Securing health information: What can we learn from the OAIC’s assessment of Healthscope?

In November 2020, the OAIC released its report into Healthscope’s security and privacy processes.  According to the OAIC, these assessments are done for educative purposes, so what can we learn?  Not much really ….

OAIC’s assessment powers

The OAIC can conduct assessments to determine if personal information is being maintained and handled in accordance with the Australian Privacy Principles (APPs).[1]

According to the OAIC, it approaches assessments as an educative process, and compliance with the Privacy Act is seen as part of good management practice.[2] The assessment is, by necessity, a snapshot of personal information handling practices relating to an assessed entity at a certain time and in a particular location.

As part of the educative benefits of its assessments, the OAIC encourages APP entities to consider findings broadly and not limit issues identified in the assessment to the program that was the subject of assessment.

OAIC assessment into Healthscope

Although very useful, this is a power that has been exercised sparingly over the years. So why this assessment of Healthscope?

The OAIC has an understanding (recorded in a Memorandum of Understanding (MOU)) with the Australian Digital Health Agency (ADHA). This understanding requires that the OAIC conduct at least two assessments during the period 1 July 2016 to 30 June 2017, with one assessment in relation to Healthcare Identifiers.

Because of this MOU, OAIC assessed the security controls Healthscope had in place to protect Healthcare Identifiers. The assessment was undertaken in September 2017.

More than three (3) years later, the OAIC published a summary of its assessment (in November 2020).

Why Healthscope?

According to its website, Healthscope is Australia’s only national private hospital operator and healthcare provider, with a network of 43 hospitals that service every state and territory.

As well as managing a network of regionally diverse hospitals, Healthscope is a big employer, responsible for over 19,000 people. Given its status and size, Healthscope was an ideal candidate for a privacy check-up from the OAIC.

Purpose of assessment of Healthscope

The report specifies the objective of the assessment was to establish whether Healthscope is taking reasonable steps to:

  • secure IHIs and the associated personal information collected and held in its systems and databases in accordance with APP 11, and
  • protect the IHIs it holds in accordance with the requirements prescribed by the Healthcare Identifiers Act (HI Act) and Healthcare Identifiers Regulations.

However, the scope of the assessment was significantly limited. This was no far-ranging consideration of the systems used by the hospital network to secure and protect all the personal data it holds, including information about diagnoses, therapies, symptoms and treatments. Instead, it was limited to the processes for uploading admission and discharge summaries.

The assessment is said to include an examination of Healthscope’s policies, procedures and practices, two site visits (to the Healthscope Head Office and the Nepean Private Hospital) and interviews. There are no details of what happened in the site visits, what interviews were conducted or which systems were assessed, so the real extent of the assessment is not entirely clear.

Findings from Healthscope assessment

What can we learn from the summary report, handily published some 3 years after the actual assessment? Well, not all that much ….

The summary report provides only the most general information. However, the published findings indicate some very serious issues. They include that:

  • there was little security or privacy awareness training in place, with a note that there ‘was significant work to be done in this area’;
  • there was no access security policy, and a need to improve access controls to address privacy risks; and
  • there was limited awareness of data breach reporting obligations.

This suggests a very low maturity of security and privacy controls. Security and privacy training and access controls are the most rudimentary security and privacy measures that any organisation should have in place, let alone Australia’s only national private hospital operator.

So what did the OAIC do?

Well, we know the OAIC made four recommendations. According to the report, Healthscope has taken steps to implement the recommendations and is continuing to implement them. Good news for the patients and the over 19,000 employees. But we are none the wiser as to what those recommendations might have been.

What can we learn from the OAIC’s assessment of Healthscope?

One of the major lessons could be that there’s not much to be worried about if the OAIC decides that you might be a good candidate for an assessment.

One might also question the educative value of this sort of assessment.

The summary report provides such limited information as to be of little value to the regulated community generally, although it was no doubt of interest to Healthscope.

No information is provided on the steps taken to address the issues identified or even the recommendations made.

There also seems to have been little use of the findings by the OAIC in supporting the development of more educative resources, guidance or other resources that could be of use to other healthcare providers.

It makes one question the value of assessments and their educative purposes.

This seems to be a case where the most sensitive of information has been processed without the most basic of security controls, but with no real adverse findings from the OAIC. It also makes one wonder at what point the OAIC might consider using its power to issue penalties.

[1] s 33C(1)(a) of the Privacy Act

[2] Privacy assessments — OAIC