Access security governance for the My Health Record system - St Vincent’s Private Hospital Toowoomba

Part 1: Executive Summary      

1.1          This report outlines the findings of the Office of the Australian Information Commissioner (OAIC) on a privacy assessment of St Vincent’s Private Hospital Toowoomba’s (SVPHT) access security governance for the My Health Record (MHR) system conducted in May 2019.

1.2          All healthcare providers who are registered participants of the MHR system are required to have, communicate and enforce an access security policy under Rule 42 of the My Health Records Rule 2016 (My Health Records Rule). Rule 42 prescribes a number of requirements that must be addressed in the policy, to ensure that staff and contractors’ access to the MHR system is secure.

1.3          The objective of this assessment was to examine how staff and contractors at SVPHT access the MHR system, and whether the hospital has appropriate governance arrangements to manage access security risks in accordance with Rule 42. This involved looking at how staff and contractors are granted access to the MHR system, how that access is controlled and monitored, and how system risks are identified and managed.

1.4          This assessment also considered the reasonable steps taken by SVPHT to protect personal information and implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles (APPs), pursuant to APPs 1.2 and 11.

1.5          This assessment found that SVPHT has taken some steps to address and implement the requirements of Rule 42, including implementing an MHR access security policy.

1.6          The assessment identified some high and medium level privacy risks. The OAIC has made nine recommendations to address these risks. The recommendations, and SVPHT’s responses, are outlined in the Parts 3 and 4 of this report. The OAIC has also made nine suggestions which, if implemented, will assist SVPHT to further reduce privacy risks.

Part 2: Introduction

Background

Overview of the My Health Record system

2.1          The MHR system is the Australian Government’s digital health record system. A MHR is an online summary of a consumer’s key health information including details of their medical conditions and treatments, medicines, allergies, tests and scans.[1] This information can be viewed securely online. As end-users of the system, healthcare providers (such as doctors, specialists and hospital staff) are able to view and add information to a My Health Record when they need to, subject to access controls set by the consumer.

2.2          The MHR system is regulated under a suite of legislation including the My Health Records Act 2012 (Cth) (My Health Records Act) and My Health Records Rule 2016 (Cth) (My Health Records Rule). 

2.3          The Australian Government announced in May 2017 that all consumers would receive a MHR unless they decided to opt-out. The opt-out period occurred from July 2018 to January 2019. Most consumers[2] now have a MHR, which is expected to drive greater use of the system by healthcare providers.

2.4          Private hospitals are required to comply with the APPs in the Privacy Act 1988 (Privacy Act) when handling personal information, which includes handling personal information in the MHR system.

2.5          Private hospitals that handle personal information in the MHR system are also bound by the obligations set out in Rule 42 of the My Health Records Rule. Rule 42 focusses on privacy governance, specifically in relation to end-user access security. Under Rule 42, healthcare providers who are registered participants in the MHR system must have a written policy that addresses a number of prescribed requirements, including:

  • how individuals are authorised to access the MHR system
  • staff training in relating to using the MHR system accurately and responsibly, and the legal obligations involved
  • the process for identifying a person who requests access to a consumer’s MHR
  • physical and information security measures, including user account management (linked to Rule 44)
  • strategies to identify, mitigate and report MHR system risks.

2.6          In many respects, the Rule 42 requirements complement APPs 1.2 and 11. Importantly, however, the Rule 42 requirements do not constitute all the reasonable steps a healthcare provider may need to take for the purposes of the APPs.

2.7          In practice, this means that healthcare providers participating in the MHR system have concurrent obligations to:

  • fulfil the privacy and access security requirements outlined in Rule 42
  • take reasonable steps to protect personal information and implement practices, procedures and systems to ensure compliance with the APPs.

2.8          This assessment examined how SVPHT fulfils the Rule 42 requirements, as well as the steps it takes under APPs 1.2 and 11 when staff and contractors handle personal information in patients’ MHRs.

The OAIC’s role     

2.9          The OAIC provides independent privacy oversight of the MHR system under the My Health Records Act.

2.10       The OAIC has a Memorandum of Understanding (MOU) with the Australian Digital Health Agency to provide dedicated privacy-related services under the Privacy Act and the My Health Records Act. This assessment forms part of the OAIC’s MOU work programme.

2.11       The OAIC had regard to the recent national expansion of the MHR system when deciding to focus on end-user access security in this assessment. The increased adoption and use of MHRs by individuals and organisations increases the privacy risk profile of the MHR system, and heightens the importance of awareness and compliance with MHR access security policies and practices under Rule 42 and the APPs.

St Vincent’s Private Hospital Toowoomba

2.12       SVPHT is located in Toowoomba, Queensland. SVPHT is part of the wider St Vincent’s Health Australia (SVHA) group. SVHA is the largest not-for-profit health and aged care provider in Australia and operates six public hospitals, 10 private hospitals and 15 aged care facilities. SVPHT is a 191-bed facility.

2.13       A number of contractors operate onsite, including a radiology service provider, pathology service provider, and a pharmacy. This also includes Visiting Medical Officers (VMOs) and allied health professionals under contract to SVPHT (discussed further at [3.27]).

