Securing healthcare records and privacy in Australia
A need for standardised patient information security
As technology pushes the boundaries of what is possible in healthcare, a standardised approach to handling, storing and accessing medical data needs to move at the same pace. Information security practices in healthcare are a legal requirement when implementing and maintaining digital health systems.
ISO & IEC Standards in healthcare security
The Information technology - Security techniques series of Standards provides guidance for information security management systems and plays an important role in guiding healthcare providers towards safe and reliable information security systems and management. These documents outline best practice approaches that allow organisations to manage information risks through security controls.
AS ISO/IEC 27001:2015 provides requirements for establishing, implementing and maintaining an information security management system. It also aims to guide organisations in continually improving their systems and includes tailored assessment and treatment of security risks.
AS ISO/IEC 27002:2015 relates to the code of practice for information security controls and gives guidelines for organisational information security standards and information security management practices. AS ISO/IEC 27003:2017 provides explanation and guidance for implementing AS ISO/IEC 27001:2015.
Healthcare providers, and other organisations that hold sensitive personal medical data, must ensure that risks to their technical infrastructure and information management systems are well managed. AS ISO 27799:2011 Information security management in health using ISO/IEC 27002 was created to provide security controls and measures to protect health information. It is a companion to the AS ISO/IEC 27002 Standard, adapted to the healthcare industry.
AS ISO/IEC 27799:2016 lists 25 specific risks for the healthcare industry, including:
- Unauthorised use of a health information application
- Introduction of damaging or disruptive software
- Communications infiltration
- Technical failure of the host, storage facility or network infrastructure
- System or network software failure
- Maintenance error
- User error
- Terrorism
Australian Standards in digital healthcare security
There is an array of Standards published by the national Standards body in Australia that aim to provide best practice guidance for all aspects of the healthcare industry. At the time of publishing, Standards Australia had created a world-first handbook for digital hospitals and healthcare. A digital hospital is one that uses information management to support clinical processes.
This handbook (SA HB 163:2017 Digital Hospitals Handbook) sets out principles to inform the design and implementation of digital hospitals, both new and refurbished. Its aim is to provide guidance and positive outcomes for all involved in the digital hospital supply chain, aiding the transition to digital health systems.
Standards Australia has adopted guidance from Health Level Seven International (HL7), which provides a comprehensive framework and related Standards for the exchange, integration, sharing and retrieval of electronic health information that supports clinical practice and the management, delivery and evaluation of health services.
Some of these essential Standards include:
- AS 4700.6-2013 Implementation of Health Level Seven (HL7) Version 2.5 Referral, discharge and health record messaging
- SA TS 90005.1:2014 Collaborative care Logical content model
- AS 4700.7-2005 Implementation of Health Level Seven (HL7) Version 2.3.1 Diagnostic imaging orders and results
- HB 262-2012 Guidelines for messaging between diagnostics providers and health service providers
- SA HB 137-2013 E-health Interoperability Framework
- SA HB 138-2013 E-health architecture principles
- AS 2828.2:2019 Health records Digitized health records
- HB 304-2007 Guide to Australian electronic communication in health care
Healthcare records kept safe and sound
Standards provide best practice guidance for all healthcare and medical data systems, helping to ensure that IT systems and infrastructure follow both national and international recommendations. A standardised approach to healthcare records helps keep both patients and providers safe from IT security risks.