Access security governance for the My Health Record system - Midland Private Hospital

Part 1: Executive Summary   

1.1 This report outlines the findings of the Office of the Australian Information Commissioner (OAIC) on a privacy assessment of St John of God Midland Private Hospital’s (Midland Private Hospital) access security governance for the My Health Record (MHR) system conducted in April 2019.

1.2 All healthcare providers who are registered participants of the MHR system are required to have, communicate and enforce an access security policy under Rule 42 of the My Health Records Rule 2016. Rule 42 prescribes a number of requirements that must be addressed in the policy, to ensure that staff and contractors’ access to the MHR system is secure.

1.3 The objective of this assessment was to examine how staff and contractors at Midland Private Hospital access the MHR system, and whether the hospital has appropriate governance arrangements to manage access security risks in accordance with Rule 42. This involved looking at how staff and contractors are granted access to the MHR system, how that access is controlled and monitored, and how system risks are identified and managed.

1.4 This assessment also considered the reasonable steps taken by Midland Private Hospital to protect personal information and implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), pursuant to APPs 1.2 and 11.

1.5 This assessment found that Midland Private Hospital has taken a number of steps to address and implement the requirements of Rule 42 but was yet to implement a finalised MHR access security policy.

1.6 The assessment identified a number of high and medium level privacy risks and has made 13 recommendations to address these risks. The recommendations, and Midland Private Hospital’s responses, are outlined in the Parts 3 and 4 of this report. The OAIC has also made eight suggestions which, if implemented, may assist Midland Private Hospital to further reduce privacy risks.

Part 2: Introduction

Background

Overview of the My Health Record system

2.1 The MHR system is the Australian Government’s digital health record system. A MHR is an online summary of a consumer’s key health information including details of their medical conditions and treatments, medicines, allergies, tests and scans.[1] This information can be viewed securely online. As end-users of the system, healthcare providers (such as doctors, specialists and hospital staff) are able to view and add information to a My Health Record when they need to, subject to access controls set by the consumer.

2.2 The MHR system is regulated under a suite of legislation including the My Health Records Act 2012 (Cth) (My Health Records Act) and My Health Records Rule 2016 (Cth) (My Health Records Rule). 

2.3 The Australian Government announced in May 2017 that all consumers would receive a MHR unless they decided to opt out. The opt-out period occurred from July 2018 to January 2019. The majority of consumers[2] now have a MHR, which is expected to drive greater use of the system by healthcare providers.

2.4 Private hospitals are required to comply with the APPs in the Privacy Act 1988 (Privacy Act) when handling personal information, which includes handling personal information in the MHR system.

2.5 Private hospitals that handle personal information in the MHR system are also bound by the obligations set out in Rule 42 of the My Health Records Rule. Rule 42 focusses on privacy governance, specifically in relation to end-user access security. Under Rule 42, healthcare providers who are registered participants in the MHR system must have a written policy that addresses a number of prescribed requirements, including:

  • how individuals are authorised to access the MHR system
  • staff training in relation to using the MHR system accurately and responsibly, and the legal obligations involved
  • the process for identifying a person who requests access to a consumer’s MHR
  • physical and information security measures, including user account management (linked to Rule 44)
  • strategies to identify, mitigate and report MHR system risks.

2.6 In many respects, the Rule 42 requirements complement APPs 1.2 and 11. Importantly, however, the Rule 42 requirements do not constitute all the reasonable steps a healthcare provider may need to take for the purposes of the APPs.

2.7 In practice, this means that healthcare providers participating in the MHR system have concurrent obligations to:

  • fulfil the privacy and access security requirements outlined in Rule 42
  • take reasonable steps to protect personal information and implement practices, procedures and systems to ensure compliance with the APPs.

2.8 This assessment examined how Midland Private Hospital fulfils the Rule 42 requirements, as well as the steps it takes under APPs 1.2 and 11 when staff (and contractors) handle personal information in patients’ MHRs.

The OAIC’s role            

2.9 The OAIC provides independent privacy oversight of the MHR system under the My Health Records Act.

2.10 The OAIC has a Memorandum of Understanding (MOU) with the Australian Digital Health Agency (ADHA) to provide dedicated privacy-related services under the Privacy Act and the My Health Records Act. This assessment forms part of the OAIC’s MOU work programme.

2.11 The OAIC had regard to the recent national expansion of the MHR system when deciding to focus on end-user access security in this assessment. The increased adoption and use of MHRs by individuals and organisations increases the privacy risk profile of the MHR system, and heightens the importance of awareness of compliance with MHR access security policies and practices under Rule 42 and the APPs.

Midland Private Hospital

2.12 Midland Private Hospital is located in Midland, Western Australia. It is part of the wider St John of God Health Care (SJGHC) network which is Australia’s third largest private hospital operator and operates a total of 24 facilities in Australia and New Zealand. Midland Private Hospital is a 60-bed facility.

2.13 Midland Private Hospital is co-located with St John of God Midland Public Hospital. The OAIC was advised during fieldwork that both hospitals are publicly funded and run by St John of God Health Care which is licensed as a private operator. There are no operational differences between the two hospitals except that each hospital has its own CEO.