2.14       The OAIC selected SVPHT for an assessment based on MHR system data provided by the Australian Digital Health Agency (ADHA), which indicated that the hospital is accessing MHRs.

2.15       At the time of fieldwork (May 2019), there were approximately 599 staff including contractors with access to the MHR system at SVPHT.    

Part 3: Findings

My Health Record access security policy

Mandatory written policy

3.1          Rules 41 and 42(1) of the My Health Records Rule require healthcare providers to have a written access security policy to be eligible to be registered, and remain registered, under the MHR system. The OAIC observed that there was a MHR access security policy in place at the time of fieldwork. SVPHT advised the policy was implemented in April 2019. Staff at SVPHT were given access to MHRs in May 2017 via the hospital’s clinical system, deLacy. The OAIC notes that, for the period prior to the assessment from May 2017 to April 2019, staff were able to access MHRs without a policy in place.

3.2          The MHR access security policy underpins the security governance for end-users of the MHR system, and is therefore critical to SVPHT’s protection of sensitive patient information. It also helps build staff awareness of obligations under MHR legislation, which in turn helps strengthen privacy culture across the hospital. 

3.3          The OAIC found that the hospital’s policy reasonably addressed the requirements of Rule 42, including outlining staff training, access controls, and physical and information security requirements for the MHR system. However, the OAIC identified some privacy risks in the hospital’s governance and security practices underpinning the policy, which is discussed throughout Part 3 of this report. 

3.4          The OAIC notes that the MHR access security policy places sole responsibility on the Organisation Maintenance Officer (OMO) for:

  • authorising access to MHRs
  • suspending and deactivating MHR access
  • the content of MHR training and the maintenance of the training register
  • monitoring MHR access.

However, the OAIC observed during fieldwork that these responsibilities are often delegated to other officers in practice. Whilst the policy may be intentionally high level, it is important to ensure that what occurs in practice accurately reflects the policy. The OAIC suggests that SVPHT could amend the policy to specify that responsibility is placed on the OMO and delegates of the OMO, if applicable.

3.5          SVPHT’s MHR access security policy references other related and supporting policies such as the privacy policy, SVHA data breach response plan, and information and security policies. This provides staff with a clear overview of the suite of policies applicable to the handling of personal information in the MHR system.

3.6          Under Rule 42, healthcare providers must enforce the MHR access security policy to all its employees and any healthcare providers to whom the organisation supplies services under contract. The policy states that it applies to all ‘SVPHT employees and contractors, who, in the course of their role, may engage with MHRs’. This is a good privacy governance measure that provides transparency about policy scope and enables the hospital to communicate, and enforce, the policy to SVPHT staff and contractors. It also helps ensure all individuals with MHR access, including contractors, are subject to the requirements of Rule 42.

3.7          Whilst most of the policy content explicitly applies to both staff and contractors, the OAIC notes that the policy requirement for reporting security risks is addressed to SVPHT staff only. It is unclear from the information provided by SVPHT, including the policies and procedures relating to the MHR access security policy, whether contractors are obligated to report security risks (including data breaches) to SVPHT. For the avoidance of doubt, the OAIC recommends that the policy, and any other related documents, should be amended to ensure that security risk reporting requirements are obligations placed upon both staff and contractors. This mitigates the risk of contractors not reporting MHR-related security risks, based on a misunderstanding that the requirement does not apply to them.

Recommendation 1

St Vincent’s Private Hospital Toowoomba should amend its My Health Record access security policy so both staff and contractors are obligated to report MHR security risks.

 

3.8          SVPHT has a ‘Policies and Procedures’ policy which sets out the process for reviewing and creating a new policy. Several areas within the SVHA group have input into the development of procedures and policies, including the legal, governance, and audit and risk teams. Each hospital within the SVHA group has a Version Governance Committee, including SVPHT, which is responsible for reviewing all relevant policies that apply to the respective hospital. The SVPHT MHR access security policy was developed in accordance with these processes and procedures.

Communication and accessibility of policy

3.9          Rule 42(2) requires healthcare providers to:

  • communicate the MHR access security policy to all its staff and contractors
  • ensure that the policy remains readily accessible to all its staff and contractors.

3.10       SVPHT communicates its MHR access security policy to staff through ward and department meetings, including any updates or changes to the policy. SVPHT advised that there is an intention to implement a SVHA hospital-wide Quality Report, published on a monthly basis, which will include advising of any updates to the hospital’s policies and procedures. The OAIC supports this initiative and suggests that the substance and reason for any changes to the policy could also be clearly communicated through this mechanism.[3]

3.11       SVPHT could also regularly remind staff of the MHR access security policy, irrespective of whether there have been any changes to the policy. This will ensure that the hospital is compliant with Rule 42(2) and reinforces staff awareness of their MHR privacy and access security obligations.

3.12       During fieldwork, SVPHT advised that the MHR access security policy is provided to contractors as part of the credentialing process. However, the OAIC notes that this practice is not reflected in the SVHA credentialing policy. SVPHT could consider formalising this process in the relevant documentation to ensure that contractors are made aware of their MHR obligations.

