements of Rule 25 must be specifically identified, and a separate note should direct the reader to those sections so that the reader can see that the requirements of Rule 25 are being met.

6.21 There is a high risk that one assessed GP clinic is not meeting the requirements of Rule 25 of the PCEHR Rules as they did not have (at the time of fieldwork) a written policy which reasonably addresses the requirements of PCEHR Rule 25, including setting out the physical and information security measures it uses when accessing the eHealth system (either as a standalone document or by reference to material in its other policies).

6.22 The other six assessed GP clinics have written eHealth policies. These policies appear to be based on an eHealth security and access policy template created by Medicare Locals. Most of the eHealth policies reviewed by the assessors depart little from the template, which means they use generic language not specific to the practice they relate to. There is therefore a medium risk that a policy may not properly address all of the issues required under Rule 25 of the PCEHR Rules, because it has not been amended to reflect the way that particular GP clinic's staff access the eHealth system.

6.23 There is also a medium risk that several assessed GP clinics are not meeting the PCEHR Rules requirement to record different versions of the eHealth policy as some were not able to present the assessors with a record that showed when the policy was previously updated. Some practices utilised the PCEHR Version Register developed by Medicare Locals to fulfil this requirement. This also suggests a medium risk that eHealth policies are out of date and therefore may not be meeting the requirements of the PCEHR Rules to regularly update their eHealth policies.

Regularly review and use strong passwords

6.24 There is a medium risk within all the GP clinics assessed that passwords are not regularly reviewed and are not strong enough. Where possible, computers and software should be configured to require passwords to be changed at regular intervals. Having strong passwords that are changed regularly is a relatively simple yet effective protection mechanism. There are numerous websites providing advice on how to create strong passwords or passphrases. For further information see the OAIC’s Guide to securing personal information, ‘Passwords and passphrases’ section (p.30 in pdf version).

6.25 Best practice is that a master copy of passwords should not be retained. If a master copy of passwords is retained, that file should also be protected with a strong password or passphrase, or by strong physical security.
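
The following is an added example, not part of the OAIC report, of the kind of check behind 6.24: it reads the local password policy of a Windows workstation, compares it with a minimum baseline and lists enabled local accounts that have no password or a password older than the practice's review interval. It assumes a standalone or workgroup workstation with the LocalAccounts module (Windows 10 or Server 2016 and later) and English-language 'net accounts' output; on a domain the equivalent sources are Get-ADDefaultDomainPasswordPolicy and Get-ADUser. The baseline numbers and the sample 'net accounts' lines are assumptions constructed for illustration.

```powershell
# Added example (not from the OAIC report). Audits the local Windows password policy
# against an assumed baseline and flags enabled local accounts with no password or a
# stale password. Assumes a workgroup workstation with the LocalAccounts module and
# English 'net accounts' output; baseline values are assumptions for the practice to set.

$Baseline = @{ MinPasswordLength = 12; MaxPasswordAgeDays = 90 }

function Get-LocalPasswordPolicy {
    # 'net accounts' prints "Name:   value" lines; parse them into a hashtable.
    # $Lines defaults to the live command so the parser can also be fed sample text.
    param([string[]]$Lines = (net accounts))
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(.+?):\s+(\S.*)$') { $policy[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy = (Get-LocalPasswordPolicy), [hashtable]$Expected = $Baseline)
    $minLen = [int]$Policy['Minimum password length']
    $maxAge = $Policy['Maximum password age (days)']
    $findings = @()
    if ($minLen -lt $Expected.MinPasswordLength) {
        $findings += "Minimum password length is $minLen; baseline is $($Expected.MinPasswordLength)"
    }
    # 'Unlimited' means passwords never expire; test it before casting to avoid an error.
    if ($maxAge -eq 'Unlimited' -or [int]$maxAge -gt $Expected.MaxPasswordAgeDays) {
        $findings += "Maximum password age is $maxAge; baseline is $($Expected.MaxPasswordAgeDays) days"
    }
    if ($Policy['Lockout threshold'] -eq 'Never') {
        $findings += 'No account lockout threshold: online password guessing is unlimited'
    }
    return $findings
}

function Get-StaleLocalAccounts {
    param([int]$MaxAgeDays = $Baseline.MaxPasswordAgeDays)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $reason = $null
        # The report found one clinic whose computers did not require a password at all;
        # PasswordRequired catches that case before the age check.
        if (-not $_.PasswordRequired)           { $reason = 'no password required' }
        elseif ($null -eq $_.PasswordLastSet)   { $reason = 'password never set' }
        elseif ($_.PasswordLastSet -lt $cutoff) { $reason = "password last set $($_.PasswordLastSet.ToShortDateString())" }
        if ($reason) { [pscustomobject]@{ Account = $_.Name; Finding = $reason } }
    }
}

# Constructed 'net accounts' output showing the parser; the live call is Get-LocalPasswordPolicy.
$SampleNetAccounts = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          Unlimited',
    'Minimum password length:                              0',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        WORKSTATION'
)
Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy -Lines $SampleNetAccounts)
Get-StaleLocalAccounts
```

Against the constructed sample the audit reports all three findings. Minimum length and maximum age can be set with `net accounts /minpwlen:12 /maxpwage:90`; the complexity requirement and the lockout threshold are set through Local Security Policy (secpol.msc) or a security template, not through net accounts. This covers only the operating system logon; the second, clinical software password described at 6.17 is governed by that application's own settings and must be checked there. Two caveats a practitioner would attach to 6.24 and 6.25. First, current guidance from the ACSC Information Security Manual and NIST SP 800-63B no longer recommends forcing password changes on a fixed schedule in the absence of compromise, favouring length, lockout, screening against known-breached passwords and multi-factor authentication where the software supports it; a practice following this report's "changed regularly" advice should treat the interval as a policy decision rather than a security end in itself. Second, a master list of passwords held by the practice manager undermines the individual accountability that unique user identification under Rule 27 is meant to provide, which is the stronger reason, beyond protecting the file, not to keep one.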

Include a process for handling PCEHR document and record codes in relevant policies

6.26 The lack of a written process setting out how to handle PCEHR document and record codes provided by a patient increases the risk that a patient's document or record code may be retained and used in the future without the appropriate authorisation. It should be noted that this is currently a low risk, considering that only one GP clinic assessed by the OAIC had a patient who had locked down part of their eHealth record. However, a risk that is low today may become medium or high if use of the eHealth system increases significantly and more patients elect to lock down parts of their eHealth record. As a result, this issue should be dealt with now.

Create a process for handling privacy complaints

6.27 Those assessed GP clinics that do not have a process for handling privacy complaints face a risk that unauthorised access to the eHealth system may not be addressed promptly, or may not be addressed at all. This may result in greater harm to the individual who is making the complaint or whose personal information has been mishandled. GP clinics would benefit from updating their policies to reflect how they will receive eHealth or data breach related communications from patients or members of the public, and how they will respond to such occurrences.

Review and update relevant policies

6.28 Generally, the GP clinics assessed would benefit from more regular reviews of their policies. Because their policies are out of date, there is a risk that staff in many of the GP clinics assessed may not be properly informed about the requirements of the Privacy Act and their privacy obligations when accessing the eHealth system. GP clinics should review and update their policies and procedures manuals and other relevant policies to ensure that staff can rely on information which accurately reflects privacy laws and obligations.

Recommendation 1 — review and update policies and procedures

6.29 The OAIC recommends that assessed GP clinics undertake a review of all relevant policies so that they:

  • specifically, in relation to the eHealth policy required under the PCEHR Rules, ensure the policy:
    • clearly sets out the GP clinic’s current security controls and procedures for accessing the eHealth system and reflects requirements under the PCEHR Rules (in particular Rule 25)
    • contains information on when the policy was previously updated (iteration numbers and dates of previous iterations required under Rule 25(6)(c))
  • regularly review the eHealth policy (as required under Rule 25(6)(c)) to ensure the policy’s relevance and accuracy. GP clinics should also review the policy if any new material or changed risks are identified
  • accurately and consistently reflect obligations under the Privacy Act (in particular APP 11), the PCEHR Act and the PCEHR Rules (in particular Rule 25) to protect personal information when staff access the eHealth system
  • set out a process for destroying PCEHR document and record codes
  • record the different levels of individual staff access to their ICT systems including access to the eHealth system
  • set out a policy for regularly reviewing passwords used to access its ICT systems, including the clinical software system, and ensure passwords are regularly changed and sufficiently complex. Passwords and passphrases should be complex enough that others are not able to guess them, for example by using a combination of letters, numbers and symbols, or by using passphrases
  • outline a process for dealing with eHealth system access related privacy breaches and the handling of any complaints which may arise from these breaches, if the GP clinic has not already done so. Good privacy practice would involve having a policy which addresses all privacy breaches and complaints, not just those which relate to eHealth system access
  • include accurate and up to date references to eHealth legislation, the Privacy Act and other privacy obligations, in relation to their practice manuals and other policies.

6.30 The assessors have identified a number of resources that may assist the assessed GP clinics to understand and meet the above recommendation, and other eHealth legislation obligations. These are set out in Appendix C (Resources). The OAIC does not endorse these resources, though it has provided them as assistance for GP clinics.

Access to the eHealth system

Observations

6.31 Across the assessed GP clinics, generally individual doctors, registered nurses and others may access the eHealth system (through their clinical software access). However, in the majority of clinics only a minority of those doctors with access to the eHealth system were using it. In only one GP clinic were all doctors using the eHealth system.

Levels of access

6.32 Across the seven assessed GP clinics, access to the clinical software and the eHealth system is granted by either the practice manager or the principal GP. A majority of assessed GP clinics record the levels of access granted to individual staff members, with many using the Authorised Staff Register template developed by Medicare Locals. The levels of access to ICT systems are generally as follows:

  • Unrestricted access – which means access to all areas of clinical software and typically involves doctors, registered nurses, anyone with an HPI-I[5], anyone authorised by the practice manager or administrator of the practice’s ICT system to access the clinical software
  • Restricted or reception access – involves reception staff accessing billing software only – though in some GP clinics this includes reception and administrative staff accessing the clinical software for limited purposes.

Screensaver settings

6.33 All seven assessed GP clinics use screensavers which are activated on their computers when they remain inactive – the period of inactivity varies from five to ten minutes. In some assessed GP clinics, staff are required to re-enter their password to re-access the computer. However, in other assessed GP clinics, when the computer is used again the screen reverts to the last screen/page viewed rather than to a logon page requiring the user to re-enter their username and password.

Privacy risks

Access on a ‘need to know’ basis

6.34 A strong principle of personal information security generally is only to provide people with access to information which they need to know (or in this case, which they are going to use).

6.35 In only one of the assessed GP clinics were all doctors with access to the eHealth system through their practice software actively using the eHealth system. This means that in six of the GP clinics doctors had access to a system through their practice software but were not necessarily using it. This is on its face contrary to the general principle of restricting access to information on a ‘need to know’ basis.

6.36 Generally, the GP clinics assessed face a medium risk of unauthorised access to the eHealth system as they have staff members who are capable of accessing the system through their practice software and either do not have an operational need for or have chosen not to use the system.

Recommendation 2 — consider restricting access to users of the PCEHR system

6.37 To minimise the risk of access without a patient’s consent or without other authority, the assessed GP clinics should consider adjusting practice software controls to limit access to personal information in an eHealth record to those staff who are using or intend to use the eHealth system. Each practice should regularly assess staff’s need for access to the eHealth system in light of their use or intended use of the system and clinical needs.

Logon screens and screensavers

6.38 There is a medium risk that unauthorised persons could access personal information on unattended computers which have eHealth records open and do not have screensavers which revert to a logon screen when interrupted.

Recommendation 3 — change screensaver settings on computers

6.39 The OAIC recommends that the assessed GP clinics review the settings on computers used to access the eHealth system so that users are required to enter their user name and password to deactivate screensavers.

Monitoring access — lack of audit log capability

Observations

6.40 Under the PCEHR Rules, the assessed GP clinics must have a policy which reasonably addresses the physical and information security measures it uses when accessing the PCEHR system including how it identifies individuals using its ICT systems to access the eHealth system.

6.41 All of the seven assessed GP clinics have the capability to reactively monitor staff access to the eHealth system, as the software used by all the assessed GP clinics showed in the patient’s clinical record which doctor had accessed that patient’s eHealth record. The software currently used by all seven GP clinics (which is based on National eHealth Transition Authority specifications) appears to satisfy the PCEHR Rules – if the IHI of the affected individual is known, then that patient’s clinical record can be reviewed in the clinical software to determine who accessed their eHealth record.

6.42 However, none of the assessed GP clinics were fully aware of what their respective clinical software’s capability was in this area, or whether more proactive monitoring, which is preventative in nature, could be implemented. This would involve being able to search against a doctor’s activity to see which eHealth records that doctor had accessed, and periodically reviewing a record of system activities, such as an audit log, to see if any anomalous eHealth activity has occurred.

6.43 From the fieldwork the assessors concluded that the HPOs are not likely to have the capability to proactively monitor, log and audit an individual staff member’s eHealth system access, including access to patients’ eHealth records due to the limitations of their clinical software systems. It appears that proactive monitoring of the rest of the GP clinic’s ICT systems including clinical records can be, and sometimes is, conducted.

Privacy risks

6.44 When considering what reasonable steps to take to secure personal information under APP 11, the OAIC’s Guide to securing personal information (p.31) states that maintaining a chronological record of system activities, such as an audit log, is often the best way to review activity on a computer system, detect anomalous activity and investigate privacy incidents.

6.45 Currently there is a low risk of unauthorised access going undetected, given the number of patients with eHealth records. The assessors understand that the lack of such technology being available to a GP clinic on a cost effective basis may make it unreasonable for the assessed GP clinics to take further steps in these circumstances. However, what is a low risk currently may become a medium or high risk if the use of the eHealth system increases significantly. Therefore the OAIC suggests that the assessed GP clinics consider on an ongoing basis the practicality of implementing a proactive audit log capability, particularly if appropriate commercial software becomes available.
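The proactive review described in 6.42 and 6.44 (answering "which eHealth records did this user access?" from data the software only stores per patient, then looking for anomalies), together with the need-to-know review in Recommendation 2, as an added illustration. This is not code from the report or from any clinical software product; the event layout, the treating-team mapping, the business hours and all sample records are constructed assumptions.

```python
"""Pivot patient-centric eHealth access records into a per-user view.

Added example: not code from the OAIC report or from any clinical software
product. The clinical software described in the report records, against a
patient's clinical record, which doctor accessed that patient's eHealth
record; that answers "who accessed patient X?" but not "what did user Y
access?". Given the same events as a flat list, this script answers the
second question and runs two checks a practice manager could repeat
periodically: eHealth-enabled accounts that never use the system (the
need-to-know review of Recommendation 2) and accesses worth a closer look
(user outside the patient's treating team, or outside business hours).
Every field name and sample record below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access events: (timestamp, patient identifier, user).
# "IHI-000n" is a placeholder standing in for a real Individual Healthcare
# Identifier; no real identifiers appear here.
ACCESS_EVENTS = [
    ("2015-02-03T09:12:00", "IHI-0001", "dr.lee"),
    ("2015-02-03T09:40:00", "IHI-0002", "dr.lee"),
    ("2015-02-04T14:05:00", "IHI-0001", "dr.patel"),
    ("2015-02-04T22:30:00", "IHI-0003", "dr.patel"),   # after hours
    ("2015-02-05T10:00:00", "IHI-0004", "dr.patel"),   # not the treating GP
]

# Constructed: accounts with eHealth access enabled in the clinical software
# (a practice's Authorised Staff Register would be one source for this).
EHEALTH_ENABLED_USERS = {"dr.lee", "dr.patel", "dr.nguyen", "rn.smith"}

# Constructed: clinicians treating each patient, e.g. from appointment data.
TREATING_TEAM = {
    "IHI-0001": {"dr.lee", "dr.patel"},
    "IHI-0002": {"dr.lee"},
    "IHI-0003": {"dr.patel"},
    "IHI-0004": {"dr.nguyen"},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed practice opening hours


def accesses_by_user(events):
    """Invert the patient-centric log: user -> [(datetime, patient id), ...]."""
    by_user = defaultdict(list)
    for ts, patient, user in events:
        by_user[user].append((datetime.fromisoformat(ts), patient))
    return dict(by_user)


def unused_access(events, enabled_users):
    """Accounts able to access the eHealth system that recorded no access in
    the period covered by `events`: candidates for having access removed."""
    active = {user for _, _, user in events}
    return sorted(enabled_users - active)


def anomalous_accesses(events, treating_team, hours=BUSINESS_HOURS):
    """Return (timestamp, patient, user, reasons) for events that warrant
    follow-up: the accessing user is not in the patient's treating team, or
    the access happened outside business hours. Absence from the treating
    team is a prompt to confirm consent/authority existed, not proof of misuse."""
    flagged = []
    for ts, patient, user in events:
        when = datetime.fromisoformat(ts)
        reasons = []
        if user not in treating_team.get(patient, set()):
            reasons.append("not in treating team")
        if not (hours[0] <= when.time() < hours[1]):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((ts, patient, user, reasons))
    return flagged


if __name__ == "__main__":
    for user, accesses in sorted(accesses_by_user(ACCESS_EVENTS).items()):
        print(f"{user}: {len(accesses)} eHealth record access(es)")
    print("enabled but unused:", unused_access(ACCESS_EVENTS, EHEALTH_ENABLED_USERS))
    for ts, patient, user, reasons in anomalous_accesses(ACCESS_EVENTS, TREATING_TEAM):
        print(f"REVIEW {ts} {user} -> {patient}: {', '.join(reasons)}")
```

On the constructed sample this lists two enabled-but-unused accounts and flags two of dr.patel's accesses for review, one for the hour and one because that user is not recorded as treating the patient.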

Regular and ongoing privacy and eHealth system access training

Observations

6.46 All seven assessed GP clinics provide some privacy and eHealth system access training to new staff as part of their induction process. Initial eHealth system training in all seven HPOs is provided either by the practice manager or a principal GP.

6.47 Generally across the seven assessed GP clinics, privacy and eHealth system induction training involves the following:

  • new staff are given a copy of the GP clinic’s eHealth system policy (if it has one) and a brief explanation of the eHealth system, with its key elements identified
  • the practice manager or principal GP shows new doctors how to access an eHealth record through the clinical software and advises them about obtaining consent from the patient to access their eHealth record
  • general privacy issues involving the handling of health information are discussed and a confidentiality form is signed.

6.48 In at least two GP clinics the principal GP or practice manager also uses their own personal eHealth record to demonstrate to new staff how to appropriately access and interact with the eHealth system.

6.49 None of the seven GP clinics assessed by the OAIC were aware of NEHTA’s online eHealth system training environment (see link in Appendix C (Resources)).

6.50 In the majority of assessed GP clinics, the eHealth system is not specifically mentioned in the documentation provided to staff to review when they begin their employment – this typically takes the form of a checklist of information that must be covered and paperwork to be completed by the new doctor. In some HPOs even privacy was not referred to in the induction checklists – though the assessors were informed that in practice this is covered during induction.

6.51 A number of the assessed GP clinics did not keep full records of training undertaken. Some practices use the PCEHR training attendance log template developed by the Medicare Locals for recording all eHealth system training undertaken by their staff. However, many of the GP clinics that use this or some other training register did not consistently maintain it. For example:

  • one log reviewed by the assessors did not reflect all eHealth training undertaken by the assessed GP clinic’s staff as part of their induction training
  • another assessed GP clinic did not record the refresher training provided by the practice manager and the general privacy training provided by the Medicare Local.

6.52 All assessed GP clinics received training assistance from their respective Medicare Local when they began their participation in the eHealth system. One assessed GP clinic noted that it also received general privacy training from its Medicare Local.

6.53 Following induction, regular privacy and eHealth system access refresher training is not conducted by most assessed GP clinics. Some GP clinics offer subsequent privacy and eHealth system training; however, this is not formalised and does not occur on a regular and ongoing basis. Other GP clinics hold regular meetings, or the OMO runs monthly group training for staff, which can cover particular issues relevant to the practice such as privacy. One GP clinic advised that its Medicare Local had offered to do refresher training for its staff, though this offer was not taken up. This lack of formal refresher training may also explain in part the low usage of the eHealth system observed in some assessed GP clinics.

6.54 In the majority of assessed GP clinics, no eHealth system training material other than the eHealth system policy and induction checklist is used or provided to staff. One assessed GP clinic had developed a training manual specifically for the eHealth system, consisting of material from its Medicare Local, NEHTA and the OAIC.

Privacy risks

6.55 There is a medium risk that the lack of regular and ongoing refresher privacy and eHealth system access training may lead to an assessed GP clinic’s staff not being fully aware of their privacy and security obligations when accessing the eHealth system. This is especially important if new functionality is added or significant changes are made to the eHealth system in the future.

6.56 There is also a medium risk of staff in the assessed GP clinics:

  • missing out on eHealth system and privacy training opportunities; or
  • receiving training when they do not have an immediate need for it, for example staff undertaking training even though they recently completed it.

This is due to a lack of consistent recording by the assessed GP clinics about privacy and eHealth system training undertaken by their staff. Principal GPs and practice managers (who are responsible for ensuring that their staff are adequately trained) may not be fully aware of their staff’s training needs. This could result in wrong decisions being made about which staff members should receive training for the first time or when a staff member is due for refresher training.

6.57 Assessed GP clinics may also want to consider whether they could adapt their current training material so that it specifically relates to their systems and procedures for accessing the eHealth system to ensure corporate memory regarding these issues is retained.

Recommendation 4 — regular and ongoing privacy and eHealth system access training

6.58 The OAIC recommends that assessed GP clinics implement a formal training program where all staff requiring eHealth system access undergo regular and ongoing privacy and eHealth system access training.

Recommendation 5 — record all eHealth system training

6.59 The OAIC recommends that assessed GP clinics establish and maintain a record of instances where individual staff members have received and completed internal or external privacy and eHealth system access training.

Risk assessments into eHealth system access

Observations

6.60 The assessed GP clinics were uncertain as to whether they had conducted risk assessments of their use of the eHealth system and of their ICT systems generally.

6.61 Six of the assessed GP clinics stated that they may have completed a risk assessment (which included an assessment of the practice’s ICT systems) as part of their practice accreditation (which occurs every three years). One confirmed that it had carried out a risk assessment as part of its accreditation.

6.62 The seven assessed GP clinics do not all use the same practice accreditation process. However the six assessed GP clinics which advised that they may have completed a risk assessment as part of their accreditation informed the OAIC that their accreditation:

  • involved demonstrating adherence to RACGP’s Standards for general practices (which has a privacy and information security component)
  • did not contain any eHealth system specific material
  • only briefly mentioned the RACGP’s CISS (which does refer to the eHealth system).

6.63 One assessed GP clinic informed the OAIC that it regularly relies on external ICT consultants to undertake a risk assessment of its ICT systems, while another said that it does this on an ad hoc basis.

6.64 Two assessed GP clinics used the RACGP’s Computer and information security template to develop their information security policies; the template includes a risk assessment component and refers to the eHealth system. However, neither assessed GP clinic had fully completed the template, including the risk assessment component.

Privacy risks

6.65 As noted earlier, Rule 25(4)(e) requires that a GP clinic’s eHealth system policy reasonably address mitigation strategies to ensure PCEHR-related security risks can be promptly identified, acted upon and reported to the GP clinic’s management. This includes undertaking risk assessments and/or other similar reviews.

6.66 Assessed GP clinics may not be conducting appropriate risk assessments of their access to the eHealth system, and of their ICT systems generally, properly, regularly or at all. Given the dynamic nature of ICT systems and the security risks associated with them, it would be prudent for GP clinics to conduct regular risk assessments. There is a possibility that assessed GP clinics may not be aware of all relevant security risks they face, including threats and vulnerabilities and their possible impacts, when staff access the eHealth system. As security risks may change very quickly, there is a medium risk that an assessed GP clinic’s security controls may become out of date.

6.67 A risk assessment into eHealth system access should consider the specific information security risks faced by the assessed GP clinic and then suggest steps and strategies for mitigating these risks. Further information on ways in which an assessed GP clinic can assess their personal information security risks can be found in the OAIC’s Guide to securing personal information (p.9 in the pdf version).

Recommendation 6 — annual risk assessments into eHealth system access

6.68 The OAIC recommends that assessed GP clinics:

  • confirm, whether through their accreditation or some other method, that they undertake a risk assessment of their ICT systems and that it includes an examination of the privacy and security risks associated with eHealth system access
  • consider conducting a risk assessment into ICT security and eHealth system access every year to complement the risk assessments that may be undertaken, including as part of the practice accreditation process
  • document all risk assessments appropriately.

Appendix A — Assessment information request

  • Any internal security, privacy or governance protocols, policies, procedures and access controls applicable to staff or doctors or contractors or other visiting health professionals relating to access to or use of the PCEHR system, including password controls or other access controls. This includes:

    • any policy created in response to Rule 25 of the PCEHR Rules 2012 (Rules)

    • any documents supporting or referred to in that policy

    • any documents that describe the management account practices adopted by you to meet Rule 27 of the Rules.

  • Details of any instructions, memorandums, briefs or advices to your staff or doctors or contractors or other visiting health professionals addressing the legal or privacy obligations associated with access to or use of the PCEHR system.

  • Details of staff or doctors or contractors or other visiting health professionals that have access to the PCEHR system.

  • Copies of all training materials relating to access to or use of the PCEHR system.

  • Details of:

    • privacy or security audits, assessments or similar reviews

    • risk assessments/risk registers, threat assessments and privacy impact assessments

    in relation to your use of the PCEHR system.

  • Details of any audit system that logs or records use or access to the PCEHR system, including logs or records relating to access to the PCEHR system (eg audit logs, tracking records, incident records etc).

  • Any other information you consider relevant to this assessment (for example, details of any privacy/security breaches involving access to the PCEHR system in the last 12 months or details of any privacy or security audits relevant to your use of the PCEHR system).

Appendix B — Risk based assessments — privacy risk guidance

For each privacy risk rating, the guidance below sets out the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation or other relevant legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies).

Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation or other relevant legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies).

Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation or other relevant legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met.

Appendix C — Resources

A number of resources are also available on the OAIC website that may assist you to understand and meet your eHealth system obligations. They are as follows:

In addition, the assessors have identified a number of resources external to the OAIC website that may assist Healthcare Provider Organisations to understand and meet their eHealth system obligations. The OAIC does not endorse the following resources, which were found in the course of the assessment and have not been reviewed in detail:

Footnotes

[1] The Personally Controlled Electronic Health Records Act 2012 and the PCEHR Rules 2012 refer to the ‘PCEHR system’. This report generally uses the term ‘eHealth system’; the term ‘PCEHR’ is used only when reference is made to legislation.

[2] Further information on ROs and OMOs can be found in the Department of Health’s Participating in the personally controlled electronic health record system: a registration guide for healthcare organisations.

[3] Further guidance on the APPs can be found in the OAIC’s APP guidelines. Further guidance on information security matters can be found in the OAIC’s Guide to securing personal information.

[4] Medicare Locals were funded by the Australian Government up until 30 June 2014 to undertake eHealth related work.

[5] Sometimes this can include allied health professionals, but this differs across each HPO – some lease rooms to allied health professionals who do not access the HPO’s ICT systems.