Privacy and Security in National eHealth Systems


1
Privacy and Security in National e-Health Systems
  • Peter R. Croll
  • Professor of Software Engineering, Information
    Security Institute, Faculty of Information
    Technology
  • Queensland University of Technology (QUT),
    Brisbane, Australia
  • Presentation for IACITS-2007, 3rd Indo-Australian
    Conference on Information Technology Security,
    9th-10th July 2007, ISI QUT, Brisbane

2
National e-health agendas - Global
  • UK's NHS priority is Choose and Book,
    whole-of-system appointment scheduling, initial
    costs AU$17,000 million.
  • Health Insurance Portability and Accountability
    Act (HIPAA), USA: some estimates between 3-10
    times cost of Y2K. Involves Privacy Rule,
    Security Rule, UPI Rule.
  • Canada Health Infoway (EHR $1.1B federal
    government funding)
  • i2010 e.g. 1,000 million in digital
    technologies for Europeans to age well

3
National e-health agenda - Australia
  • HealthConnect: $128 million total, e.g. Broadband
    for Health Program is a $69 million Australian
    Government program to provide broadband Internet
    access to GPs, Aboriginal Community Health
    Services and Community Pharmacies nationwide.
  • Electronic Prescribing/Dispensing of Medicines:
    effective 1 Mar 2007
  • HealthInsite: web gateway to quality health
    info.
  • Medicare Medical Access Card ($1,100 million)
  • NEHTA: a single healthcare provider identifier
    ($53 million), creating a unique health ID number
    system for all Australians ($45 million) and
    developing a common clinical language to support
    the electronic exchange of critical data ($32
    million)
  • NCRIS: National Collaborative Research
    Infrastructure Strategy $500 million, population
    health ($20 million), e-research ($70 million)
  • Privacy Law reform (ALRC)

4
NEHTA - National E-Health Transition Authority
  • Standards
  • Interoperability
  • Secure messaging
  • Unique Health Identifiers
  • Privacy of Sensitive Data
  • Shared Electronic Health Record

5
Is there a problem
  • ... about specifying e-health standards that are
    not yet tested and proven internationally?
  • There is intensive work on this and it's moving
    quickly, so we're confident those international
    regimes will be in place. Web services and
    service-oriented architecture are still evolving,
    but there's enough there to give us confidence
    it's the sensible approach.
  • Aus IT, Doing the numbers on e-health, Ian
    Reinecke, CEO, NEHTA

6
Privacy and Related Legislation in Australia
NEHTA states that privacy protection in Australia
is a complex patchwork. It is considered
possible to navigate the existing privacy
environment although this is not without some
risk and may require future changes.
7
(No Transcript)
8
The key questions
  • i) Are people overreacting to privacy issues?
  • ii) Do we need to establish a culture of
    compliance (enforced or encouraged)?
  • iii) Does Information Technology significantly
    add to this complexity?
  • iv) What role can IT have with compliance?

9
Are people overreacting to privacy issues?
  • To understand this what do we mean by Privacy?
  • Physical Privacy
  • Communication Privacy
  • Personal Privacy
  • Information Privacy?
  • Focus on Information Privacy Security ?
    Privacy
  • specifically digital electronic information

WHAT YOU STARING AT?
10
Privacy Health Information
Media release, Australian Law Reform Commission,
Monday 9 October 2006
Computers, biometrics and Gen Y: Is privacy passé?
Do Australians feel that their privacy is adequately
protected? Is it possible for privacy laws to
keep up with technology such as data matching,
facial recognition and even body odour
measurement? Do younger people care as much about
privacy as their elders?
  • More Specifically Health information
    Sensitive Information
  • Erroneous financial transactions are reversible;
    unwarranted health disclosure is for life!