3.13       In addition to providing contractors with a copy of the policy, SVPHT could also provide regular reminders to contractors and ensure that any changes to the policy are clearly communicated. This will reinforce awareness of their MHR privacy and access security obligations. Reasonable steps under APP 1.2 may include running an awareness campaign, providing regular email reminders with an electronic copy of the policy attached, and providing training to contractors (further discussed at [3.49 – 3.50]).

3.14       The MHR access security policy is published on the hospital’s intranet which can be accessed by both staff and contractors. The OAIC considers this a satisfactory measure to ensure that the policy is readily accessible to staff and contractors.

Enforcement of policy

3.15       Rule 42(3) of the My Health Records Rule requires healthcare providers to enforce the MHR access security policy in relation to all its staff and contractors who are accessing MHRs through the hospital’s clinical system.

3.16       SVPHT requires staff to undertake mandatory MHR and privacy training (further discussed at [3.42 – 3.45]) and proactively monitors staff MHR access (further discussed at [3.59 – 3.60]). The OAIC considers that SVPHT is taking reasonable steps to enforce its MHR policy.  

3.17       SVPHT is ultimately responsible for ensuring that contractors are complying with the MHR access security policy. SVPHT has a number of agreements and policies in place to define obligations on contractors of the hospital. The OAIC sighted the hospital’s Service Agreement (SA), SVHA by-laws and the Vendor Remote Access Support Policy. The SA places an onus on contractors to comply with SVPHT and SVHA policies and procedures, including broad references to privacy obligations. The SA also requires that the contractor comply with ‘all of its obligations under the Privacy Act 1988’. The SVHA by-laws require ‘Accredited Practitioners’ to comply with the APPs and the Privacy Act. The Vendor Remote Access Support Policy requires contractors to comply with ‘SVHA policies and procedures as advised by SVHA from time to time’.

3.18       The OAIC observed that these agreements and policies do not explicitly refer to the MHR access security policy, nor do they stipulate the obligations on contractors to comply with MHR legislation.

3.19       While these documents may be intentionally high level, the lack of reference to MHR legislation in principal governance documents makes it difficult for contractors to understand the full extent of their obligations when using the MHR system. To ensure that contractors clearly understand their MHR privacy and access security obligations, SVPHT must update any contractual agreements and related documents to explicitly require:

  • contractor’s compliance with the hospital’s MHR access security policy
  • SVPHT to monitor contractor’s compliance with all aspects of the policy
  • both SVPHT and contractors to use physical and information security measures to ensure that the MHR system is appropriately accessed
  • contractors to have mitigation strategies to ensure that MHR security and privacy related risks can be identified, acted upon and reported
  • contractors to report any suspected or actual MHR data breaches to SVPHT.

3.20       In addition to requiring compliance with the MHR access security policy and relevant legislation under contractual agreements, SVPHT is also required to take reasonable steps under APP 1.2 and 11 to implement practices, procedures and systems to ensure contractors are complying with the policy. Some options that the hospital could consider to meet this responsibility include providing MHR training to contractors (discussed further at [3.49 – 3.50]) and to proactively monitor audit logs for unauthorised access (discussed at [3.59 – 3.60]).

Recommendation 2

St Vincent’s Private Hospital Toowoomba must:

  • update any contractual agreements with contractors and related documents to incorporate specific privacy requirements   
  • enforce its MHR access security policy as it applies to contractors.

Review of policy

3.21       Rule 42(6) of the My Health Records Rule requires healthcare providers to review their MHR access security policy at least annually, and when any material new or changed risks are identified.

3.22       SVPHT’s MHR access security policy indicates that review is undertaken every four years, or with legislative change. The OAIC notes that the policy’s review requirements do not meet all aspects of Rule 42(6). In addition to reviewing the policy annually and with legislative change, SVPHT must review its policy when any material new or changed risks are identified. The review must consider:

  • risks that might result in unauthorised access, use or disclosure of patient information from a MHR
  • any changes to the MHR system that may affect SVPHT 
  • any relevant regulatory changes.

3.23       The OAIC considers there is a high risk of non-compliance if SVPHT does not undertake review of the policy in accordance with Rule 42(6). Conducting an annual review ensures that the policy remains current and compliant with Rule 42(6) and APP 1.2. Regular review of the policy is crucial to the effectiveness and accuracy of the policy.

3.24       As mentioned at [3.5], SVPHT’s MHR access security policy references a number of related policies and procedures. Most of these policies have a review period exceeding one year. While the related policies are not subject to the same annual review cycle as the access security policy under Rule 42(6) of the My Health Records Rule, longer review cycles present a risk that the content in related policies may become misaligned with a the MHR access security policy they are designed to support. The OAIC recommends that SVPHT also reviews any relevant or linked policies at regular intervals, and when there is an update to the MHR access security policy.

Recommendation 3

St Vincent’s Private Hospital Toowoomba must review its My Health Record access security policy at least annually, and when any material new or changed risks are identified. Policies and procedures that relate to the My Health Record access security policy should be reviewed regularly and updated to incorporate any changes to the My Health Record access security policy.

Access to the My Health Record system

Authorising access to the MHR system

3.25       SVPHT staff and contractors can only access the MHR system via the hospital’s conformant clinical software, deLacy.