2.14 A number of contractors operate onsite, including a pathology service provider, pharmacy and medical consultants.

2.15 The OAIC selected Midland Private Hospital for an assessment based on MHR system data provided by the Australian Digital Health Agency, which indicated that the hospital is accessing MHRs.

2.16 At the time of fieldwork (April 2019), there were 59 employees, 161 contract staff, and 748 doctors at Midland Private Hospital with access to the MHR system. 

Part 3: Findings

My Health Record access security policy

Mandatory written policy

3.1 Rules 41 and 42(1) of the My Health Records Rule requires healthcare providers to have a written access security policy to be eligible to be registered, and remain registered, under the MHR system. The OAIC observed that Midland Private Hospital had a draft MHR access security policy which was yet to be finalised and implemented at the time of fieldwork, although staff had begun using MHRs from December 2018 via WA Health’s portal (iSOFT Clinical Manager), and from January 2019 via the hospital’s internal clinical software (Clinical Information System, CIS). It was planning to implement the draft policy within the next six months.[3]

3.2 The MHR access security policy forms the security governance for end-users of the MHR system, and therefore underpins how Midland Private Hospital protects of sensitive patient information from unauthorised access. It also helps build staff awareness of obligations under MHR legislation, which in turn helps strengthen privacy culture across the hospital. The OAIC considers there is a high risk of breaching Rule 42(1) and APPs 11 and 1.2 if Midland Private Hospital does not immediately implement its draft MHR access security policy.

Recommendation 1

Midland Private Hospital must immediately implement its draft My Health Record access security policy to meet the requirements of Rule 42 and APPs 11 and 1.2.

 

3.3 Having regard to the circumstances, the Privacy Commissioner exercised her discretion to take further regulatory action by opening a Commissioner initiated investigation under section 40 of the Privacy Act. 

3.4 The purpose of the investigation was to inquire about the circumstances in which Midland Private Hospital was accessing the MHR system without an access security policy. In particular, the OAIC sought and received assurance that, despite the absence of an access security policy, there had been no instances of unauthorised access to the MHR system.  

3.5 During the investigation Midland Private Hospital provided further information and submissions including the required assurance.

3.6 The OAIC found that the hospital’s draft policy reasonably addressed the other requirements of Rule 42. The OAIC has, however, identified privacy risks in the hospital’s governance and security practices underpinning the draft policy, which is discussed throughout Part 3 of this report.

3.7 The draft policy references other related and supporting policies such as the data breach response plan, information security and privacy compliance, which provides staff with a coherent picture of the suite of policies applicable to the handling of personal information in the MHR system.

3.8 The draft policy states upfront that it ‘applies to all caregivers, contractors and consultants’. This is a good privacy governance measure that provides transparency about policy scope and enables the hospital to communicate and enforce the policy with contractors and consultants. It also helps ensure all individuals with MHR access are subject to the requirements of Rule 42.

3.9 However, the OAIC notes that the policy content is addressed only to caregivers and not contractors or consultants.[4] For the avoidance of doubt, the OAIC recommends that the draft policy should be amended so that each policy requirement is addressed to caregivers, contractors and consultants. This mitigates the risk of contractors and consultants not following the policy based on a misunderstanding that the requirements do not apply to them.

Recommendation 2

Midland Private Hospital should amend its draft My Health Record access security policy so that the policy content is addressed to caregivers, contractors and consultants.

 

3.10 Once implemented, the draft policy will also be applicable to all relevant organisations within the wider SJGHC network. If, in future, the hospital’s MHR systems, practices and procedures differ from those of the SJGHC network, the OAIC suggests that it should apply a tailored local version of the MHR access security policy to ensure that it remains relevant to the hospital’s individual operational environment.

3.11 Most policies and procedures are developed by the SJGHC group and then applied to Midland Private Hospital. The MHR access security policy is the responsibility of Group Governance and the Group Digital and Technology Project Team. The draft policy was developed with input from other teams such as the Legal and Compliance teams. There is a clear governance structure to support this work as articulated in SJGHC’s Policy Governance Framework, with well-defined roles and responsibilities at Group and local levels. The framework also sets out a process for reviewing policy documents.

3.12 SJGHC has a Policy Committee which is responsible for endorsing policies before these are formally approved by the Executive Committee. Once approved, policies are published and communicated to local staff.

Communication of policy

3.13 SJGHC Group intends to communicate the MHR access security policy via various channels when it is approved. The policy will be published on the SJGHC intranet and all SJGHC staff will receive notifications via Pulse App, a mobile application which broadcasts organisational updates to all staff. It will also be communicated through the Executive Committee and filtered down to Midland Private Hospital staff via emails, posters and staff meetings. This is a good communication strategy and the OAIC suggests that the hospital could also regularly communicate the policy to staff on an ongoing basis, to reinforce staff awareness of their MHR privacy and access security obligations.

