Key Challenges in Implementing Information Security and Privacy Policies in Public Sector

Presented by Dickson Wong, Hospital Authority
19 May 2010

Quote from former Privacy Commissioner, Mr KM LAU

Security and Privacy Risks of a Medical Record Database

• Besides information on the individual's physical health, a medical record may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy.

• Information from a medical record may influence an individual's credit, admission to educational institutions, and employment. It may also affect the ability to get health insurance, or the rates for coverage.

• With the creation of medical databases many individuals have expressed some apprehension as this and other information begins to become computerized. There is a fear that computerized records will allow many more people to legitimately access medical records. The tendency for "function creep" could lead authorized users to use the data for unauthorized purposes.

Source: PCPD, 2000

Privacy Complaint Statistics (1/2)

[chart]
Source: Annual Report 2009, PCPD

Privacy Complaint Statistics (2/2)

• Use or disclosure of personal data beyond the scope of the collection purpose and without the consent of the individual (31%);
• Lack of security measures to protect personal data (28%);
• Excessive or unfair collection of personal data (27%); and
• Non-compliance with data access or correction requests (12%).

Source: Annual Report 2009, PCPD

Other Reasons for Data Leaks

Privacy and Security at Risk:
• Hacking
• Theft
• Backdoor / Trapdoor
• Social Engineering, etc.

Hospital Authority

• Patients' medical history
  • Paper folders
  • Electronic data
• Other confidential information

Information Security Infrastructure

• Layered security in IT infrastructure
• Physical lock-down of risky workstations
• Application security
• Network security
• Audited patient database accesses
• Secured remote access

Still Security & Privacy Breaches

• Loss of USB drives containing patient data
• Loss of paper medical records
• HA medical records in Foxy / Facebook posted by 3rd parties

Policy:
Avoid storing personal data on portable devices. If necessary, always protect it with encryption or use HA encrypted devices.

Incident:
a) Storing unnecessary personal data
b) No protection

Paper records

• Thousands of records transacted per day
• Security vs operational efficiency
• Cannot eliminate: loss during transit
• Minimize by digitization

Social networking web sites

[image]

The Foxy Challenge

[image]

Incident Management

• Hospital Authority:
  • Medical events
  • Outbreak of infectious diseases
  • Safety incidents
• Well-defined protocols and procedures are built into the system, now including:
  • Information security / privacy incidents

Incident Reporting

[figure]
Source: Sveen et al., 2007

Known factors

• Although policies are clear, mindset (awareness) needs time to build up
• Convenience vs compliance
• Weak risk culture
• Reluctance towards change

Learn from Incidents

• Management focus on incidents / events
• Events, e.g. near-miss cases, are just one step before an incident
• Promulgate the policy and compliance – usually very effective

Prevention

• Ideally, assessment before the risk is exposed
• Cannot rely solely upon a single party; the business users must be made accountable and responsible

Privacy Impact Assessment (PIA)

• PIA Process (diagram): Requirement Phase → Design Phase → Deployment Phase → Maintenance Phase (Production Systems)

Privacy Impact Assessment (PIA)

• A data flow tracing exercise (diagram)

Who Conducts PIA?

• PIA is owned by the Project Manager
• PM knows how personal data are:
  • Collected
  • Kept
  • Used
  • Secured
  • Accessed

PIA Initial Assessment

• Objective: highlight probable privacy issues through questioning on:
  • Technologies adopted
  • Personal data identifiers used
  • Organizations involved
  • Data itself
  • Exemptions / exceptions claimed

PIA Initial Assessment: Technologies

1. Smartcards
2. RFID tags
3. Mobile phone / GPS locators
4. Visual surveillance
5. Biometric data collection
6. Monitoring of electronic communication
7. Data mining & profiling

PIA Initial Assessment: Personal Identifiers

• Using personal identifiers such as HKID, biometric data, etc.?
• Authentication / identity management?
• Converting anonymous to identified information?

PIA Initial Assessment: Organizations

• What are the organizations involved:
  • External 3rd parties?
  • Outsourced parties?
  • Government agencies?
  • Business partners?

PIA Initial Assessment: Personal Data Itself

• New or changed handling?
• New or changed amount of data?
• Large group of individuals?
• Inter-linking or cross-referencing?

PIA Initial Assessment: Claimed Exemptions / Exceptions

• From ordinance / legislation?
• Other claimed justifications such as security and safety?

Completion?

Initial Assessment Result

• "YES" answers indicate possible privacy concerns

Detail Assessment: Privacy & Security

• HIPAA: the Privacy Rule overlaps with the Security Rule in safeguards / protection

PIA Detail Assessment

• Who, when, what, how, why, …
• Any way to reduce personal data?
• Is it legal? Consent sought?

PIA Detail Assessment

• System function, provision, controls
• Use of information
• Retention

PIA Detail Assessment

• Sharing with internal and external individuals / organizations
  • In line with the purpose of collection?
  • Legal agreement, confidentiality undertaking
  • What safeguards protect download, transmission, etc.?

PIA Detail Assessment

• Technical safeguards
  • Access control
  • Database encryption / protection
  • Backup and recovery
  • Auditing
  • Training
  • etc.

PIA Detail Assessment

• Individual's right to access, correct, redress

PIA Detail Assessment

• Risks identified
• Controls (system / manual) in place
• Residual risks made known to management
• PIA is an on-going assessment to address change in the system and change in the environment

Ultimate Goals of PIA

• Effectively communicate privacy risks not addressed in conventional project management / system design
• Build trust and confidence with the public
• Clear accountabilities
• Reduce risks

Thank You