3.26       Staff access to deLacy is authorised via the SVHA Service Desk. A staff member must be approved for ‘clinical’ access in deLacy to be able to access the MHR system. A staff member’s manager is required to submit an access request through an online portal. Access is approved based on a staff member’s defined IT role. Staff access to deLacy is managed in an active directory which assigns application permissions to user accounts.

3.27       Contractors may be authorised by SVPHT to access the hospital’s clinical system, and therefore MHRs depending on their defined role. This includes VMO’s and allied health professionals. Contractors who provide clinical services to patients at SVPHT must be credentialed in accordance with the SVHA credentialing policy, before they are permitted to access deLacy. As part of the credentialing process, the clinician’s scope of clinical practice is defined. Once a contractor has been credentialed, access to the hospital’s clinical system is approved by the Facility Chief Executive Officer and provided to the IT area for processing.

3.28       Strict access controls are outlined in the MHR access security policy and are also addressed in related documents, including the SVHA Access Control Policy. The OAIC did not identify any privacy risks in relation to authorising staff or contractors’ access to the MHR system. SVPHT restricts access to staff and contractors who need access as part of their duties, as required under Rules 42(4)(d) and 44(a).

3.29       The OAIC observed that staff and contractors can access deLacy remotely via either their personal device or a SVPHT-issued device. Where staff or contractors access the system via a personal device, multifactor authentication is required. An authentication app is downloaded by staff and contractors to their mobile device which provides the second-factor authentication for access. Multifactor authentication is an appropriate method to ensure that only authorised persons are accessing the MHR system, especially in circumstances that may pose a higher security risk. Where staff or contractors are using a SVPHT-issued device, access to the hospital’s network is provided through a Virtual Private Network (VPN).

3.30       There are a number of policies which govern the use of personal and SVPHT-issued devices to remotely access deLacy. These include the SVHA ICT Mobile Device Policy, Telework Policy, BYOD Policy and Vendor Remote Access Support Policy. The OAIC considers that SVPHT is taking reasonable steps to ensure that all access points, including remote access by staff and contractors, to the MHR system are secure and robust.

3.31       It is good privacy practice under APP 1.2 to document the practices, procedures and systems that staff use to access MHRs. Documentation enhances corporate knowledge and provides greater visibility over operational practices. The OAIC recommends that the hospital should update its MHR access security policy, and any other related documents, to reflect the current practice of staff and contractors remotely accessing MHRs through personal devices and SVPHT-issued devices. For example, SVPHT could link the existing Vendor Remote Access Support Policy to the MHR access security policy. If left unaddressed, there is a medium risk that content gaps in documentation may result in staff not knowing the correct MHR access control procedures.

Recommendation 4

St Vincent’s Private Hospital Toowoomba should update its MHR access security policy to reflect the current practice of staff and contractors accessing the system remotely either via a personal device or a SVPHT issued device. 

 

3.32       Other access controls apply to documents held in MHRs. DeLacy prevents staff from downloading MHR documents to a local system or network. During a demonstration of how staff access MHRs, the OAIC observed that staff were able to print MHR documents, however, the printers were located in a secure area of the hospital. The OAIC considers that there is strong staff awareness of secure information handling practices at SVPHT. These are good risk minimisation features to support proper handling of personal information.

Identifying staff access to the MHR system

3.33       Under Rule 42(c), SVPHT must have a process for identifying a person who requests access to a patient’s MHR, and a process for communicating the person’s identity to the System Operator, ADHA.

3.34       SVPHT is able to identify staff and contractors’ access to deLacy, including MHR access, via audit logs. The audit logs specify:

  • username
  • date and time
  • location
  • type of document accessed.

3.35       Staff accessing deLacy are required to enter their username and password details. In accordance with Rule 44(b), deLacy records individual usernames which also appear in the audit log. Staff members’ Healthcare Provider Identifier – Individual (HPI-I) is not recorded.

3.36       SVPHT’s MHR access security policy sets out a process for communicating a person’s identity to the System Operator on request.

3.37       The OAIC did not identify any privacy risks in relation to identification of staff access to the MHR system, or the process for communicating staff identity to the System Operator. However, in the interest of greater visibility and conformance with the MHR system, SVPHT could consider implementing the ADHA’s recommendation[4] for clinical software to also record a staff member’s HPI-I, if applicable.

Suspending and deactivating staff access

3.38       Under Rules 42(4)(a), 44(d) and 44(e), SVPHT must have a process for suspending or deactivating the user accounts of staff who leave the organisation, whose security has been compromised, or whose duties no longer require them to access the MHR system. SVPHT’s MHR access security policy addresses these requirements.

3.39       The process of on-boarding and terminating staff and contractors at SVPHT is managed via Workday. Workday is cloud-based software that offers a variety of solutions for businesses including financial management and human resources. When a staff member or contractor leaves the organisation, this is recorded in Workday which then triggers automatic termination of the user account, including access to deLacy and therefore, the MHR system.

3.40       Where a user account’s security is compromised, action is taken immediately to deactivate the account. A user account can be manually disabled within 15 minutes by the SVHA IT team. In other circumstances where a staff member or contractor no longer requires access to the MHR system, their manager is responsible for advising IT to deactivate access.

3.41       The OAIC did not identify any privacy risks in relation to suspension and deactivation of staff access to the MHR system.

