Mismanage Our Health

The very unfortunate fiasco unfolding from a data breach of health records is already generating plenty of finger-pointing, none of which will be a comfort to potential victims of the breach, nor to the clinical and administrative staff using this particular system and/or others like it.

The really big questions right now are:

  • How to fix this breach and prevent widespread leakage. This may require a payment to those who now hold the data concerned. This is a well-trodden road which is routinely denied but frequently followed in both private and public agencies. The technical fixes are not necessarily complex but are in the “horse bolted” category. There may be other negotiable routes to securing the leaked data which may work, but I would not bet on it. Any payment will be denied or obscured, but this is a well-established practice. I am not advocating it, but realism is vital in terms of timing and impact.

  • How to check other aspects of this service, and others like it, for their security. There is no certainty in this; it is a constant tug of vigilance. Are there common standards across all health sector internal and outsourced data services? How are they monitored? How is the risk assessed and valued against costs? Logic would suggest that this is not done by people marking their own work, nor by those with any vested interest other than public data security.

  • Establishing future policies and structures which reduce risk of this kind, commensurate with its impact (which often becomes much clearer with an active example).

These moves are urgent because the fact of this breach means that not only the current perpetrator but others in the same line of business will now regard health records held in this system as an enhanced target.

In addition to this specific area of action, the situation demands some serious consideration of the governance and management of the health information system as a whole. It is very complex, with some centralised, some decentralised, some public and some private systems and services, with varying levels of integration and sophistication.

There are plenty of people and positions which hold accountability for various aspects of this system, if indeed it deserves a single “system” description. (I don’t know how much progress has been made since I was involved.)

As is pretty common, but unfortunate and inadequate, the first reaction has a fair bit of distancing involved. From the Minister, through Te Whatu Ora, and the Ministry (“steward of the system”), deflection seems the order of the day so far. The fact that this is a privately-run service really should not matter to accountability. The only thing that shifts is how to be accountable for what is contracted.

What governance systems are in place for such services? Are they adequate given the risks?

We are often told that private provision will be more efficient and just as secure. Whether that is true or not depends on the adequacy of technical assessment, contractual terms and ongoing monitoring. These are all the responsibility of those with governance and monitoring roles. Maybe the large cuts to IT staff went too far, or in the wrong places? Maybe too hasty in terms of impact assessment? Probably rather than maybe?

There is just no escaping the accountability and responsibility.

I don’t write this simply to sledge anyone involved. This issue of data security is as complex as any governance and management issue those of us involved encounter. We are all learning.

To learn well, and to protect such data, we have to be asking the right questions of the right people at the right time. Which is now.

Jan 4 at 7:52 PM