21 August 2015

Ted Christiansen
Principal Advisor, Health Information Standards
National Health Board
Ministry of Health
PO Box 5013
Wellington 6145

By email: [email protected]

HISO 10029:2015 Health Information Security Framework

Dear Ted

The New Zealand Medical Association (NZMA) wishes to provide feedback on the above consultation. The NZMA is New Zealand's largest medical organisation and has a pan-professional membership. We have more than 5,500 members who come from all areas of medicine. The NZMA aims to provide leadership of the medical profession, to promote professional unity and values, and to promote the health of New Zealanders. Our feedback has been informed by input from our advisory councils, our Health IT subcommittee, and the Board.

We note that the Health Information Security Framework Standard (HISF) is intended to support organisations when preparing and maintaining their specific information security policies. We also note that the HISF provides advice about procedures and technical standards that are expected to be incorporated in organisational policies.

The NZMA is supportive of the need for standards around health information security. However, it is our view that these standards (and related policies) must be pragmatic and reflect current practice in order to be useful. We have concerns that some areas of the HISF may be impractical and/or are lagging behind current practice with respect to the way information technology is already being used in medicine. We elaborate on these concerns below.
With respect to the policy requirements for mobile devices, we note that the draft states the following: "The use of mobile and non-organisation owned equipment for organisation business is a growing trend that must only be permitted following the development of clear and unambiguous conditions including rights over the information (including images) stored." It is our view that this requirement is unrealistic, given the widespread use of mobile and non-organisation owned equipment by doctors as part of their work. Many doctors are already using their personal tablets to write ward notes, access laboratory test results and imaging data, and reconcile patient plans. Many doctors also use their personal smartphones to take photographs of patient injuries, skin lesions and fractures, and send these to their senior colleagues for advice. Patient permission is sought and the images are subsequently deleted. Personal phones are also used to stay in touch with senior colleagues, and treatment information is often exchanged by text message or email. We believe that it is unrealistic to expect users of such devices to stop using them until the development of clear and unambiguous standards. Rather, we suggest that greater emphasis be placed on educating users as to how to protect the confidentiality of the data they access and transmit.

We also highlight the need for patients to be allowed to give their permission for their personal health information to be sent by standard email. We are uncertain as to whether the HISF allows for this. While secure messaging is obviously the ideal, being able to communicate with patients using email improves patient care. It is our view that any health information security standards and policy document needs to enable messaging using even standard email where secure messaging is not available. Care should obviously be taken to ensure that this practice is accompanied by policies such as advising patients not to send urgent material via email, and to always assume that when they have not received a reply, their doctor has not seen their email.

The requirement for management to undertake a bi-annual audit of access logs is likely to pose significant challenges, particularly for smaller organisations such as many general practices. We suggest that the timeframes for this requirement could be considerably lengthened to make it more feasible.

We also draw attention to another aspect of health information security that we suggest should be specifically addressed. Many practitioners use a generic password to access hospital systems (or laboratory/radiology results) rather than getting their own unique password. This practice severely compromises security and auditing.

Finally, we are pleased to note that the Code of Ethics for the New Zealand Medical Profession, developed by the NZMA, is identified as one of the documents that have been used or referred to in the development of the draft HISF. The issue of patient confidentiality is core to our profession, and is addressed in points 11 to 15 of the Code of Ethics. We welcome the development of health information security standards and policies that align with these points.

We believe that measures to improve health information security are vitally important but should not inadvertently undermine patient care. To this end, we suggest that it is essential for IT experts involved in developing standards and policies to work closely with clinicians, from house officers to senior medical officers, in hospitals and in the community, to better understand their needs and work practices.

We hope that our feedback is helpful and would welcome the opportunity to elaborate on any of the issues we have raised.

Yours sincerely

Dr Stephen Child
NZMA Chair