3.14 Midland Private Hospital does not have any measures in place to communicate MHR obligations to contractors. This is a significant concern given contractors already have access to the MHR system via CIS, and further underscores the importance of immediately implementing the MHR access security policy.

3.15 Once implemented, the hospital is required under Rule 42(2) to communicate the policy to contractors and ensure that it is readily available. Reasonable steps under APP 1.2 include running an awareness campaign, providing regular email reminders with a soft copy of the policy attached, and providing training (discussed at [3.36 – 3.44]).

Recommendation 3

Midland Private Hospital must communicate its MHR access security policy to contractors (and consultants) when it is implemented.

Review of policy

3.16 The draft MHR access security policy adequately addresses the policy review and version control requirements of Rule 42(6). Once implemented, Midland Private Hospital must review its policy at least annually, and when any material new or changed risks are identified. The review must consider:

  • risks that might result in unauthorised access, use or disclosure of patient information from a MHR
  • any legislative changes
  • any changes to the MHR system that may affect Midland Private Hospital. 

Conducting a review ensures that the policy remains current and compliant with Rule 42(6) and APP 1.2.

Recommendation 4

Midland Private Hospital must review its MHR access security policy at least annually, and when any material new or changed risks are identified.

 

3.17 As noted at [3.7], the draft policy references a number of related policies and procedures. Most of these policies have a review period exceeding one year. While longer review cycles are not in itself an issue, there is a low risk that the content in related policies may become misaligned with a revised MHR access security policy. The OAIC suggests that Midland Private Hospital could consider reviewing any relevant or linked policies (such as the Data Breach Framework and Response Plan) when there is an update to the MHR access security policy.

Access to the My Health Record system

Authorising access to the MHR system

3.18 Midland Private Hospital staff (including contractors) can access the MHR system via the hospital’s conformant clinical software, Clinical Information System (CIS), which has been customised to the hospital’s operations.

3.19 Access to CIS requires authorisation from managers. The hospital has a documented procedure outlining user account activation for CIS. Staff access to CIS is managed in an active directory which assigns application permissions to user accounts.

3.20 Staff can only access CIS and ICM via SJGHC-registered computers at designated workstations. Remote access is not provided.

3.21 Staff access to CIS is role-based, although this is currently limited to two IT roles in the active directory: generic access and clinician access. In practice there is little distinction between these roles from a MHR perspective; users with either role are given default access to the MHR system. This means that anyone who has access to CIS will also have automatic access to MHRs. The hospital is considering refining this set up to introduce more prescribed roles.

3.22 Providing access on a need-to-know basis is a key cornerstone of strong access security and information protection. This is reflected in Rules 42(4)(d) and 44(a), which require Midland Private Hospital to restrict MHR access to staff who require it as part of their duties. The OAIC considers that the current IT role set-up carries a high risk of a breach of these rules and APP 11. The OAIC recommends that the hospital must limit staff access to the MHR system, and note the hospital’s advice that this could occur by tightening IT roles to genuinely reflect staff duties. This would minimise the risk of unauthorised access to personal information.

Recommendation 5

Midland Private Hospital must limit access to the MHR system to staff who require access as part of their duties.

 

3.23 Apart from CIS, doctors can also access the MHR system using a Citrix portal provided by WA Health known as iSOFT Clinical Manager (ICM). The OAIC learnt that some doctors have been using ICM as the preferred alternative to CIS due to greater useability. ICM authenticates users via a unique healthcare identifier issued by WA Health. Midland Private Hospital does not administer access to ICM (this is a matter for WA Health), but staff must obtain their manager’s approval before accessing ICM.

3.24 Midland Private Hospital is responsible for compliance with the APPs and MHR Rules when its employees or contractors access the MHR system. Midland Private Hospital has controls in place, and strengthened controls recommended in this report, relating to access to the MHR system by employees and contractors through the CIS platform. Midland Private Hospital remains responsible for compliance with the APPs and MHR Rules when its staff or contractors access the MHR system for work purposes through the ICM.

3.25 Alternative access to the MHR system via the ICM raises a risk of non-compliance with the access and security requirements of the APPs and MHR Rules in the absence of documented controls. The OAIC recommends that Midland Private Hospital introduce or strengthen controls to either ensure that access to the MHR system by employees or contractors through the ICM meets the requirements of the APPs and MHR Rules, or require staff and contractors to only access MHR through CIS.

3.26 CIS applies access controls to documents held in MHRs. CIS prevents staff from uploading a document to a MHR unless they are a doctor. Staff are unable to extract documents from MHRs and save local copies. Documents can be printed; however, such activity is logged by a printer server. The OAIC considers that these are all good risk minimisation features to support proper handling of personal information. However, these controls are not documented as applying in circumstances where staff access MHR through the ICM.

3.27 It is good privacy practice under APP 1.2 to document the practices, procedures and systems that staff use to access MHRs. Documentation enhances corporate knowledge and provides greater visibility over operational practices. The OAIC recommends that the hospital should update its MHR access security policy, and any other related documents, to reflect the current practice of staff accessing MHRs via WA Health’s portal and the CIS. This includes documenting the requirement to obtain a manager’s approval for accessing ICM. If left unaddressed, there is a medium risk that content gaps in documentation may result in staff not knowing the correct access control procedures.

