Health Information Strategy Action Committee, “Public Comment Draft: Authentication and Security Framework – Essentials and Recommendations”, draft number 10029.1/vPC, Ministry of Health, New Zealand, 48 pp., 9 July 2008. Available: http://www.hisac.govt.nz/moh.nsf/pagescm/7442/$File/10029.1PC20080709.pdf (accessed 28 July 2008).

Foreword

The problem this committee faced was to find the right balance of policies, procedures and technical controls to ensure an across-the-board improvement in health sector security. It is time to lift the bar for every health organisation and practitioner. A sector-wide security system is only as good as its weakest link, and whilst there are some strong points in the NZ health sector, there are also some vulnerabilities and weaknesses of which people are perhaps not even aware. For the secure sharing of information, all health organisations must follow common minimum standards of security so that information can be passed knowing that each party handles it with equal care.

The sheer quantity of information about security, the different approaches on offer, the existing security codes of practice, and the array of threats (technical, legal and people oriented) meant that the committee was faced with a range of options. Our problem was one of selection rather than creation of new material. There is an old adage: standards are good, there are so many to choose from. Our approach was therefore to adopt an international standard which we believe is future-proof, will continue to develop independently, and is already widely used by other organisations wanting to maintain good security practices. We wanted to design a standard that is practical and understandable, especially by the small healthcare businesses that make up the bulk of health sector organisations.
This meant pruning the available controls and options down to those which are absolutely essential and which every organisation, from the sole practitioner to the large healthcare provider, must follow. We have also identified a number of recommended controls for those who wish to follow best practice, for organisations of greater size, or for those with a greater need to reduce their risk. We provide a selection of “out of the box” tools for practitioners and organisations to use and adapt without having to undergo a detailed risk assessment of their own. Of course, this does not prevent any organisation from performing its own risk assessment or from delving deeper into the standard methodology, which is a publicly available document. We advise that large organisations (more than 100 staff) take the ISO 17799 methodology and develop their own organisational security policy, on the proviso that it does not contradict or undermine any of the essential policies outlined in this standard.

Our audience is all health organisations, and any organisation which holds individuals’ health care records. Our target audience for this standard is small organisations of fewer than 20 staff, and medium-sized organisations of between 20 and 100 staff. We have tailored this standard for both these groups by listing the essential components for all health organisations and then including recommended components where a greater level of stringency (for medium-sized organisations) is indicated.

Why is privacy not included in this standard?

The matter of privacy is not so much about the protection of an individual’s information, but about what information will be shared with others, and how much the individual feels in control of it.
What information is shared is a decision determined by several factors, namely the patient’s wishes, advice from their practitioner, good clinical practice, and obligations under New Zealand legislation which in some instances (e.g. notifiable diseases) require it to be shared or reported to others. This standard assumes that some health information will be shared; it does not say what information should be shared or under what circumstances. These matters are outside the control of the committee and are best left to be debated in other forums.

The view of the committee is that all health information is confidential and should be given an equal level of protection. Health information is therefore classified as “Medical-in-Confidence”. It is not useful to classify health information into different levels of sensitivity, because such classifications are context dependent, often subjective, and can change over time.

The application of security controls to health information is a balancing act. Too much security and the information becomes of no practical use, or is inaccessible to those who should have access to it. Furthermore, with controls comes the cost of compliance; too much cost and controls will inevitably be avoided. Conversely, a lack of security controls means that information becomes devalued in the minds of users, and confidence in healthcare can be easily eroded. It was this committee’s job to find the right balance for the health sector today, by pushing the barriers in some areas while allowing a range of options in other areas by not being too prescriptive.

The committee has defined a set of principles in its development of the standard to best enable organisations to safeguard health information. We hope that this standard adheres to these principles, or at least stimulates debate and discussion to allow further development.
A good standard will be one that:

• is accessible to all parties in the health sector;
• provides practical guidance and samples (of policies, for example);
• is tailored to the various sizes of organisations and audiences;
• covers a broad range of security areas;
• is manageable, cost effective and practical to implement;
• provides governance, a support structure and compliance audits;
• evolves over time with regular reviews.

We believe such a standard will be quickly adopted by the health sector, so that the public can be confident that their health information is maintained securely on their behalf.

Tony Cooke
Chair of HISO Expert Advisory Committee 10029