Lessons to be learned from the OAIC’s security assessment of St Vincent’s hospital
Blog IP Whiteboard

Last month the Office of the Australian Information Commissioner (OAIC) issued a privacy assessment report of St Vincent’s Hospital Sydney Limited (St Vincent’s).^[1]

The Privacy Commissioner has the power to carry out assessments under section 33C of the Privacy Act in order to determine whether an organisation is complying with the Australian Privacy Principles (APPs) and other relevant requirements under the Act. Assessments are seen as an educative process as well as a compliance mechanism, and the results reported by the OAIC serve as a useful indication for other organisations as to the Commissioner’s view of the standard of compliance required under the APPs. These assessments supplement the more formal guidance that the Commissioner has already made available, such as guidelines on the APPs and on information security matters.^[2]

The primary purpose of the particular assessment carried out on St Vincent’s was to determine whether St Vincent’s had satisfied the requirement under APP11 to take reasonable steps to protect the personal information in its possession from unauthorised access, modification or disclosure. In particular, the assessment looked in detail at the access security controls used by St Vincent’s in relation to information stored in its electronic health record system (eHealth system). The Commissioner’s report made four key recommendations (all of which were accepted by St Vincent’s), from which other organisations can learn useful lessons:

Recommendation 1 — Update security and access policies

St Vincent’s had a security and access policy in relation to the eHealth system. However, the policy was considered by the Commissioner to be inadequate because it did not include information about St Vincent’s obligations under the Privacy Act and did not include guidance for staff on security measures they should take to protect patient privacy when accessing the eHealth system. This information was available in other documents that St Vincent’s had produced, but was not available in a single consolidated form.

The Commissioner recommended that the security and access policy be updated to reference relevant privacy compliance requirements, and append all relevant compliance guidelines.

Lessons to learn: Organisations should ensure that security and access policies for their key IT systems include information on relevant privacy obligations and that all guidance on security compliance processes are consolidated in a single guide or manual. Ideally staff should have a single “bible” or “authoritative source” in relation to privacy compliance matters, so that they know where to turn for guidance on these issues.

Recommendation 2 — Improve training on staff privacy and security obligations

St Vincent’s gave new staff two days of intensive training on its clinical operating system, including in relation to the use of the eHealth system. However this component of the training was verbal and staff were not provided with written training materials. The Commissioner considered that the training should have been supported with written materials that pointed staff towards applicable policy and procedure documents on information security. The Commissioner also recommended that, in addition to the initial training, St Vincent’s should carry out regular ongoing refresher training on privacy and security compliance.

Lessons to learn: It is critical to ensure that staff members fully understand and comply with their privacy obligations. While in-person training is useful, it is important that any training program be supplemented with appropriate reference materials (which can be provided in hard copy or made available through a corporate intranet or other source). In addition, the Commissioner evidently does not consider it adequate to treat staff training on privacy as a “one time only” affair. Regular refresher training is important to ensure that privacy remains top of mind and that staff are aware of the latest security and compliance practices.

Recommendation 3 — Review and document system access procedures

St Vincent’s had a system in place to control the amount of information that different staff members could access on the eHealth system. This system was automatically configured for each staff member based on their role description and an access form was then sent to a relevant manager for approval. However, the default access rights for each role had not been reviewed for some time. In addition, there were no clear processes in place for reviewing access rights in order to determine whether they were still appropriate for all staff members. For example, in some situations a staff member may be temporarily allowed greater access in order to cover another staff member’s position, but there was no formal process in place to withdraw that access when it was no longer required.

The Commissioner recommended that St Vincent’s review and properly document its internal practices and procedures relating to the granting of access rights, including by reviewing default access settings and ensuring that they are regularly reviewed. In addition, the Commissioner recommended that systems be put in place to manage access rights that were intended to only apply for a temporary period (for example, by configuring the system so that enhanced access rights are given a sunset date).

Lessons to learn: The Commissioner’s assessment illustrates that it is not appropriate to take a “set and forget” approach to information security controls. Relevant control settings should be reviewed on an ongoing basis to ensure that they remain appropriate and that no staff members have access rights that are inappropriate for the role that they are currently fulfilling. If possible, automation should be used in order to assist with this review process (for example, by ensuring that enhanced access settings can be configured to expire after a defined period, following which they need to be reapplied if they are still required).

Recommendation 4 —Update audit log capability

St Vincent’s had a system to keep access logs of usage of the eHealth system, and these logs were automatically backed-up. However, there were some limitations to the logging system. For example, St Vincent’s did not have a user interface to enable St Vincent’s to access logs on site — instead it had to request access from the IT vendor who maintained the back-ups.

In addition, the system did not keep records of when users viewed the metadata (such as user name, type of document, date and location etc) of a record on the eHealth system (as opposed to the contents of the record itself). The Commissioner considered this to be a risk, as it may be possible in some circumstances to discern a significant amount of underlying information from the metadata alone, such as where it reveals that a record was created by a doctor known to specialise in a particular illness or condition. Readers who have followed the debate about the new laws that will be introduced later this year regarding the mandatory retention of telecommunications metadata will be familiar with the potential sensitivity of metadata.

The Commissioner recommended that St Vincent’s upgrade its logging capabilities, so as to enable St Vincent’s to access logs on site (through a new user interface or other mechanism) so as to enable active monitoring of the eHealth system and to track when users viewed metadata on records kept in the eHealth system. Alternatively, the Commissioner said that St Vincent’s could ensure that its external software provider undertake an ongoing monitoring role.

Lessons to learn: It is important for organisations to be able to effectively and actively monitor the use of personal information that they hold in order to be able to detect potentially inappropriate uses of this information and to investigate suspected security breaches. This may require advanced access and logging functions to be designed into important information databases. Organisations should think about this in advance when building any new database, as it will inevitably be more difficult and costly to retrofit this type of capability to an existing system.