Australia's Efforts to Keep Health Data Secure
Farah Magrabi of Macquarie University Highlights Key Issues
As the healthcare industry in Australia embraces the advantages of digitization, there's a dark side: Electronic health records can be stolen, networked medical devices can be hacked and mission-critical systems can be locked up by ransomware.
Australian healthcare organizations are catching onto the dangers, but there's a long way to go to ensure the safety of patients and their data, says Farah Magrabi, associate professor of health informatics at Macquarie University in Sydney.
Magrabi leads the Center for Health Informatics within the Australian Institute for Health Innovation. Her work focuses on the safe and effective use of information technology with the aim of improving patient safety. Her research has resulted in some of the first identified causes and consequences of incidents rooted in IT healthcare systems.
Following is an edited transcript of Information Security Media Group's interview with Magrabi at the recent AusCERT information security conference near Brisbane.
Electronic Health Records
Jeremy Kirk: You gave an interesting talk about what's happening in the Australian healthcare industry as far as digitization, electronic health records and how that potentially has a lot of security implications. Can you describe for me how hospitals and clinics are using technology?
Farah Magrabi: When we talk about the use of technology in hospitals and clinics, I start off with general practice first. So our GPs [general practitioners] are highly computerized in Australia. You have 97 percent using electronic records ... to write prescriptions, order tests, keep records of their patients. All of the clinical work is being supported by IT, and increasingly, practices are more willing to pay for the systems. So you can imagine everything is electronic. You have systems being put in for medication management, and these systems have tremendous benefits in terms of improving patient safety, preventing medication errors.
One of the areas where the benefits of IT have been demonstrated is with medications. We can alert clinicians and provide them with decision support when you are prescribed medication that you're allergic to. So we're providing clinicians with information to make decisions, order tests and keep records.
Data Security Issues
Kirk: How are hospitals dealing with the security aspect of this?
Magrabi: We don't really know a lot about what are the current security practices in Australia specifically. What we do know is that the college of GPs has information data protection and information security standards that GPs are required to comply with. In a study that we did about two years ago, compliance with these procedures was pretty high.
Value of Records
Kirk: Can you tell me a little bit about how the value of a medical record compares to other data that we see leaked?
Magrabi: It has been estimated that the value of a medical record is about 10 times more than credit card information because this information is being used to commit fraud. One of the obvious areas where patient information is being used is to purchase medical devices and also drugs. And the other area is where this information is being combined with provider information to make false claims. So you can rack up a huge number of claims in the name of the patient.
Kirk: We've seen numerous hospitals affected by ransomware. Can you tell us how that impacts hospitals from a patient care perspective?
Magrabi: All of the data is locked up. You're talking about critical information that is needed to treat patients not being available. Records not being accessible, clinicians not being able to communicate with each other. ... So you're not having all of the good stuff that IT brings, the decision support. ...
Volume of Data
Kirk: Another thing that you mentioned that differentiates healthcare information from other kinds of information is the volume and variety of data. Can you explain a little bit more about this?
Magrabi: So you're talking about patients from birth to death. Everyone has an encounter with the health system, so by definition you should be able to steal the records of all of the systems on the server if you have digitized the whole system. There's more and more data because we're getting it from different sources, and that kind of ties into the variety as well. And you're combining that now with consumer information as well - activity trackers, diet trackers - all of that information as well. Everything is getting on the network. There's an explosion in the amount of health data that's available.
Kirk: I thought it was particularly interesting that you talked about some of the security controls in use now, like two-factor authentication. But when you apply that to the healthcare industry and time-sensitive situations, those controls may not work well in certain scenarios. Can you explain a little bit more about that?
Magrabi: Look at a scenario in an emergency room where a clinician is treating a patient and needs to access information in a timely manner. Now, if that information is not available, then basically it's slowing that treatment of the patient. It's as simple as that. If you're slowing a doctor down, they have to continue the treatment and make a decision without that information.