Cyber Risks - Protecting Patient Information

Posted on Thursday, 22 November 2012
Reading time: 6 minutes

Mr X underwent a simple medical procedure at Hospital A. Mr X was a 42-year-old male who also happened to be a practising dentist at Hospital A. During the procedure Mr X disclosed to a nurse and the practising physician, for the purpose of his medical record, that he was HIV-positive, and requested that this remain strictly confidential. Within weeks of the procedure, one of his colleagues expressed concern after hearing of Mr X’s HIV status. Subsequently, Mr X began receiving an increasing number of dental appointment cancellations as knowledge of his HIV status spread. Mr X filed a medical malpractice lawsuit in which the nurse, the physician and Hospital A were found responsible for allowing his HIV status to become public knowledge. The lawsuit sought $1 million (R 8 642 135) in punitive damages for the breach of patient confidentiality[1].

THE PROBLEM

A growing cyber-risk concern is the breach of personal information. Today it is virtually impossible to undergo even a minor procedure without handing over one’s full personal details, from residential address to identity number. It is the use of that personal information for the profit or benefit of others that has driven increased regulation of how personal information is obtained, used and stored.

Both the USA and the EU have implemented more stringent measures for the protection of such information, and South Africa is no different, as seen in the drafting of the Protection of Personal Information (POPI) Bill.

POPI serves to promote the protection of personal information processed by companies and thereby uphold the public’s constitutional right to privacy. POPI defines personal information[2] as information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including, but not limited to:

  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
  4. the blood type or any other biometric information of the person;
  5. the personal opinions, views or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the person; and
  8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

This definition of personal information is very wide and serves to limit the extent to which businesses can use the personal information of their clients.

In the USA a strong motive for the protection of personal information arose from the increasing number of security breaches at medical institutions. A cyber liability claims study conducted by NetDiligence® found that breach of personal health information was the second most common type of personal information breach. Personal health information is a sensitive matter, and the breach of such information can therefore result in very large cyber liability claims[3].

The patient-doctor relationship is by its very nature confidential. During a consultation the patient is questioned and examined for a range of medical conditions, from HIV status to mental state, and it is in confidence, and with the patient’s consent, that the patient agrees to undergo a medical examination. A medical practitioner is therefore obliged to respect a patient’s autonomy. However, the improvement of medical technology has led to a shift from paper-based medical records to electronic health records (EHR).

While EHRs promote better healthcare practices, improved efficiency and improved quality of care, they operate over the internet. This allows medical information to be transmitted between different medical institutions, healthcare providers and external billing institutions; information that was once exchanged only in one-on-one consultations is now requested and sent over various networks and exchanges. The processing, management and storage of patient information is therefore conducted through a decentralised system (the US and EU may use a more centralised EHR system) in which various healthcare providers can obtain access to patient information. Because of this decentralisation, the security of the EHR system has become a priority: it immediately becomes more difficult to control which information is transmitted and who has access to the data[4].

Cyber liability exposures can arise from the following violations involving personal information:

  • knowledge of an individual’s health status by an unauthorised person,
  • access to subscriptions,
  • misuse of health information,
  • data management of EHR in the long run,
  • invasion of personal health information by government or private institutions.

It is with the advancement of medical technology that a plurality of cyber risks emerges. While the exposures listed above represent only a fraction of those that medical institutions face, it has become imperative that medical institutions have adequate protection against such risks, because hackers are continually finding new ways to outsmart current data security measures. The confidentiality and privacy of patients’ personal information is thus challenged, as healthcare is no longer immune to cyber risks[5].

The liability arising from such risks can affect a range of medical institutions, namely hospitals, private practices, medical aid schemes, nursing homes and other providers of healthcare. It is these advances that have created the need to improve data security and privacy, hence the introduction of POPI.

THE SOLUTION

The most common causes of loss of personal information are hackers, phishers, rogue employees, and the loss or theft of equipment[6]. Measures to prevent such losses include[7]:

  • Role-based access: limits what each user may view in a patient’s medical record, so that, for example, a medical practitioner and a medical aid provider are given different degrees of access to the same record.
  • Encryption: a data security measure that prevents a third party who obtains a patient’s medical record, whether in transit or on a lost or stolen device, from reading it. Encryption does not, however, protect against an authorised user who misuses their legitimate access.
  • Authentication and audit: confirming the identity of the person requesting a record, and recording each retrieval so that the responsible parties can be alerted that particular information has been accessed, and by whom.
  • Location: storing patient information on a laptop, other mobile device, personal digital assistant or in cloud computing poses differing degrees of risk, and it is essential to have adequate security preventing unauthorised access to such applications and devices.
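The first and third measures above, field-level role-based access and a log of every retrieval, in working form. This is an added example and not code from the original post or from any real EHR system; the roles, the access policy, the user names and the patient record are all constructed for illustration. Access is deny-by-default: a field not listed for a role is withheld, and an unknown role sees nothing.

```python
"""Field-level role-based access to an electronic health record, with an
access log that records every release of a field.
Added example for illustration; the roles, fields, user names and the
patient record below are all constructed, not taken from any real system."""
from datetime import datetime, timezone

# Constructed policy: the set of record fields each role may read.
# Anything not listed is withheld (deny by default). Only the treating
# clinician may see HIV status; the medical aid's billing clerk sees just
# enough to settle a claim.
POLICY = {
    "clinician": {"patient_id", "name", "date_of_birth", "diagnosis",
                  "hiv_status", "procedure", "procedure_code"},
    "billing_clerk": {"patient_id", "name", "member_number",
                      "procedure", "procedure_code"},
    "receptionist": {"patient_id", "name", "date_of_birth", "appointment"},
}

# Fields whose release a privacy officer should always be able to review.
SENSITIVE_FIELDS = {"hiv_status", "diagnosis"}

# Constructed sample record; every value is invented.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Mr X",
    "date_of_birth": "1970-05-14",
    "member_number": "MA-55512",
    "diagnosis": "see procedure note",
    "hiv_status": "positive",
    "procedure": "minor day-case procedure",
    "procedure_code": "DC-017",
    "appointment": "2012-11-22 09:00",
}


class AccessLog:
    """Append-only record of who saw which fields of which patient."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, patient_id, released, withheld):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "released": sorted(released),
            "withheld": sorted(withheld),
        })


def view_record(record, user, role, log):
    """Return a copy of the record containing only the fields the role may
    read, and log the access. An unknown role is given no fields at all."""
    permitted = POLICY.get(role, set())
    released = {f: v for f, v in record.items() if f in permitted}
    withheld = set(record) - permitted
    log.record(user, role, record["patient_id"], released, withheld)
    return released


def accesses_to(log, fields=SENSITIVE_FIELDS):
    """Log entries in which at least one of the given fields was actually
    released: the list a privacy officer reviews, or is alerted on."""
    return [e for e in log.entries
            if any(f in e["released"] for f in fields)]


if __name__ == "__main__":
    log = AccessLog()
    print(view_record(PATIENT_RECORD, "dr.smith", "clinician", log))
    print(view_record(PATIENT_RECORD, "clerk01", "billing_clerk", log))
    print(view_record(PATIENT_RECORD, "guest", "visitor", log))
    for e in accesses_to(log, {"hiv_status"}):
        print("hiv_status released to", e["user"], "as", e["role"])
```

The policy is enforced on the server side of the record store, not in the client that displays it: a billing clerk's client never receives the HIV field, so a compromised or curious client cannot show it. The log keeps both the released and the withheld fields, which is what makes an after-the-fact inquiry such as the one in the case above answerable from the records.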

By correctly identifying and understanding the financial implications of the cyber risks faced by medical institutions, exposure to those risks can be significantly reduced and the privacy of personal information maintained. Given the extent of the cyber liability exposure that exists, the costs incurred can be substantial. Medical institutions should therefore strongly consider purchasing cyber liability cover when taking out medical malpractice and/or professional indemnity cover.


[4] Ensuring the security and privacy of information in mobile health-care communications systems, South African Journal of Science (2011).

[7] Ensuring the security and privacy of information in mobile health-care communications systems, South African Journal of Science (2011).

Stephanie Fienberg, International Correspondent