Training

3.42       SVPHT provides privacy training to staff as part of orientation. The content of this training focusses on the APPs and Privacy Act obligations. There is brief mention of MHR legal obligations in the module, which covers the strict accessibility requirements and security measures for staff accessing MHRs. This includes the requirement for staff to be authorised by the hospital to access MHRs, tracking of MHR access by staff, and that staff are only to collect, use and disclose information in a patient’s MHR if necessary to perform their duties. The training contains direct links to other various MHR related documents, including the MHR access security policy and relevant MHR legislation.

3.43       SVPHT’s Health Information Manager provides short face-to-face privacy/MHR training during orientation to clinical, nursing and administrative staff who have access to the MHR system. A register of staff who attended this training is maintained by the Health Information Manager. 

3.44       SVPHT advised that on the day of fieldwork a separate MHR training module was uploaded to the hospital’s intranet. This training is mandatory for all staff with MHR access and covers:

  • how to use the MHR system accurately and responsibly
  • the legal obligations on SVPHT staff using the MHR system
  • the consequences of breaching those obligations
  • responding to data breaches, although the OAIC notes that the content focuses on the Privacy Act’s Notifiable Data Breach scheme rather than the data breach notification requirements under s 75 of the My Health Records Act (this is discussed further at [3.72]).

3.45       The OAIC considers that the training provided by SVPHT to staff adequately addresses the requirements of Rule 42(4)(b).

3.46       E-learning modules are made available through the program Workday. Workday automatically records when a staff member accesses a training module. The training module is time-logged to ensure that staff have allocated enough time to complete the training to a satisfactory level.

3.47       SVPHT does not provide MHR or privacy refresher training or ad hoc training to address any changes to legislation or MHR system functionalities. The OAIC considers there is a high risk that without refresher training, staff will be unaware of legislative changes that may impact on information handling in MHRs, or of changes to MHR system functionalities.

3.48       To address these risks, SVPHT must provide regular refresher training at least annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities. This would demonstrate reasonable steps under APPS 1.2 and 11 to educate staff to avoid practices that would breach MHR privacy and access security obligations.

Recommendation 5

St Vincent’s Private Hospital Toowoomba must provide regular and ongoing refresher training to all staff annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities.

 

3.49       SVPHT currently does not provide MHR or privacy training to contractors who access the MHR system through the hospital’s clinical system. The OAIC sighted multiple documents that apply to contractors of the hospital as discussed at [3.17]. The documents do not explicitly outline obligations on contractors accessing the MHR system, including MHR training requirements.

3.50       As part of its role in enforcing the MHR access security policy, SVPHT is responsible for ensuring that contractors and their staff are sufficiently trained before MHR access is granted. Some options that the hospital could consider to meet this responsibility include providing MHR training to contractors and their staff, or applying contractual terms that require contractors to undertake external training. The hospital could also consider mechanisms to ensure that contractual obligations are being fulfilled, such as sighting training attendance sheets.

Recommendation 6

St Vincent’s Private Hospital Toowoomba must ensure that contractors and their staff are sufficiently trained before MHR access is granted.

Physical and information security related to My Health Record access

3.51       Rule 42(4)(d) requires SVPHT to establish physical and information security measures to address privacy risks associated with unauthorised disclosure and access. This includes user account management measures that must be implemented under Rule 44. Most of the measures relating to access security are discussed in the previous section on Access to the My Health Record system. This section focuses on passwords and physical security.

3.52       The OAIC observed physical security controls at a SVPHT hospital ward during a demonstration of how staff access MHRs through deLacy. The OAIC observed that the computer terminals used by nurses were located in a separate room away from patients’ beds. This is a good privacy protective measure to prevent patient information from being inadvertently disclosed.

3.53       The OAIC also observed password controls for staff logins. After logging into the hospital’s IT system, staff enter their username and password again to access deLacy. Password requirements are outlined in the SVHA Password Policy. While the hospital’s password requirements provide some level of assurance that passwords are secure and robust in accordance with Rule 44(e), the OAIC recommends that the hospital apply the ADHA’s recommended standard[5] of 13 or more characters (involving a combination of letters with upper and lower case, numbers and symbols).

Recommendation 7

To improve password security, St Vincent’s Private Hospital Toowoomba should apply the ADHA’s password standard of 13 or more characters.

 

3.54       Staff are required to change passwords for their hospital user accounts every 90 days. SVHA policies require staff at SVPHT to refrain from sharing passwords and leaving computer systems unattended.

3.55       The OAIC observed automatic timeout locks for staff computers. Staff are locked out of their computers after 15 minutes of inactivity. This timeout lock period may be satisfactory in some circumstances; however, it is best practice under APP 11 to require shorter lockout times in systems that handle sensitive information. SVPHT could consider reducing the current timeout lock period staff computers to reduce the risk of unauthorised access. The timeout lock period should reflect the operational environment of the particular area of the hospital, for example, a shorter timeout lock period can be expected in the emergency ward where there is a high volume of patient and staff traffic, or where multiple users are logging into the same computer. 

Risk management and risk mitigation strategies

3.56       Under Rule 42(e), SVPHT must have mitigation strategies to ensure MHR system-related security risks can be promptly identified, acted upon and reported to management. The OAIC observed that SVPHT has a number of risk management systems and procedures in place to address this requirement, which are discussed below.