11
In US one report a week on health privacy /
security concerns
GAO: Health care privacy breaches widespread
But the frequency and severity of the breaches is unclear
Linda Rosencrance
September 06, 2006 (Computerworld) -- More
than 40% of U.S. Medicare contractors and state
Medicaid agencies have experienced a privacy
breach involving personal health information --
although the frequency or severity of the
breaches remains unclear, according to a report
released yesterday by the U.S. Government
Accountability Office.
  • In Australia the Medical Access Card received 72
    submissions, many concerned about privacy

12
Do we need to establish a culture of compliance
(enforced or encouraged)?
  • Case studies show a mixed response
  • Each organization differs in its approach to
    quality assurance
  • State laws differ - as does their interpretation
  • The individuals responsible differ in their
    training, knowledge and approach
  • A generic analysis would be challenging and
    often inappropriate (based on international
    risk standards)

13
What are the risks of non or partial compliance?
  • Risk analysis identified the following consequences:
  • Data not supplied by patients/custodians
  • Patients offended take legal action
  • Research rejected by HREC (ethics)
  • Screening and prevention programs halted
  • Loss of reputation and/or income
  • Medical knowledge not advanced
  • Incorrect treatment

14
UK Council for Science and Technology Personal
Information Risks identified
  • loss of confidence and trust in privacy
  • unauthorised use of personal data
  • exploitation of individual citizens for
    commercial gain
  • statistical discrimination (e.g. creating a
    sub-culture of non-participation by individuals)
  • technical risks such as database failure or
    incapacitation (e.g. by spam or unmanageable
    volumes of data)
  • poor data quality
  • cyber-terrorism

15
Undertake a Privacy Impact Assessment?
  • A PIA can be a valuable tool to help identify
    what needs to be done to ensure a project's
    compliance with privacy legislation

Key questions to be answered through the analysis
phase of the PIA:
Q1: Does the project comply with privacy legislation
and agency-specific legislative requirements?
16
Does Information Technology significantly add to
this complexity?
  • Consider the privacy risks identified by PIAs:
  • Collecting unnecessary or irrelevant personal
    information, or intrusive collection.
  • Bulk collection of personal information, some of
    which is unnecessary or irrelevant.
  • Individuals unaware of collection or its purpose.
  • Covert collection is generally highly privacy
    invasive, and should only occur under prescribed
    circumstances.
  • Using personal information for unplanned
    secondary purposes.
  • Unnecessary or unplanned data linkage.
  • Disclosures not originally planned can lead to
    privacy complaints
  • Inaccurate information can cause problems for
    agencies and individuals.
  • Unauthorised internal and external access and
    use.
  • Retaining personal information unnecessarily.
  • Making decisions based on poor quality data.

17
What role can IT have with compliance?
  • US corporations today face a large and expanding
    regulatory compliance regime that affects
    corporate governance, one of the most significant
    obligations being the Sarbanes-Oxley Act of 2002.

Leaders4, 80-20 Software Pty Ltd,
http://www.80-20.com/
Questionnaire-based risk assessment software has
been commercially developed for principal
executive and financial officers, allowing easy
visibility of compliance processes, and can
therefore demonstrate a commitment to good
governance.
18
P-health Demonstrator
  • Certs containing
  • Data Source
  • Expiry dates
  • User details
  • Access Control
  • Types of usage, e.g. PPA
  • Expansion

[Architecture diagram labels: Digital Certificates; Users Web Interface; Reports / Text files; JSP / Java engine; List of Questions; Navigation Rules; Certificate Details / Project Spec; Admin Interface]
19
(No Transcript)
20
Based on text files - simple to add to and
maintain
  • ---Project Default Project
  • Page1
  • @Text
  • Size 40
  • Title of Your Research Project
  • QH
  • @Text
  • Size 8
  • Start Date of Your Project
  • 01/01/06
  • @Text
  • Size 8
  • End Date of Your Project (2 Years Max.)
  • 31/12/07
  • @Checkbox
  • Name States

@Radio
Does the project have ethical clearance?
Yes <-
No
@Text
Size 11
What is the approval number?
9999-999-99
@Checkbox
On Other item sources
Which of the following sources do you wish to access?
Cancer Registry
Perinatal Statistics Collection
Pap Smear Register
Breast Screen Registry
Hospital Admitted Patient Data
Ambulance
Electoral roll
Other
21
Report and Certification
Report can be exported into a standard form to suit
Digital Signature certificate can include end dates to terminate access, etc.
22
many stakeholders many viewpoints
  • Clinicians
  • Managers
  • Data Custodians
  • Legal / Policy Officers
  • IT technicians
  • Clients (patients)

23
Static Risks
24
Dynamic Risks
25
Calculated Risks
26
Perceived Risks
27
Questions?