Recommendation 6

To improve its access security governance, Midland Private Hospital should update its MHR access security policy, and any other related documents, to reflect the current practice of staff accessing the MHR system via WA Health’s portal and the CIS. Midland Private Hospital should also introduce or strengthen controls to either ensure that access to the MHR system by employees or contractors through the ICM meets the requirements of the APPs and MHR Rules, or require staff and contractors to only access MHR through CIS.

Identifying staff access to the MHR system

3.28 Under Rule 42(c), Midland Private Hospital must have a process for identifying a person who requests access to a patient’s MHR, and a process for communicating the person’s identity to the System Operator, ADHA.

3.29 Midland Private Hospital is able to identify staff access to the MHR system through CIS via two main logs:

  • Document Access Audit log: this records all activities associated with each document access, including the user account involved, patient name, document name and action taken
  • User Activity Log: this records all user activities associated with an individual user, including the ‘screens’ accessed, date and time of access and patient involved.

These audit logs would typically be given to ADHA on request.

3.30 In accordance with Rule 44(b), CIS records the individual user’s unique internal identification number which is shown in both audit logs. The staff members’ Healthcare Provider Identifier – Individual (HPI-I) is not recorded.

3.31 The OAIC did not identify any privacy risks in relation to identification of staff access to the MHR system. However, Midland Private Hospital could consider implementing the ADHA’s recommendation[5] for clinical software to also record a staff member’s HPI-I, if applicable.

Suspending and deactivating staff access

3.32 Under Rules 42(4)(a), 44(d) and 44(e), Midland Private Hospital must have a process for suspending or deactivating the user accounts of staff who leave the organisation, whose security has been compromised, or whose duties no longer require them to access the MHR system.

3.33 Staff user accounts in CIS are linked to Midland Private Hospital’s payroll system. When a staff member leaves the organisation and their payroll is terminated, the user account automatically shuts down within two hours.

3.34 Where a user account’s security is compromised, action is taken immediately to deactivate the account. In other circumstances where a staff member no longer requires access to the MHR system, their manager is responsible for advising IT to deactivate access.

3.35 The OAIC did not identify any privacy risks in relation to suspension and deactivation of staff access to the MHR system.

Training

3.36 Midland Private Hospital provides some MHR training that is currently limited to the IT aspects of CIS, such as appropriately accessing MHR documents and suppressing discharge summaries where consent is withdrawn. The training is provided in a one-hour face-to-face session to medical staff during induction, but not to nurses or allied health staff who can request this training from their respective areas.

3.37 Nurses and allied health staff began receiving five-minute ‘toolbox’ sessions from February 2019 but this does not cover MHR training.

3.38 The training officer maintains a register of staff attendance for the MHR training.

3.39 The MHR training does not cover the following topics prescribed in Rule 42(4)(b):

  • how to use the MHR system accurately and responsibly (noting the IT topics discussed at [3.36] may provide some coverage of this area)
  • the legal obligations[6] on Midland Private Hospital and staff using the MHR system
  • the consequences[7] of breaching those obligations.

3.40 Midland Private Hospital is currently developing an online MHR education module that will address the prescribed requirements. The OAIC understands from the draft MHR access policy that staff must complete this module before being granted access to the MHR system, which is in accordance with Rule 42(4)(b).

3.41 Currently, however, staff are already accessing MHRs without having received the mandatory MHR training. The OAIC considers that there is a high risk of breaching Rule 42(4)(b) and APPs 1.2 and 11 if Midland Private Hospital does not immediately finalise and implement the MHR education module. Training is critical to building strong staff awareness of their MHR privacy and access security obligations, from accessing MHRs correctly to identifying and containing data breaches. Insufficient training can result in unsafe information handling practices and increased margin for error. The OAIC notes that human error is the leading cause of data breaches in the Australian health sector.[8]

3.42 Midland Private Hospital also provides mandatory privacy training to all new staff as part of their induction process. The training involves an online module that covers the Privacy Act and data breaches under the Notifiable Data Breaches scheme. The OAIC reviewed copies of the training material.

3.43 Midland Private Hospital does not provide MHR or privacy refresher training, or ad hoc training to address any legislative changes. Instead, the hospital communicates legislative change to staff via privacy awareness campaigns (such as posters) and Pulse App. Communication campaigns and push notification are a good way to enhance staff awareness and overall privacy culture, however, these methods are less likely to be effective where the subject matter is complex or where staff engagement is not compulsory. The OAIC considers there is still a high risk that staff may remain unaware of legislative changes that may impact on information handling in MHRs, or of changes to MHR system functionalities.

3.44 To address these risks, Midland Private Hospital must provide regular refresher training at least annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities. This would demonstrate reasonable steps under APPs 1.2 and 11 to educate staff to avoid practices that would breach MHR privacy and access security obligations.