Audit logs

3.57       SVPHT can track MHR system access via a deLacy audit log which provides detail of deLacy access by staff and contractors (discussed earlier at [3.34]). The type of document accessed in a patient’s MHR is also captured, such as prescription records or discharge summaries.  

3.58       SVPHT can also track MHR access via security audit logs. These audit logs track access to the hospital’s systems from a staff member’s desktop.

3.59       The hospital mostly relies on either MHR complaints or reported data breaches to identify unauthorised access to the MHR system. The OAIC was advised during fieldwork that SVPHT had recently commenced proactive monitoring of deLacy audit logs. Whilst complaints and data breaches are a useful source of risk intelligence, they typically elicit a reactive response. Audit logs, on the other hand, are key tools to allow the hospital to proactively identify unauthorised access, for example, by individuals who have not been given MHR access, or by authorised staff who may be using the system inappropriately.

3.60       The OAIC encourages SVPHT to continue to proactively monitor audit logs. The OAIC notes that the MHR access security policy requires monitoring of staff access to MHRs. SVPHT could consider implementing a specific and formal process to ensure regular and effective monitoring of unauthorised access. For example, SVPHT could update relevant security policies to stipulate proactive monitoring of MHR audit logs as a mandatory requirement. If unauthorised access is identified, SVPHT should make sure that there is a process in place which triggers the data breach response plan, and any other relevant risk management procedures.

3.61       SVPHT advised that improvements identified from review of audit logs are implemented at the hospital. The OAIC notes that at the time of the assessment, SVPHT had not identified any instances of unauthorised access to the MHR system or received any MHR privacy or access security complaints. 

3.62       Access to deLacy audit logs are locked down to domain administrators across the SVHA group, with only one staff member at SVPHT with access. This is a good security measure to protect audit logs from unauthorised access and to maintain the integrity of audit data.

3.63       The hospital retains deLacy audit log data indefinitely to meet legal requirements under MHR and other legislation. The security audit logs are not permanently retained due to the large size of the data.

Risk management tools

3.64       SVHA group uses a risk management tool, Riskman, to monitor, mitigate and report security risks across its network, including SVPHT. SVPHT retains its own risk register which feeds into Riskman. All staff can access Riskman and report an incident. The incident is categorised within Riskman, with privacy and data breaches as distinct categories. The OAIC notes that there are currently no MHR reported risks or complaints recorded in Riskman.

3.65       SVHA has an internal audit team which supports the various audit and risk committees and teams across the SVHA group by conducting reviews and providing advice in relation to identified risks. In 2017, the internal audit team conducted a privacy and confidentiality audit of multiple hospitals, including SVPHT. The findings of this report were actioned by SVPHT and recorded in Riskman. The OAIC was provided with a copy of the audit report. The OAIC notes that a recommendation was made by the internal audit team and this was unrelated to the hospital’s use of the MHR system. 

3.66       The OAIC was advised during fieldwork that cyber security is treated as a strategic risk which includes privacy risks. By bundling privacy risks with cyber security risks, there is a low risk that some privacy risks may not be captured on the basis that they are not ‘cyber security’ risks.[6] To allow for accurate recording and management of privacy risks, the OAIC suggests that SVPHT could create a separate strategic privacy risk category, to specifically capture privacy risks as distinct from cyber security risks.

3.67       SVHA has Security Information and Event Management (SIEM) capability across its network which is used for performance and uptime monitoring purposes. SIEM is not currently being used to monitor MHR access. If in future the level of MHR usage is suggestive of elevated privacy and access security risks, SVPHT could consider configuring SIEM to allow for real time monitoring of MHR access, as a supplement to regular review of audit logs.

3.68       SVPHT currently does not undertake Privacy Impact Assessments (PIA) as part of privacy management. PIAs help organisations assess privacy risks to personal information by identifying the impact that a project or systematic change may have on the privacy of individuals. This includes changes in the regulatory environment such as new legislation, the implementation of new or amended systems or databases, or changes to how information is stored. PIAs make recommendations for managing, minimising or eliminating those privacy impacts. To determine whether it will be necessary to conduct a PIA, a threshold assessment could be undertaken. For more information, see the OAIC’s Guide to undertaking privacy impact assessments.

3.69       Conducting a PIA is a reasonable step under APP 1.2 to ensuring that privacy is embedded into an organisation’s systems, practices and procedures. For example, a PIA would have been appropriate for assessing the privacy risks associated with the implementation of the MHR system at the hospital. SVPHT should conduct PIAs for similar initiatives in the future and integrate PIAs into its overall risk management approach.

Recommendation 8

St Vincent’s Private Hospital Toowoomba should integrate PIAs into its overall risk management approach.

Data breaches

3.70       Data breaches at SVPHT are handled in accordance with the SVHA’s group-wide Data Breach Response Plan (DBRP). The DBRP was developed by SVHA’s governance and risk teams. Staff at SVPHT are required to report data breaches to the SVPHT privacy team. This team assesses the breach and determines whether the breach needs to be escalated to the SVHA Security and Risk Manager IT. Data breaches are recorded in Riskman which allows for any risks to be reported upwards to the SVHA Group.

