How to ensure data integrity in the My Health Record era

Overall, Australia’s healthcare system works a treat. But having a load of stakeholders—including Medicare, private health insurers, hospitals, specialists, nursing homes, and more—means the data in this system is siloed and severely fragmented.

The average Australian has numerous medical records floating around in the IT networks (or filing cabinets) of a plethora of healthcare providers. If healthcare organisations aren’t careful, this could have obvious consequences for data integrity, data security, and operational efficiency.

Prep for the digital future of Aussie health data

Data fragmentation isn’t inevitable, though. Anyone who’s ever given their details to a food delivery app that partners with hundreds of restaurants might wonder why the aforementioned healthcare stakeholders can’t establish a similar overarching system. That way, every Australian could have records of their medical conditions, medications, past treatments, blood type, allergies, and so on available to all practitioners.

Federal governments on both sides of the political fence have spent the last two decades trying to get such a system up and running with little success. Now, though, it finally appears Australian healthcare is entering the 21st century. Back in 2016, the government established the Australian Digital Health Agency to encourage the development of “safe, seamless, and secure” digital health services. By the end of 2018, My Health Record, previously known as “Personally Controlled Electronic Health Record,” is switching from an opt-in to an opt-out system. Given only a handful of healthcare customers and providers previously opted in, the expectation is that a similarly small number will go to the trouble of opting out.

Wake up: Data integrity just got real

Moving away from fragmentation, while a smart decision, brings its own challenges. Chief among them is that data integrity and data security have become a lot more important. If a food app transposes some numbers in your home address, the worst that’s likely to happen is your pizza will arrive cold. Poor integrity in someone’s My Health Record data, though, could result in serious harm or death. The potential for healthcare providers, or at least their insurers, to be hit with serious litigation in such situations is clear.

To make it even more challenging for healthcare IT professionals, the usual confidentiality, integrity, and access priority hierarchies need to be different from that of a normal business. Emergency staff aren’t likely to have the time to go through a labourious authentication process while dealing with a patient having a heart attack. Healthcare IT needs to find a balance between ensuring data integrity while making sure it can be quickly accessed and updated.

Just to add a few extra degrees of difficulty, here are some other issues IT pros in the healthcare field need to contend with:

  • Health records must be accessible to a wide range of healthcare professionals. At the same time, they need to be inaccessible to cybercriminals who want to use them for identity theft or extortion.
  • Providers of 24/7 healthcare—notably, hospitals—are reluctant to have their IT systems down for any length of time. This can make undertaking security activities, such as regular vulnerability scanning and patching, a difficult task to coordinate.
  • Medical technology is expensive. Combine that fact with governments and healthcare business owners trying to keep costs under control, and it’s no surprise there’s plenty of outdated software still in use. There’s also a wide range of equipment (think: scanners, monitors, x-ray machines, and computerised drips) potentially running outdated software, which carries both security and performance risks.

Overcome the healthcare network security challenge

The first port of call for healthcare IT pros looking to handle all these challenges is the National eHealth Security and Access Framework. This “provides standards, tools, and guides for the Australian healthcare sector to build and implement secure systems that protect patient data and eHealth-related assets.”

It’s impossible to cover everything addressed in the framework, but there are two aspects that should be an especially high priority for IT departments.

Priority No. 1: Data integrity

Has your organisation implemented procedures and invested in equipment to ensure the accuracy and consistency of a patient’s data is maintained over its entire lifecycle? Fortunately, there’s no need to reinvent the wheel when it comes to data integrity. Similar strategies to what works for a law firm or accountancy business are likely to work for a dental practice or pathology clinic. Some useful approaches include:

  • Validating computer systems
  • Implementing audit trails
  • Installing error-detection software
  • Maintaining backup and recovery procedures
  • Protecting the physical security of systems
  • Properly training users and conducting internal audits
  • Instituting safeguards against data fudging

Priority No. 2: Access control

Does your organisation strictly regulate who can access and alter health data? Fortunately, some degree of access control is built into the My Health Record systems. Both individual healthcare providers and healthcare organisations are given healthcare identifiers, and organisations have to register and obtain digital credentials (e.g., NASH PKI certificates) to use the system.

Nonetheless, it will be down to the IT pro responsible for the network to, in the words of the Pharmaceutical Society of Australia, ” . . . develop and maintain a robust security and access policy that details certain access and security procedures for the organisation, how authorised persons access the system, the training delivered to staff before accessing the My Health Record system, and the physical and information security measures used by the organisation.”

The ability to access health data should be confined to staff who require it. This includes everything from the information contained in electronic health records systems to sensitive printed documents delivered to patients. Those granted access should need to log in to the system with at least two unique pieces of information. Screensaver mode should activate after a page is inactive for more than 60 seconds. Plus, systems should be password protected, and those passwords should be changed regularly.

Invest in cybersecurity that pays off

Given their ageing populations and burgeoning national health costs, many first-world nations are chasing after the cost-saving efficiencies e-health innovations facilitate. That’s entirely appropriate, but the more digitised healthcare becomes, the more important it is to maintain data integrity—and that requires serious network security.

IT leaders in the Australian healthcare industry need to push for sufficient investment in and attention to healthcare network security. If that fails to occur, Australian healthcare providers can expect to face the same threats as their counterparts elsewhere in the world.