Recommendation 7

To ensure Midland Private Hospital satisfies the requirements of Rule 42(4)(b) and APPs 1.2 and 11, it must:

  • immediately finalise and implement its MHR education module
  • conduct MHR training for all staff before they are granted access the MHR system
  • provide regular and ongoing refresher training to all staff annually, in addition to ad hoc training when there changes to legislation or MHR system functionalities.

 

3.45 WA Health provides training on accessing MHRs via ICM. The OAIC did not review the related training materials as WA Health is outside the scope of this assessment.

3.46 Midland Private Hospital currently does not provide MHR or privacy training to its contractors. The OAIC sighted an extract of hospital’s Service Level Agreement (SLA) that applies to contractors. The SLA places an onus on contractors to ensure their staff are made aware of, and comply with, the obligations outlined in the Privacy Act and any other legislation when dealing with personal information. The SLA does not explicitly refer to MHR legislation.

3.47 To ensure that contractors clearly understand their MHR privacy and access security obligations, Midland Private Hospital must update its SLA to explicitly clarify that contractors and their staff must comply with MHR legislation, including the hospital’s MHR access security policy.[9]

3.48 As part of its role in enforcing the MHR access security policy, Midland Private Hospital is ultimately responsible for ensuring that contractors and their staff are sufficiently trained before MHR access is granted. Some options that the hospital could consider to meet this responsibility include providing MHR training to contractors and their staff, or applying contractual terms that require contractors to undertake external training. The hospital could also consider mechanisms to ensure that contractual obligations are being fulfilled, such as sighting training attendance sheets.

Recommendation 8

The hospital must:

  • ensure that contractors and their staff are sufficiently trained before MHR access is granted
  • update its Service Level Agreement to explicitly clarify that contractors and their staff must comply with MHR legislation.

 

Physical and information security related to My Health Record access

3.49 Rule 42(4)(d) requires Midland Private Hospital to establish physical and information security measures to address privacy risks associated with unauthorised disclosure and access. This includes user account management measures that must be implemented under Rule 44. Most of the measures relating to access security are discussed in the previous section on Access to the My Health Record system. This section focuses on passwords and physical security.

3.50 The OAIC observed physical security controls at Midland Private Hospital’s Emergency Department during a demonstration of how staff access CIS and WA Health’s ICM. The OAIC observed that the computer terminals in the emergency ward were positioned facing away from patients’ beds. This is a privacy protective measure to prevent patient information from being inadvertently read by unauthorised persons.

3.51 The OAIC also observed password controls for staff logins. After logging into the hospital’s IT system, staff enter their username and password again to access CIS. Password requirements are outlined in the Information Systems Access and Security Policy. While the hospital’s password requirements provide some level of assurance that passwords are secure and robust in accordance with Rule 44(e), the OAIC recommends that the hospital apply the ADHA’s recommended standard[10] of 13 or more characters (involving a combination of letters with upper and lower case, numbers and symbols).

Recommendation 9

To improve password security, Midland Private Hospital must apply the ADHA’s password standard of 13 or more characters.

 

3.52 Staff in the emergency department are able to access CIS using individual swipe cards, as an alternative to entering their username and password. This is only available at three terminals to facilitate quicker access under emergency conditions.

3.53 Staff are also able to access the MHR system via the ICM portal using a unique username and password, after logging into the hospital’s IT systems.

3.54 Staff are required to change passwords for their hospital user accounts every 90 days, and likewise every 3 months for ICM. Staff do not share logins. They are also locked out of their accounts after 10 failed logins.

3.55 The OAIC observed automatic timeout locks applied to both CIS and ICM. Staff are locked out of their CIS accounts after five minutes of user inactivity, and the timeout activates earlier when a swipe card is used. The ICM system lockout is activated after two minutes of inactivity. It is best practice under APP 11 to require shorter lockout times in systems that handle sensitive information. The OAIC suggests that Midland Private Hospital could consider configuring CIS to automatically activate a timeout lock after 2 minutes of user inactivity, to align with WA Health’s standard.

Risk management and risk mitigation strategies

3.56 Under Rule 42(e), Midland Private Hospital must have mitigation strategies to ensure MHR system-related security risks can be promptly identified, acted upon and reported to management. The assessors observed that Midland Private Hospital has a number of risk management systems and procedures in place to address this requirement, which are discussed below.

Audit logs

3.57 Midland Private Hospital can track MHR system access via the document access audit log and user activity audit log (discussed at [3.29]). The hospital has the system capability to monitor and review MHR access by staff (including contractors). However, it currently does not have a process in place for reviewing these logs and there is no proactive monitoring of MHR access. The hospital relies on complaints to identify unauthorised access or use.

3.58 Complaints are a useful source of risk intelligence that typically elicit a reactive response. Audit logs, on the other hand, allow the hospital to proactively identify unauthorised access, for example, by staff or other individuals who have not been given access, or by authorised staff who may be using the system atypically or inappropriately. Audit logs can also assist with the forensic investigation of privacy incidents as there is a chronological trail of activity captured.