3.71       The OAIC notes that the hospital’s data breach response plan is regularly tested by the ICT team. Testing data breach response plans helps ensure that the plan is up to date, and that staff know what actions they are expected to take.

3.72       SVPHT is subject to data breach reporting requirements under the MHR Act and Privacy Act. The two data breach schemes operate separately and contain different notification requirements and legal thresholds. The OAIC observed that the SVHA DBRP focuses on data breaches under the Privacy Act. The plan contains a data breach reporting map which attempts to outline the distinction between the two schemes. However, the reporting map incorrectly applies the legal threshold for reporting data breaches under the Privacy Act to MHR data breaches.

3.73       The OAIC considers there is a medium risk of MHR data breaches being mishandled if staff rely on the operational procedures described in the policy. SVPHT should amend the policy to clearly distinguish MHR requirements from those of the Privacy Act. This distinction should likewise be reflected in current and future privacy training materials.

Recommendation 9

St Vincent’s Private Hospital Toowoomba should amend its Data Breach Response Plan and any relevant training materials, to clearly distinguish the data breach notification requirements of the MHR Act from those of the Privacy Act.

Part 4: Recommendations and responses

My Health Record access security policy

OAIC recommendation 1

St Vincent’s Private Hospital Toowoomba should amend its My Health Record access security policy so both staff and contractors are obligated to report MHR security risks.

St Vincent’s Private Hospital Toowoomba response

SVHA MyHR Security and Access Policy has been developed further for group wide use, and includes reference to both staff and contractors and their obligations to report MyHR security risks.

OAIC recommendation 2

St Vincent’s Private Hospital Toowoomba must:

  • update any contractual agreements with contractors and related documents to incorporate specific privacy requirements   
  • enforce its MHR access security policy as it applies to contractors.

St Vincent’s Private Hospital Toowoomba response

SVPHT and the wider Private Hospitals Division are undertaking an audit of all current Service Level Agreements (SLAs) with 3rd Party Contractors. The SLAs will be amended with assistance from the SVHA Legal Team who are currently preparing the appropriate clauses to reflect the MyHR requirements. Communication will also be issued to the relevant managers across the whole of SVHA advising of the appropriate information to be contained in the SLAs.

OAIC recommendation 3

St Vincent’s Private Hospital Toowoomba must review its My Health Record access security policy at least annually, and when any material new or changed risks are identified. Policies and procedures that relate to the My Health Record access security policy should be reviewed regularly and updated to incorporate any changes to the My Health Record access security policy.

St Vincent’s Private Hospital Toowoomba response

The SVHA MyHR Access & Security Policy has been recently revised and will be reviewed at least annually. SVHA Records Management System will include an automated alert to be sent six months prior to the Policy revision date. In addition, SVHA have implemented the Health Legal Comply Online legislative compliance management system which includes regular updates of legislative changes which will also assist to identify the additional need to review the Policy on an ad hoc nature as required.

SVHA information contained within the MyHR system is adequately protected under SVHA’s existing definition, i.e. the SVHA Privacy Policy identifies information in healthcare records as personal and sensitive health information. Generally, SVHA Policies are developed to be system agnostic to ensure they encompass all clinical IT systems in use in SVHA. This minimises the potential for systems to be inadvertently excluded from one policy to the next. However relevant associated SVHA Policies will also be reviewed as required in the event of any MyHR changes.

Access to the My Health Record system

OAIC recommendation 4

St Vincent’s Private Hospital Toowoomba should update its MHR access security policy to reflect the current practice of staff and contractors accessing the system remotely either via a personal device or a SVPHT issued device. 

St Vincent’s Private Hospital Toowoomba response

As above, SVHA MyHR Security and Access Policy has been developed for group wide use, and includes staff and contractors accessing the system remotely. In addition, SVHA IT Policies have been recently revised, including use of personal devices and remote access.

Training

OAIC recommendation 5

St Vincent’s Private Hospital Toowoomba must provide regular and ongoing refresher training to all staff annually, in addition to ad hoc training when there are changes to legislation or MHR system functionalities.

St Vincent’s Private Hospital Toowoomba response

SVHA are currently in the process of extending the current MyHR education by developing Online education which will be included in Workday and covers appropriate use of MyHR information, i.e. SVHA Group-level Privacy and Confidentiality course. The Course will be for SVHA staff and Contractors and it will be available in Workday in late 2019. Once available, the Course can be set to be required for completion annually or as required.

SVHA note that this is a significant logistical issue particularly with Contractors. We are currently reviewing the most effective and efficient way to meet this requirement including discussing it further with other health networks. We are also reviewing this as part of the Gap Analysis we are conducting in compliance with the ACSQHC Advisory AS 18/11 (V2): Implementing Systems that can provide clinical information into the My Health Record System, including assessing Learning and Development needs and developing an Action Plan.

OAIC recommendation 6

St Vincent’s Private Hospital Toowoomba must ensure that contractors are sufficiently trained before MHR access is granted.

