Healthcare

Overview

• In Australia, healthcare information and security is regulated by the Privacy Act 1988 (Cth) together with issue-specific legislation. Cyber risks remain a key concern for the healthcare sector, heightened by the public health and technological responses triggered by the COVID-19 pandemic.

Background

• Australia’s healthcare systems have increasingly embraced health record digitalisation, enabling them to transition from hospital-focused and specialised approaches to care management, towards more collaborative and distributed forms of patient-oriented care. Consequently, healthcare providers have increasingly begun to store information on complex and diverse operating systems, giving rise to cyber security risks.
• The healthcare industry is well-known for having ‘low security maturity’, with poor cyber security tools compared to other sectors.
  • See 2020 Health Sector Snapshot (Australian Cyber Security Centre, February 2021)
  • See Annual Report on the State of Cyber Security (Security in Depth, 2019)
• Offner et al suggest the reasons for inadequate cyber security infrastructure in healthcare include: budgetary constraints; poor cyber security training and knowledge by healthcare managers; heterogenous and complex healthcare information infrastructure; reactive approaches to cyber defences; and insufficient cyber security professionals working in healthcare.
  • See K L Offner, E Sitnikova, K Joiner and C MacIntyre, 'Towards understanding cybersecurity capability in Australian healthcare organisations: a systematic review of recent trends, threats and mitigation' (2020) 35(4) Intelligence and National Security 556

COVIDSafe App

• In May 2020, the Australian parliament passed the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth), which amended the Privacy Act 1988 (Cth) and sought to protect the privacy of user data related to the COVIDSafe App.
  • COVIDSafe
  • COVIDSafe App, Privacy Policy (16 December 2020)
  • The COVIDSafe Application Privacy Impact Statement (prepared by Maddocks, 24 April 2020)
  • Department of Health's Agency Response to Privacy Impact Statement (25 April 2020)

Legal Framework

National Health Security Act 2007 (Cth)

• The National Health Security Act 2007 (Cth):
  • creates a national system of information exchange and public health surveillance concerning important public health events and situations; and
  • authorises the disclosure of personal information where doing so will assist in a national or international response (including to the World Health Organisation and countries affected by a public health crisis).
• Part 2 Div 6 of the Act contains regulations regarding notification, sharing information and liaising in relation to public health events of national significance and listed human diseases.
• Part 2 Div 8 of the Act regulates the confidentiality of information, including "protected information", authorised use of that information, plus related offences and defences.

My Health Records Act 2012 (Cth)

• The My Health Records Act 2012 (Cth):
  • outlines the roles and functions of the "Systems Operator", which is presently the Australian Digital Health Agency (Part 2);
  • provides a registration framework for people to be involved in the My Health Record system (Part 3);
  • creates a privacy framework which outlines who can collect, use and disclose information on the My Health Record system and associated penalties for improper collection, use or disclosure (Part 4, see also Part 3 Div 6); and
  • specifies that the federal Minister for Health can create additional rules under section 109, which currently include:
    • My Health Records Rule 2016 (Cth)
    • My Health Records (Assisted Registration) Rule 2015 (Cth)
    • My Health Records (National Application) Rules 2017 (Cth)
• The Act creates offences for inappropriate use of My Health Information, including unauthorised disclosure for a prohibited purpose.
  • Section 66 of the Act permits the secondary use of My Health Record Data. However, it does not clearly identify who can access the data on the system for ‘secondary use’, as well as how and when they can receive consent.
• The Act also prescribes authorised use of My Health Information based on legitimate reasons for use - e.g. to provide healthcare, consult with a nominated representative, where there is a serious threat to life or safety, or where the law authorises the use.
• Part 4 Div 4 of the Act regulates the Act's interaction with the Privacy Act 1988 (Cth).
• Part 5 of the Act prescribes the procedure to be followed following a data breach.

Therapeutic Goods Act 1989 (Cth)

• Chapter 4 of the Therapeutic Goods Act 1989 (Cth) regulates 'medical devices', which may include software applications or products (e.g. smartphone apps that detect insulin, x-ray image processing systems, etc). Chapter 4 regulates the safety and proper usage of medical devices, establishes standards and processes to ensure their secure use, and outlines mechanisms for enforcement.
• Schedule 1 of the Therapeutic Goods (Medical Devices) Regulations 2002 (Cth) outlines 15 'Essential Principles' for the use of medical devices, many of which emphasise that cyber security must be achieved to ensure compliance.

Epidemiological Studies (Confidentiality) Act 1981 (Cth)

• The Epidemiological Studies (Confidentiality) Act 1981 (Cth) sets out penalties for divulging or communicating information associated with epidemiological studies and the maintenance of secrecy relating to particular documents.

Regulatory & Policy Framework

• The Australian Digital Health Agency's Cyber Security Centre (part of the Australian Digital Health Agency, established under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule 2016 ) works with the Australian Cyber Security Centre and the Commonwealth Health Department’s Health Emergency Management Branch to improve the security of national digital health systems and services, and to ensure that there is a proper understanding of cyber security challenges within the cyber security sector.
• The Centre has released the following information:
  • An Information Security Guide for small health care businesses on cyber security
  • A Cloud Services Guide for healthcare organisations
  • A toolkit for choosing secure information technology products and services
  • An Online Telehealth Conferencing Guide for the proper management of data
  • A Guidance Paper for Preparing Backups for Emergencies, such as malware attacks, lost devices or power outages
  • General advice including how a healthcare organisation can respond to a ransomware attack, such as by creating backups and engaging in patch management

Relevant Organisations

• Australian Digital Health Agency
• Cyber Security Centre
• Australian Cyber Security Centre
• Australian Health Protection Principal Committee
• Therapeutic Goods Authority
• Health Informatics Society of Australia
• Hospitals and Healthcare Sector Group of the Trusted Information Sharing Network (TISN)

Inquiries & Consultations

• Submission to the Parliamentary Joint Committee on Human Rights - Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) and Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (exposure draft) by Professor Lyria Bennett Moses et al (7 May 2020)

Industry Materials

• K L Offner, E Sitnikova, K Joiner and C MacIntyre, 'Towards understanding cybersecurity capability in Australian healthcare organisations: a systematic review of recent trends, threats and mitigation' (2020) 35(4) Intelligence and National Security 556
• C S Kruse, B Smith, H Vanderlinden and A Nealand, 'Security Techniques for the Electronic Health Records' (2017) 41(8) Journal of Medical Systems 127
• M S Jalali and J P Kaiser, 'Cybersecurity in Hospitals: A Systematic, Organizational Perspective' (2018) 20(5) Journal of Medical Internet Research e10059
• L Parker, V Halter, T Karliychuk and Q Grundy, 'How private is your mental health app data? An empirical study of mental health app privacy policies and practices' (2019) 64 International Journal of Law and Psychiatry 198

Related Topics

• Consumer Rights
• Privacy Law
• Security of Critical Infrastructure