Public health providers must adhere to strict cyber security rules – and so do independent contractors

In the wake of a series of major health breaches, the government has released a cyber security policy and action plan setting out a national response to growing cyber threats.

The plan covers New Zealand’s critical infrastructure, from the electricity grid to transport, payment systems and the health sector. The government held consultations on the plan with the ministry this week.

We argue that better regulatory oversight is urgently needed in the health sector.

Late last year, more than 120,000 New Zealanders had their medical records compromised when the patient data portal Manage My Health was hacked.

Then in January, prescription app MediMap was taken offline after patient information was found to have been altered in a cyber attack.

These security breaches have severely damaged confidence in the New Zealand health system. They are the subject of a government review and of an investigation by the Privacy Commissioner.

To prevent this from happening again, the government must require all parties that hold, transfer or share health information to be subject to regulatory oversight and mandatory audits, regardless of whether they are in the private or public sector.

A single set of cyber security rules is needed

From the public’s perspective, the difference between public health care providers and the private IT service providers they rely on is negligible.

This is reinforced by section 11 of the Privacy Act, which states that healthcare providers remain responsible for information processed on their behalf, even if they use IT service providers.

However, the Health Information Privacy Code also lists IT providers as “health organizations”, which can cause confusion about which organization is ultimately responsible.

Currently, New Zealand does not have a single law prescribing minimum cyber security requirements. There are no clear, mandatory due diligence requirements governing the selection of IT services, beyond the general obligations of privacy and security.

We argue that this needs to change.

What happens to old health information

When patients change doctors, their old records don’t disappear. They can remain for many years in whatever system the previous provider used.

One patient reported that their medical files were still being sent to Manage My Health two years after their doctor stopped using the platform.

Although providers are required by law to protect and manage this information, there is little scrutiny. Patients may not be notified unless or until a serious event occurs.

Section 11 of the Privacy Act should be strengthened to require express contractual obligations between providers and the agents that store or process information on their behalf.

Government agencies face stricter rules, because the government’s protective security requirements dictate how departments handle sensitive information. If data needs protection when held by the government, it needs equal protection when held by contractors.

In the UK, any public or private organization that accesses patient data held by the public health system must complete the Data Security and Protection Toolkit self-assessment each year. In the United States, federal audits of health care providers are conducted under the Health Insurance Portability and Accountability Act.

Another example is Finland, which responded quickly to the 2020 data breach at the private psychotherapy centre Vastaamo by mandating a security audit for all healthcare providers, without exception.

Vastaamo’s system, which held the records of 33,000 psychotherapy patients, stored sensitive data without encryption. Investigators found that the patient database was protected by only minimal administrator access control and insufficient network restrictions, and that the system had never been subjected to an effective external security audit.

Since Finland strengthened and expanded mandatory security checks for those handling patient information, no breach of a comparable scale has been reported there. New Zealand should follow suit.

While we await the results of the investigation into how these breaches occurred, the government should consider the following factors:

Data protection and governance

If data is stored on servers overseas, foreign laws may apply to it, even though the patients are in New Zealand. This is particularly important when considering the implications for Māori data.

Due diligence and procurement

Government agencies must follow clear and transparent procedures before trusting private vendors with patient information.

All private companies that deal with health information are now classified as health organizations and must comply with the standards of the Health Information Privacy Code 2020. Clear guidance should be given to doctors and health providers to help them decide whether they should hand over patient information to private companies.

Historical information

Currently, the rules on retention and deletion of health information are spread across many statutes and codes. The ability to delete data is limited. We need better transparency and oversight across the system.

We argue that New Zealand needs a mandatory security review for every application that handles health data. We hope the government will implement this.