St Vincent’s Private Hospital Toowoomba response

As noted above, this is a logistically challenging area that SVHA is working towards addressing. Contractors, including VMOs are not all SVHA employees and while they must comply with SVHA Policies, we don’t necessarily have the same level of engagement with Contractors as with our staff. However, education will be made available for Contractors as above.

SVHA have contacted ADHA and ACSQHC to assist us in conducting widespread MHR education to as many SVHA employees as possible in the short term. In addition, we are developing a MHR Education Plan with a multifaceted approach, including development of a SVHA online MHR course, and utilising existing ADHA and ACSQHC resources including posters, brochures, Clinicians Guides, Rapid Reference Tools, etc.

Physical and information security related to My Health Record access

OAIC recommendation 7

To improve password security, St Vincent’s Private Hospital Toowoomba should apply the ADHA’s password standard of 13 or more characters.

St Vincent’s Private Hospital Toowoomba response

SVHA are in the process of adopting a Password Standard of 13 characters or more. This will commence in Queensland and Victorian Hospitals in October 2019. The rollout to New South Wales will commence at a later date pending changes to the authentication procedure in that state.

Risk management and risk mitigation strategies

OAIC recommendation 8

St Vincent’s Private Hospital Toowoomba should integrate PIAs into its overall risk management approach.

St Vincent’s Private Hospital Toowoomba response

Further to the SVHA IT Security Management Systems Framework, IT has recently established an architectural and security review process for all new IT systems. As part of the process SVHA looks at the intended use of the platform, the systems architecture and security controls to determine potential risks to SVHA and the appropriate mitigation measures. This can also be applied to existing systems as relevant.

OAIC recommendation 9

St Vincent’s Private Hospital Toowoomba should amend its Data Breach Response Plan, and any relevant training materials, to clearly distinguish the data breach notification requirements of the MHR Act from those of the Privacy Act.

St Vincent’s Private Hospital Toowoomba response

The SVHA Data Breach Response Plan is in the process of being updated to distinguish between Data Breaches from MyHR as distinct from those related to the Privacy Act, i.e. it will clarify that where there is a breach of MyHR the Responsible Officer (RO) and Organisation Maintenance Officer (OMO) will be included as relevant.

 

Part 5: Description of assessment

Objective and scope of the assessment

5.1          The objective of the assessment was to examine how staff at SVPHT Private Hospital access the MHR system, and whether SVPHT has appropriate governance arrangements to manage security risks in accordance with Rule 42 of the My Health Records Rule 2016.

5.2          Rule 42 requires that all healthcare provider organisations have, communicate and enforce, an access security policy for accessing the My Health Record system. Rule 42 sets out a number of matters that the access security policy must address.

5.3          The assessment also considered how SVPHT meets the following obligations under the Privacy Act:

  • APP 1.2 requires an entity to take reasonable steps to implement practices, procedures and systems to ensure that it complies with the APPs.
  • APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well unauthorised access, modification or disclosure.

Privacy risks

5.4          The OAIC makes recommendations to address ‘high’ and ‘medium’ privacy risks. For more information about these privacy risk ratings, see the OAIC’s ‘Privacy risk guidance’ at Appendix A. Further detail on this approach can be found in Chapter 7 of the OAIC’s Guide to privacy regulatory action.

5.5          OAIC assessments are conducted as a ‘point in time’ exercise. That is, our observations and analysis are only applicable to the time period during which the assessment was undertaken.

Timing, location and assessment techniques

5.6          The OAIC reviewed the results of a self-administered questionnaire submitted by SVPHT. The questions were based on the prescribed requirements under Rule 42 and the reasonable steps to protect personal information (APP 11) and implement practices, procedures and systems in order to comply with the APPs (APP 1.2).

5.7          The OAIC also conducted a desktop review of SVPHT’s MHR access security policy and other relevant policy and procedure documents.

5.8          The OAIC conducted the fieldwork component of the assessment at SVPHT in Toowoomba on 9 May 2019, where we interviewed SVPHT staff.

5.9          The fieldwork also included demonstrations of clinical systems used to access the MHR system.

Reporting

5.10       To the extent possible, the OAIC publishes final assessment reports in full or in an abridged version on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating

Entity action required

Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation

 

Immediate management attention is required.

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media.
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation

 

Timely management attention is expected.

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media.
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities.
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation

Management attention is suggested.

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met


[1] In this report, ‘consumers’ is used to describe individuals as recipients of healthcare. This is consistent with terminology in the My Health Records Act 2012.

[2] The ADHA announced that nine out of ten Australians have a My Health Record following the conclusion of the opt-out period on 31 January 2019: https://www.myhealthrecord.gov.au/news-and-media/australians-to-have-my-health-record

[3] For example, if the physical and information security section of the policy is updated due to known incidents of unauthorised access to the MHR system, this could be clearly communicated to staff and contractors as the reason for the update of the policy.

[4] See the ADHA’s Security Practices and policies checklist for the MHR system: https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/security-practices-and-policies-checklist.

[5] Please see the ‘Security practices and policies checklist’ on ADHA’s website: https://www.myhealthrecord.gov.au/for-healthcare-professionals/howtos/security-practices-and-policies-checklist.

[6] For example, a privacy breach resulting from a doctor uploading a discharge summary to the wrong patient’s MHR is a privacy risk, not a cyber security risk.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au