Data security concepts and entry reading

Data storage refers to any number of ways that physical recording media are used to retain information read by computer systems so that it can be retrieved when needed. Data can be stored on-premise, co-located, or in public or private ‘clouds’.

• On-premise data storage: data is stored on computer servers that are owned and managed by your organisation.
• Co-location: your data storage equipment is in a ‘data centre’ which is not on your premises (it may be a service provided by another organisation) – but you still retain complete control over the data.
• Public cloud: storing data with a public cloud provider makes it easy to have more storage space, computer resources, and allows the employee to utilise data from almost anywhere. The open nature of the environment makes it difficult to protect sensitive data from unauthorised access. Examples include Dropbox and Google Drive.
• Private cloud access: for companies that cannot afford to take risks, private cloud offers a greater level of security, especially when coupled with encryption protocols. It is a form of co-location but no hardware is involved. Virtual servers can offer companies all the benefits of physical equipment while being much easier to maintain.
• Hybrid and multi-clouds: an approach to network architecture that stores sensitive data in secure private clouds while still taking advantage of the computer power of public cloud services. (Alan Seal, 6 September 2019)

Further reading:

Alan Seal. 4 data storage methods for business. VIRTUS Data Centres (6 Sep 2019)

Anthony Carter. Where is cloud data physically stored? VIRTUS Data Centres (24 April 2019)

healthvital IT. What is the ‘cloud’ and how can we use it? South Eastern Melbourne PHN (no date) 

It’s important to consider where your data is held and transmitted – and there are strong reasons for health professionals to consider Australian-based services for data storage and web conferencing.

The use of offshore web conferencing solutions introduces additional business and security risks, where a website or network-based portal enables interaction among virtual community members. There are both technological components and policy components to these risks. 

For example, laws in other countries may change without notice and foreign-owned service providers that operate in Australia may still be subject to the laws of a foreign country. Also, service providers who are located offshore may be subject to lawful and covert data collection requests, which might lead to external access to your organisation’s data without your knowledge.

Further reading:

Australian Cyber Security Centre. Web conferencing security. Australian Signals Directorate. (June 2020)

Secure messaging is a critical component of digital health care. Secure messaging products are used to make sure that electronic communication and document transfer are reliable and confidential, and they can also streamline workflow and provide seamless audit trails. Secure messaging also: integrates directly with clinical software systems; improves patient matching; makes critical patient information more accessible and readily available; reduces the chances of communication breakdown; has a send/receive audit trail; and lets you receive priority clinical information in real-time.

The Australian Digital Health Agency collaborated with the health community to develop a set of standards that health technology providers must comply with, called SMD (Secure Message Delivery). These specifications mean that messages that contain clinical documents can be delivered between healthcare organisations. Many organisations use an approved messaging service provider to deliver these communications, and the Australian Digital Health Agency maintains a Register listing the suppliers of clinic software and secure messaging solutions which comply with these standards. There is ongoing work to resolve the issue of the continued lack of a consistent approach to secure messaging and information exchange across Australia health care.

Further reading:

Australian Digital Health Agency. Secure messaging. Australian Government. (no date)

Australian Digital Health Agency. Register of conformity. Australian Government. (no date)

Health Vital IT. Secure messaging and electronic clinical referrals. South Eastern Melbourne PHN. (no date)

South Western Sydney PHN. Secure messaging. (no date)

Modern health care systems have moved to collaborative, patient-centred care, where health professionals work in partnership. Digital health plays an important role in sharing confidential patient data between treating professionals.

Health data exchange architectures, application interfaces and standards are required to make sure that data is accessed and shared appropriately and securely across the complete spectrum of care, within all applicable settings and with relevant stakeholders, including by the individual.

Interoperability is how different computer systems can access, exchange, integrate and use data in a co-ordinated manner, so that information is provided in a reliable and timely way, to optimise the health of individuals.

There are four levels of interoperability:

– foundational (how one system connects with another to securely communicate and receive data from each other)
– structural (the format, program language (syntax), and organisation of data exchange)
– semantic (standard variable definition), and
– organisational (governance, policy, social, legal and organisational considerations to facilitate seamless communication and use of data within, and between organisations and with individuals).

Further reading:

Health Information and Management System Society (HIMSS). What is interoperability in health care? (no date)

API is the acronym for Application Programming Interface, which is a piece of software that works like a translator and lets two different applications talk to each other. Each time you use an app like Facebook, send an instant message or check the weather on your phone, you’re using an API. These play a critical role in digital health.

Further reading:

MuleSoft. What is an API? (Application Programming Interface)

Healthcare IT News. What you need to know about healthcare APIs and interoperability (April 2019)

The Privacy Act 1988 (Cth) (Privacy Act), which includes the Australian Privacy Principles (APPs), regulates the way that individuals’ personal information is collected, used and managed. The Act gives people the right to know why their personal information is being collected, how it will be used, and to whom it will be disclosed, and to ask for access to, or correction of, this information.

Further reading:

Google Cloud. Australian Privacy Principles (APPs)

Office of the Australian Information Commissioner (OAIC):

• Australian Privacy Principles
• Australian Privacy Principles guidelines. (updated July 2019)

The Health Insurance Portability and Accountability Act (HIPAA) in the United States sets the standard for sensitive patient data protection which is adopted by most global health software companies. Systems which have HIPAA compliance also usually comply with any subsequent amendments to HIPPA and any related US Federal legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Companies that deal with protected health information (PHI) must have physical, technical, and administrative safeguards and process security measures in place and follow them to ensure HIPAA compliance.

In Australia, the Privacy Act (see section above) is the equivalent to HIPAA, and Australia is recognised as having some of the most stringent patient privacy and confidentiality laws in the developed world.  

HIPAA Journal. HIPAA compliance checklist 2019-2020