3.59 Unless audit logs are reviewed, there is a high risk that the hospital’s ability to promptly identify access security risks will remain limited. Given the operational complexity of hospitals and the greater numbers of staff with MHR access, the OAIC expects audit logs to be reviewed regularly as a reasonable step under APP 11. The OAIC therefore recommends that Midland Private Hospital must use audit logs to regularly monitor staff access to the MHR system. The hospital should also implement improvements identified from any review of audit logs.

Recommendation 10

Midland Private Hospital must use audit logs to regularly monitor staff (including contractors) access to the MHR system.

Recommendation 11

The hospital should implement improvements identified from any review of audit logs.

 

3.60 Only certain administrative staff have access to the document access and user activity audit logs. This is a good security measure to protect audit logs from unauthorised access and to maintain the integrity of audit data.

3.61 The hospital retains MHR audit log data indefinitely to meet legal requirements under MHR and other legislation. The data is archived and stored at an offsite location.

Risk management tools

3.62  SJGHC Group uses a risk management tool, Riskman, to monitor, mitigate and report security risks across its network, including Midland Private Hospital. Both cyber security and privacy risks are recorded under the banner of ‘cyber security’, including complaints and data breaches. However, by bundling privacy risks together with cyber security risks, there is a low risk that some privacy risks[11] may not be recorded on the basis that they are not ‘cyber security’ risks. To allow for clearer reporting of privacy and cyber security incidents, the OAIC suggests that Midland Private Hospital could create a separate privacy risk category in Riskman, to specifically capture privacy risks as distinct from cyber security risks.

3.63 SJGHC’s Information Security Team has implemented controls to address access security risks recorded in Riskman, including both Group-wide risks and those specific to Midland Private Hospital. These controls relate to staff credential management and training on security risks.

3.64 Strategic or high-level cyber security risks are also recorded in SJGHC’s Enterprise Risk Framework, including risks relevant to MHR access. Managed by the Information Security Team, the Framework notes the causes of identified risks, the impacts involved, and the specific actions or controls implemented by Midland Private Hospital to address these risks.

3.65 SJGHC has implemented Security Information and Event Management (SIEM) capability across its network, but this is currently not being used to monitor MHR activity occurring via either CIS or WA Health’s ICM portal. If in future the level of MHR usage is suggestive of elevated privacy and access security risks, SJGHC / Midland Private Hospital may wish to consider configuring SIEM to allow for real time monitoring of MHR access, as a supplement to regular reviews of audit logs. 

3.66 Midland Private Hospital currently does not undertake Privacy Impact Assessments (PIA) as part of privacy management. PIAs help organisations assess privacy risks to personal information by identifying the impact that a project or systematic change may have on the privacy of individuals. This includes changes in the regulatory environment such as new legislation, the implementation of new or amended systems or databases, or changes to how information is stored. PIAs make recommendations for managing, minimising, or eliminating those privacy impacts. To determine whether it will be necessary to conduct a PIA, a threshold assessment could be undertaken. For more information, see the OAIC’s Guide to undertaking privacy impact assessments.

3.67 Conducting a PIA is a reasonable step under APP 1.2 to ensuring that privacy is embedded into an organisation’s systems, practices and procedures. For example, a PIA would have been appropriate for assessing the privacy risks associated with the implementation of the MHR system at the hospital. Midland Private Hospital should conduct PIAs for similar initiatives in the future and integrate PIAs into its overall risk management approach.

Recommendation 12

Midland Private Hospital / SJGHC should integrate PIAs into its overall risk management approach.

Data breaches

3.68 Staff at Midland Private Hospital are required to report data breaches, suspected data breaches and any incidents to their manager. As discussed earlier at [3.62 and 3.64], the hospital has risk management tools to facilitate reporting procedures. There are a series of escalation points within Midland Private Hospital and the wider SJGHC Group, with ultimately the Group Compliance Team deciding whether a data breach needs to be escalated to the Response Team for more serious action and external reporting. The OAIC observed that SJGHC Group’s Data Breach Framework and Response Plan clearly articulates procedures and lines of command, which assists Midland Private Hospital to identify, contain and mitigate data breaches.

3.69 Risks recorded by staff in Riskman are reported to the SJGHC Board.

3.70 Midland Private Hospital is subject to data breach reporting requirements under the MHR Act and Privacy Act. The two data breach schemes operate separately and contain different notification requirements and legal thresholds. The OAIC observed that SJGHC Group’s Data Breach Framework and Response Plan focuses on data breaches under the Privacy Act. There is brief mention of the MHR data breach notification requirements[12], but the distinction between both schemes is often blurred.

3.71 The OAIC considers there is a medium risk of MHR data breaches being mishandled if staff rely on the operational procedures described in the policy. SJGHC / Midland Private Hospital should amend the policy to clearly distinguish MHR requirements from those of the Privacy Act. This distinction should likewise be reflected in current and future privacy training materials (including the upcoming MHR education module).

Recommendation 13

SJGHC / Midland Private Hospital should amend the Data Breach Framework and Response Plan, and any relevant training materials, to clearly distinguish the requirements of the MHR Act from those of the Privacy Act.

