Webinar on Cyber Security and Personal Data Privacy Protection in Electronic Health Record Sharing System
To elucidate the information security issues related to the Electronic Health Record Sharing System (eHRSS) and how healthcare providers (HCPs) could protect patients’ privacy when using the system, the Electronic Health Record (eHR) Office organised the “Webinar on Cyber Security and Personal Data Privacy Protection in Electronic Health Record Sharing System” on 13 August 2020, which attracted the participation of about 200 information technology and administrative personnel from around 70 HCPs.
The guest speakers invited by the eHR Office were Mr Tyler Chan, Inspector of the Cyber Security and Technology Crime Bureau, Hong Kong Police Force (HKPF); Mr Eric Wong, Senior Systems Manager (Application Management) of the Hospital Authority (HA); and Ms Joanna Chan, Senior Personal Data Officer of the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD); with Mr Tony Leung, Chief Systems Manager (Health) of the Food and Health Bureau giving the welcoming and opening remarks.
Securing Mobile Devices in Healthcare Industry
Mr Chan, the representative of HKPF, shared first. He said that the Internet of Medical Things (IoMT) was formed during data transmission and exchange in electronic medical devices/ appliances of the healthcare industry, while at the same time might increase the risk of data leakages from those devices/ appliances, or the risk of computer virus intruding the IoMT. He pointed out six common mistakes often made by users: using default name of devices/ appliances, enabling all features of devices/ appliances at all times, using default settings on devices/ appliances, insecure router setting, using default or weak passwords in devices/ appliances, and using outdated firmware.
To strengthen the security of IoMT, Mr Chan highlighted seven ways: using strong passwords, choosing devices/ appliances from reputable manufacturers, selecting higher security and privacy settings for devices/ appliances, updating the security setting of devices/ appliances regularly, refraining from using legacy operation systems, performing segmentation of IoMT and intranet by adopting virtual local area networks in order to separate these devices/ appliances, and enabling active monitoring to the operational situation of IoMT.
Keeping eHRSS Safe in the Time of COVID19
Mr Wong, the representative of HA, then introduced the security measures implemented in eHRSS. He emphasised that the system was designed with strict security and privacy control, in which health records could only be accessed by registered HCPs and healthcare professionals (HCProfs) with patients’ consent and authorisation following the “patient-under-care” and “need-to-know” basis. The system was architected based on “defense in depth” principle and engineered with multiple levels of system protection to mitigate cyber attacks risks. According to Mr Wong, security control of eHRSS was regularly reviewed and new security features which required users to use two-factor authentication would be introduced soon to further strengthen the control.
Mr Wong also introduced the newly launched mobile app which provided additional channel for patients to manage the sharing consent given to HCPs conveniently. He also shared a few tips to HCPs and HCProfs to better protect patients’ data particularly in era of Cloud and Internet of Things such as the importance of performing system update regularly and reminded everyone to stay vigilant as cyber attacks could come from different forms and channels. Cyber security tips had been listed on the eHRSS website for HCPs’ and HCProfs’ reference.
Data Breaches and Cybersecurity
Ms Chan, the representative of PCPD, mentioned that the eHRs in eHRSS were personal data protected by the Personal Data (Privacy) Ordinance (PDPO). PCPD would follow up and, if necessary, initiate investigation when complaints of suspected breaches of the PDPO in eHRSS were received. Through case sharing, Ms Chan introduced the provisions of the PDPO and how PCPD ensured data and network security.
In particular, she also mentioned some measures that could strengthen data security in eHRSS. For example, authorised HCProfs should ensure the eHRs shown on the computer screen would not be seen by unrelated third parties when they logged into eHRSS; the download or printing processes of eHRs should be kept secure; HCPs should formulate guidelines on the use of portable storage devices to avoid leakage of personal data and adopt appropriate measures to ensure the HCPs’ data systems were adequately safeguarded and functioned properly.
Ms Chan also introduced the Data Breach Notification mechanism and the steps involved in handling the incident, and shared the development of privacy protection trends and the value of data ethics stewardship management.
Finally, Ms Chan supplemented that PCPD had published online booklets for members of the public as well as HCPs and HCProfs respectively, with a view to reminding all of us the points to note for privacy protection in eHRSS.