Centralisation of healthcare data will help secure it but it will take ongoing close collaboration amongst disparate players to truly protect data in an industry that is “screaming out for” better security, according to the technology head of a major clinical software provider.
“The thing about healthcare is that a there are a lot of really small players that are necessary to make this whole thing come together,” David Higgins, chief technology officer with practice software provider MedicalDirector, told CSO Australia.
“You are only as secure as your weakest link, so the industry is screaming out to make sure that it becomes more integrated.”
That cause had been helped by top-level efforts to develop integrated healthcare standards – CSIRO’s Data61, for one, has been instrumental in this area – but clinical software providers needed to play a role by ensuring they helped extend protections to the front line where data is most vulnerable.
Currently used at over 4000 GPs and specialist practices across Australia, MedicalDirector has been expanding its software roster with the Microsoft Azure cloud-based Helix practice management system and population-health analytical services that draw on deidentified data to provide insights into overall population trends.
These two overarching trends had each posed their own challenges to securing personally identifiable information (PII), Higgins said.
The shift to the cloud promised a higher degree of security over data, for example, because that data was no longer distributed throughout practices where servers often sit both physical and logically exposed behind minimal security protections that were often installed years ago.
“Any time you pull information together into one place, you’re going to make it more of a target,” he said. “Classically, medical systems have been on-premises but the future is moving the data to the cloud so doctors don’t have that responsibility.”
“If you’ve got the right systems in place you can make things very unlikely to get tapped into,” he continued. “That’s why we see the future in having a data centre where we can have complete control over the data: we can use the skills we have internally, and those of outsourced providers of pen-testing and the like, to make sure that data is secure.”
Security has become a significant bugbear for the healthcare industry, whose security has been ravaged by both outside attackers and internal employee errors.
The recent Office of the Australian Information Commissioner (OAIC) report on notifiable data breaches (NDB) noted that there had been 49 breaches of health data during the final quarter of fiscal 2018 – equivalent to one every two days, and comprising 20 percent of all reported breaches.
In another recent end-user study, half of healthcare CISOs admitted they had suffered a data breach in the last 24 months, often due to poor patching and a lack of knowledge about security best-practice.
Although Higgins and others in the industry see cloud-based practice systems helping resolve that issue, the industry’s credibility has been damaged by incidents such as rival HealthEngine’s recently-discovered practice of selling patient details to third parties.
This incident had contributed to a general climate of fear around centralising healthcare data, which had in turn driven a growing movement against the government’s move towards an opt-out situation for its My Health Record (MHR) system.
Such concerns are natural, Higgins said, arguing that the industry needs to be more transparent about its use of data – as well as educating the public about the epidemiological value of aggregated and properly anonymised healthcare information.
Medical Director had wrestled with both issues in creating tools like its MedicalDirector Health Education and Research Tool (MD Heart), which captures deidentified prescription, pathology, immunisation, consultation outcomes, diagnostic information, basic demographics and test outcomes for use by researchers and clinicians.
The data was invaluable in driving public-health policymaking and helping GPs benchmark the health of their patients against regional or national averages, Higgins said, but the “really conservative” company had recognised the importance of transparency and anonymity early on.
“We collect deidentified data for that tool, but we don’t bury the details of what we do in T&Cs,” he said. “We pride ourselves in making that really obvious on our Website in plain English. And if patients don’t want to be involved, we will absolutely respect that. Transparency is super important to us.”