Part 4: Recommendations and responses

My Health Record access security policy

OAIC recommendation 1

Midland Private Hospital must immediately implement its draft My Health Record access security policy to meet the requirements of Rule 42 and APPs 11 and 1.2.

Midland Private Hospital response

The draft MHR Policy was amended to cover requirements highlighted by the audit questionnaire and the audit itself. The MHR Policy was approved on 28 June 2019 and implemented on that date. The MHR Policy was also launched on the intranet on 28 June 2019, and follow up communications were sent on 8 July 2019. 

SJGHC already had in place policies and frameworks relating to the application of Australian Privacy Principles (previously supplied).

SJGHC will continue MHR Policy implementation, communication and training.

OAIC recommendation 2

Midland Private Hospital should amend its draft My Health Record access security policy so that the policy content is addressed to caregivers, contractors and consultants.

Midland Private Hospital response

The suggested wording was adopted in the MHR Policy following concerns raised at that the time of the audit. This is now approved and active as discussed above under Recommendation 1. 

OAIC recommendation 3

Midland Private Hospital must communicate its MHR access security policy to contractors (and consultants) when it is implemented.

Midland Private Hospital response

The communication of the MHR Policy shall include contractors as recommended. Relevantly, the Midland CEO has already communicated this policy to contractors and contracted service providers.

OAIC recommendation 4

Midland Private Hospital must review its MHR access security policy at least annually, and when any material new or changed risks are identified.

Midland Private Hospital response

An annual review of the MHR Policy will be scheduled. 

Access to the My Health Record system

OAIC recommendation 5

Midland Private Hospital must limit access to the MHR system to staff who require access as part of their duties.

Midland Private Hospital response

SJGHC has policies and procedures in place to ensure the limiting of access to patient information as part of their duties. This is further being strengthened by the implementation of the MHR Policy as discussed above.

SJGHC is currently reviewing the way in which this is done in practice to ensure that this commitment can be more easily maintained and monitored with respect to all patient information and MHR system access. 

OAIC recommendation 6

To improve its access security governance, Midland Private Hospital should update its MHR access security policy, and any other related documents, to reflect the current practice of staff accessing the MHR system via WA Health’s portal and the CIS. Midland Private Hospital should also introduce or strengthen controls to either ensure that access to the MHR system by employees or contractors through the ICM meets the requirements of the APPs and MHR Rules, or require staff and contractors to only access MHR through CIS.

Midland Private Hospital response

SJGHC will review and investigate the implementation of improvement opportunities (including by way of amendments to its policies and the introduction of other possible controls) with respect to access to the MHR system via WA Heath's portal, ICM. Where appropriate, it will introduce or strengthen controls.

In the interim, and until SJGHC has concluded its review and investigation, SJGHC will require its staff and contractors to only access MHR through CIS. SJGHC will implement this change through an immediate amendment to its MHR access and security policy in conjunction with appropriate communications to staff and contractors. 

Training

OAIC recommendation 7

To ensure Midland Private Hospital satisfies the requirements of Rule 42(4)(b) and APPs 1.2 and 11, it must:

  • immediately finalise and implement its MHR education module
  • conduct MHR training for all staff before they are granted access to the MHR system
  • provide regular and ongoing refresher training to all staff annually, in addition to ad hoc training when there changes to legislation or MHR system functionalities.

Midland Private Hospital response

The training modules were made available at MPH and Midland Public Hospital by 9 July 2019. All employees must complete the training module before they are granted access. MPH will also ensure annual refresher training is provided. 

OAIC recommendation 8

The hospital must:

  • ensure that contractors and their staff are sufficiently trained before MHR access is granted
  • update its Service Level Agreement to explicitly clarify that contractors and their staff must comply with MHR legislation.

Midland Private Hospital response

Recommendation to be implemented in part. 

SJGHC will make its training modules with respect to the MHR Policy available to its contractors who require MHR access. SJGHC will continue to ensure that whoever requires access to MHR will be appropriately trained as per the MHR Policy.  

It would be impractical to vary all existing service contracts to recognise the MHR legislation. In SJGHC's view, the wording of existing contracts is sufficient despite not specifically and expressly referencing the MHR legislation specifically. Extracts of the current obligations imposed on contractors are set out in Annexure A.  

However, and nonetheless, SJGHC will endeavour to include specific reference to compliance with MHR legislation in future agreements and when existing agreements next come up for renewal and will otherwise retain current clauses which require that contracting parties comply with their respective legal obligations (which would, in any event, extend to obligations under the MHR legislation).

Physical and information security related to My Health Record access

OAIC recommendation 9

To improve password security, Midland Private Hospital must apply the ADHA’s password standard of 13 or more characters.

Midland Private Hospital response

SJGHC is currently updating its password policy in line with NIST standards.

Risk management and risk mitigation strategies

OAIC recommendation 10

Midland Private Hospital must use audit logs to regularly monitor staff (including contractors) access to the MHR system.

Midland Private Hospital response

SJGHC has begun implementing a monitoring facility using its cybersecurity SIEM.

