HONG KONG, 11 SEPTEMBER 2008 – The Hospital Authority Hong Kong (HA) will implement the Taskforce on Patient Data Security and Privacy's 26 recommendations within two years to improve the protection of patient data.
The HA appointed the taskforce in May 2008 following 10 cases of lost electronic devices (USB flash drives, MP3 player, palm hand-held, digital camera, desktop/removable disc) containing patient data involving 16,000 patients in six local hospitals and clinics since April.
Releasing its review report today, taskforce chairman Stephen Lau said the HA has room for improvement in the areas of structure, culture and technology.
Although hospitals and the hospital clusters have separate groups protecting patient data, their work is either overlapping or unclear. The HA headquarters also lacks a main office to deal with the matter, according to Lau.
"The authority should set up an office for planning, co-ordinating and following up patient data security," Lau said, adding this will help enhance the monitoring of individual hospitals' work and the procedures concerning privacy protection.
Leadership and governance
As laid down in the taskforce’s report, the HA is recommended to enhance leadership and governance of information security and take the following actions:
1. Appoint a Chief Information Security and Privacy Officer who should report to a senior level and should lead the HA-wide Information Security and Privacy programme, and be responsible for driving forward improvements in a co-ordinated, integrated manner;
2. Establish an HA Head Office committee that has specific responsibility to oversee all HA-wide information security and privacy matters;
3. Revisit relevant cluster/hospital committee structures to ensure a clear role and a specific focus on information security and privacy with appropriate linkages; and
4. Further define, formally document and communicate the role and responsibilities of Data Controllers across HA. This should include explicit responsibility for the people-related aspects of information security and privacy such as education and training.
Lost property definition rejected
On changing corporate culture, Lau suggested the authority reinforce staff awareness of safeguarding patients' personal data. He said that treating lost electronic devices as incidents of lost property, rather than as losses of important patient data, was insensitive.
He also proposed the implementation of automatic encryption of patient records in various stages, including data processing, transportation and within the authority's main system.
"The authority should formulate policy to minimise staff retrieval and downloading of patient records to reduce risks," Lau said, adding the authority should keep abreast of technology advances to ensure its monitoring and audit systems are effective.
Measures taken
Welcoming the recommendations, the HA’s Chief Medical Informatics Officer, Dr NT Cheung, said a multi-pronged approach has been adopted to enhance patient data security and privacy systems.
He cited some actions that have been taken, including educating staff members, strengthening control systems, implementing automatic data encryption, reducing the use of identity card numbers for data handling, and reviewing the need for data downloading by staff.
The HA will form an action plan for implementing the taskforce's proposals within 18 months.
There have been 10 reported cases of data loss via electronic devices involving six hospitals over a period of some 13 months to 5 May 2008. None have involved personal data leakage and seven involved theft.