HONG KONG – The Hospital Authority here has earmarked HK$35 million (US$4.4 million) to improve patient data security and privacy based on recommendations by the privacy commissioner and authority’s own taskforce.
The HA said last week a budget of HK$10 million has been allocated for the remainder of the financial year and HK$25 million next year. The fund will be spent on setting up the new information security and privacy office and upgrading data security infrastructure.
Stephen Lau, chairman of the taskforce said that 26 recommendations were made in a taskforce report and presented to the Hospital Authority Board covering improvements in four major areas — policy; structure and people; procedures and guidelines; and technology.
The taskforce studied 10 reports of data loss cases involving 16,000 patients in six hospitals and clinics since April. The authority said all patients had been notified and no data had been leaked.
The taskforce suggested the appointment of a chief information security and privacy officer for leading HA-wide information security and privacy programs in a coordinated manner.
It added in the report that data security and privacy should be integrated into organizational performance objectives and for which chief executives have an explicit accountability within their clusters and should be required to make an annual report on information security and privacy.
The taskforce also made recommendations for adoption in the short term to minimize risk of further patient data loss. These include: automatic encryption of downloaded data; whole disk encryption for portable electronic devices; physical restriction of the use of devices; and storage and sharing of data on secure file servers.
In addition, it has come up with several principles for ongoing enhancement of data protection. They include: minimizing access to and use of personally identifiable information; minimizing transport of such information; guarding the systems containing such information against external threats; and providing concrete procedures and handling guidelines.
Andre Greyling, CIO of the Hospital Authority, said it has already implemented some of the recommended measures including automatic encryption of patient data downloaded from its clinical systems.
He added that the organization will study the report in detail, together with recommendations made by the Privacy Commissioner for Personal Data (PCPD) in its inspection report earlier this year.
“We are in the process of drawing up an action plan to implement practicable measures as recommended in both reports to enhance patient data security and privacy,” said Greyling. “A dedicated team is also being set up to work solely on improving data security within the authority.”
He added that the HA will provide PCPD with quarterly progress reports and a full report, at the end of 12 months, on the implementation of the 39 recommendations in the inspection report, together with the 26 enhancement measures recommended by the taskforce.