OAIC recommendation 11

The hospital should implement improvements identified from any review of audit logs.

Midland Private Hospital response

MPH will implement a process for any improvement opportunities relevant to MHR access which arise from reviews of audit logs to be identified and evaluated. If deemed appropriate, those improvement opportunities will be acted upon. 

OAIC recommendation 12

Midland Private Hospital / SJGHC should integrate PIAs into its overall risk management approach.

Midland Private Hospital response

SJGHC has committed to implementing a PIA process for applications and in the discovery process for all projects and major changes.

OAIC recommendation 13

SJGHC / Midland Private Hospital should amend the Data Breach Framework and Response Plan, and any relevant training materials, to clearly distinguish the requirements of the MHR Act from those of the Privacy Act.

Midland Private Hospital response

SJGHC has already completed this action as suggested at the time of the audit.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 The objective of the assessment was to examine how staff at Midland Private Hospital access the MHR system, and whether Midland Private Hospital has appropriate governance arrangements to manage security risks in accordance with Rule 42 of the My Health Records Rule 2016.

5.2 Rule 42 requires that all healthcare provider organisations have, communicate and enforce, an access security policy for accessing the My Health Record system. Rule 42 sets out a number of matters that the access security policy must address.

5.3 The assessment also considered how Midland Private Hospital meets the following obligations under the Privacy Act:

  • APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems to ensure that it complies with the APPs.
  • APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well unauthorised access, modification or disclosure.

Privacy risks

5.4 The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

5.5 OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

Timing, location and assessment techniques

5.6 The OAIC reviewed the results of a self-administered questionnaire submitted by Midland Private Hospital. The questions were based on the prescribed requirements under Rule 42 and the reasonable steps to protect personal information (APP 11) and implement practices, procedures and systems in order to comply with the APPs (APP 1.2).

5.7 The OAIC also conducted a desktop review of Midland Private Hospital’s MHR access security policy and other relevant policy and procedure documents. The OAIC also reviewed an extract of a Service Level Agreement and a copy of the hospital’s Medical Practitioner By-Laws that apply to contractors.

5.8 The OAIC conducted the fieldwork component of the assessment at Midland Private Hospital in Perth on 30 April 2019, where we interviewed Midland Private Hospital staff.

5.9 The fieldwork also included demonstrations of clinical systems used to access the MHR system.

Reporting

5.10 To the extent possible, the OAIC publishes final assessment reports in full or in an abridged version on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating

Entity action required

Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation

 

Immediate management attention is required.

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media.
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation

 

Timely management attention is expected.

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media.
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities.
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation

Management attention is suggested.

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

 


[1] In this report, ‘consumers’ is used to describe individuals as recipients of healthcare. This is consistent with terminology in the My Health Records Act 2012.

[2] The ADHA announced that nine out of ten Australians have a My Health Record following the conclusion of the opt-out period on 31 January 2019: https://www.myhealthrecord.gov.au/news-and-media/australians-to-have-my-health-record

[3] Midland Private Hospital further advised the OAIC after fieldwork that its draft policy had since been endorsed by the SJGHC Policy Committee.

[4] For example, see paragraph 5.5: ‘Caregivers who have been authorised to access the My Health Record system must not access records that they are not entitled access’.

[5] See the ADHA’s Security Practices and policies checklist for the MHR system: https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/security-practices-and-policies-checklist.

[6] There is no right or wrong approach to the prescribed training. The following are some suggested topics that could apply as part of a best practice approach: requirements relating to Rule 42; collection, use and disclosure of health information in a patient’s MHR (see Part 4 of the MHR Act); data breaches (see s 75 of the MHR Act); other relevant obligations under Part 5 of the MHR Act; and the APPs where relevant.

[7] As per above footnote, the following are suggested topics that could be covered as part of best practice: civil and criminal penalties under the MHR Act, and the financial, physical and psychological potential harms arising from a data breach.

[8] See the OAIC’s Notifiable Data Breaches Scheme 12-month Insights Report published in May 2019, available at: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-scheme-12-month-insights-report.

[9] The OAIC was advised during fieldwork that doctors and specialists are also bound by Midland Private Hospital’s By-Laws, which outline standards of conduct for Visiting Medical Officers. The OAIC noted a similar requirement for practitioners to comply with ‘all laws and rules, policies and procedures in relation to confidentiality, privacy and the management of personal and health information’ (Schedule 4, clause 3(c)). While the By-Laws may be intentionally high level, the lack of reference to the Privacy Act and MHR Act in principal governance documents may make it difficult for practitioners to understand the full scope of their privacy obligations.

[10] Please see the ‘Security practices and policies checklist’ on ADHA’s website: https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/security-practices-and-policies-checklist.

[11] For example, a privacy breach resulting from a doctor uploading a discharge summary to the wrong patient’s MHR is a privacy and not a cyber security risk.

[12] See section 75 of the MHR Act. For more information, see the OAIC’s Guide to mandatory data breach notification in the My Health Record system. The RACGP’s flow chart on managing data breaches under both the Privacy Act and MHR Act is a useful resource.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au