Personal health records are no longer just a bulging family file with scribbled notes kept at the local GP rooms. Whenever we receive a health service, whether it be to test for Covid-19, to get vaccinated, to take out health insurance, to visit the dentist, or just to get non-prescription meds at the local pharmacy, personal records are created, updated, and shared amongst the various providers.
Patient data has become a precious commodity in the data-driven empires, including the criminal underground. There is an increasing risk of confidential patient data being stolen, lost, extorted, or exposed as the data and the role-players within the health industry increase. Add to that a rather complex supply chain to continuously provide patients with high-level health care, and health workers with an environment that is conducive to providing the best care.
We all know that complexity is the enemy of security (and privacy).
Internal and external data breaches caused by human error or exploited vulnerabilities can expose patient records and lead to unsuccessful treatment, financial ruin, and possible prosecution (violation of SA laws). Breached patient records can in turn be used to submit fake claims to medical aids or gain access to prescriptions for scheduled medicines.
A medical record is, in a sense, set in stone, as we are unable to go back in time and change what illnesses or injuries crossed our paths. This means that when such a record makes its way into criminal hands, there is no way of requesting a new one and starting over.
Recent case studies of data breaches within this sector enable us to follow the data exposure and how privacy is impacted along these virtual arteries. The Life Healthcare Group, the second-largest private hospital group in SA, experienced a breach in 2020 as reported by EWN news. This hack forced doctors to switch all administrative processes to manual operating systems, as the hack affected IT systems.
A SOUTH AFRICAN DATA MAP
The South African health care industry comprises various organisations, including research laboratories, drug manufacturing facilities, pharmacies, medical treatment centers, and third parties associated with medical care.
Sensitive patient data is collected, transformed, stored, and shared within and between these organisations in the health industry. The data collected from these entities is presented as a mind map in Figure 1.
Figure 1: Data collected per sector in Health Industry
This map is our first step in defining the data flow and ensuring privacy along all virtual arteries. We categorise sensitive data into patient, internal and external business data.
Patient data includes screening, diagnosis, treatment, demographic, lifestyle choice and also financial data.
Internal business data includes patient data used for research purposes, clinical trials, and financial reporting. This data is then used by organisations in the health industry to forecast inventory, identify target markets, implement effective marketing campaigns and analyse their financial position in the industry.
External business data includes patient data used by third-party organisations in the health industry. These organisations include government agencies, law officials, insurance organisations, medical aid facilities, travel agencies and employers.
The digital transformation of the healthcare industry has made it possible to provide easier and more accessible treatment at a lower cost. The implementation of information management systems, smart devices, cloud services and the Internet of Medical Things (IoMT) is making it possible to improve patient care and provide effective treatment in a short period of time.
Patient data can be managed through Electronic Health Records (EHR), or Electronic Medical Records (EMR), where individual patient data is stored at a centralized location. These systems focus solely on patient care and contain clinical, lifecycle, demographic, financial and patient preference data. Such records are then shared between medical practitioners and researchers to provide optimum patient treatment.
The ways in which patient data is used to enhance the health care value chain include the following:
- Enhance drug discovery and development
- Optimise effectiveness and efficiency of clinical trials
- Ensure accurate patient diagnosis
- Deliver optimum treatment and increase its success rate
- Improve drug delivery and boosters
- Ensure safety, risk management and control
- Gain insight into market and performance
Customer relationships are managed through health care customer relationship management systems (HCRM). These systems are focused solely on the operational side of patient care to improve current communication protocols and ensure informed decision-making processes are implemented.
The implementation of security protocols and security vulnerability detection systems is critical to ensure the effective management of risks associated with cybercrime.
DATA LAWS AND DISCLOSURE
Data management and security are essential in all stages of the health industry and are mainly governed by the implementation of policies and procedures in compliance with South African health and security laws.
Medical health data confidentiality is a basic human right, but authorised access can be granted for appropriate reasons according to South African law. South African laws published in the government gazette that address patient record confidentiality, security and access include the following:
- The National Health Act, [No. 61 of 2003] available at: National Health Act [No. 61 of 2003] (www.gov.za)
This Act states that it is an offense to disclose confidential patient information without the patient's consent. However, sections 14, 15 and 16 mention valid reasons for disclosures.
As per the National Health Act:
- The user consents to disclosure in writing
- Patient consent is required for sharing with third-party organisations (medical aid, insurance, treatment processes).
- The medical party gathering the data is responsible for its safety.
- Confidential patient data should only be used for the purpose that it is collected for.
- A court order or any law requires that disclosure. A court order requires no patient consent or notification.
- Non-disclosure of the information represents a serious threat to public health.
- Medical practitioners are obligated to report notifiable diseases and conditions, without patient consent.
- Risk of patient harm outweighs confidentiality. Medical practitioners are obligated to thoroughly document steps taken in the event of non-disclosure.
- A medical practitioner has access to confidential patient information and has the right to share that information with a health care team only in the interest of the patient.
- No consent is required for clinical research purposes if the data presented is not directly linked to a patient. Patient consent is required when reporting individual patient diagnosis (photographs, symptoms, treatment).
- The Health Professions Council of SA (HPCSA) published ethical guidelines for good practice (available at: MEDICAL AND DENTAL PROFESSIONS BOARD (hpcsa.co.za)). They urge the implementation of security protocols to keep patient HIV results confidential. All clinical data relating to HIV patient results must be disclosed before sharing with professionals and commencing the required treatment processes.
- The Promotion of Access to Information Act, [No. 2 of 2000] available at: Promotion of Access to Information Act [No. 2 of 2000] (www.gov.za) (PAIA)
This Act focuses on the right of access of confidential data to public and private bodies, only for legitimate reasons. The purpose of this Act is to promote transparency and accountability. Confidential records and information can be formally requested in terms of the PAIA.
- The Protection of Personal Information Act, [No. 4 of 2013] available at: Protection of Personal Information Act (www.gov.za)
The purpose of this Act is to ensure the implementation of appropriate business structures to keep confidential health care data safe. The main objective is to secure data throughout its life cycle of collecting, processing, storage and sharing. Security protocols and policies should be implemented to prevent unauthorised access, data leaks, damage and cyber-crime.
The Health Professions Council of SA (HPCSA) sets out guidelines for policy development and implementation.
As we continue to work with entities in the health sector to design and implement Information Security Management Systems (ISMS), we are also able to further our research into security concerns and solutions in the health sector. This article maps the entities as well as the type of data, so as to enable us to provide strategies for securing health records in cyberspace.
Written by: Charne Biermann