COLUMN-How safe our health care info system?
A Caribbean government deploys a health information system (HIS) with the goal of improving the quality and coordination of patient care in the public health system. For all intents and purposes, expert consultants from Europe and the United States are brought down to implement the system, and to ensure that best practices for securing and protecting sensitive clinical data are used. The project is successfully completed, the consultants leave, and hand over day-to-day management of the system to the government’s IT staff.
The government has no overall IT security policies, procedures or guidelines to ensure the system and the data housed in it continue to be secure and protected from malicious threats. There are no trained or experienced IT security experts on the government’s payroll. There are no data security standards enforced by the government.
There is no data protection legislation in place to provide a control framework for protecting highly confidential health care data from being stolen by hackers, or to prevent data from being accidentally lost, or leaked.
Eventually, all these weaknesses together result in persistent compromises of the system by hackers, and all the private clinical data of the citizens of the country are posted on the Internet or otherwise made available for the world to see.
Does the above scenario make you shudder? I know it scares me to death. And the Caribbean region is close to making this a reality.
In the past week, the Government of Barbados informed the public of the launch of its Med Data health care information system and electronic medical records (EMR) scheme. While it is to be commended on this much needed initiative to drive efficiency and improved standards of care in public health care, I have a number of grave concerns about the manner in which this project has been undertaken.
Data protection legislation. First, no data protection legislation has been discussed, ratified, or implemented through Parliament. Simply put, health care data must be processed fairly and with the consent of individuals, especially as it pertains to whom data is shared with and in what context.
Legislation should address key areas such as mandatory data breach notifications, heightened enforcement, heavy penalties for breaches, and expanded patient rights. Moreover, any data protection legislation should have a broader scope and include the management and protection of data in areas outside of health care, namely banking, insurance and law enforcement.
In essence, data protection legislation would hold both private and public institutions accountable and liable for damages in the event of a security breach. It would also make it mandatory that all breaches are reported to the public, so that data owners can take steps to protect their identities. And finally, it allows for heavy fines to be levied on any institution that fails to maintain strong security controls for data.
Data security standards. Secondly, there has been no development of data security standards to accompany the legislation and to provide best practice guidance for accessing, exchanging, transmitting, and storing health care data in a secure manner. On a broader scale, the Government has no risk management framework, no IT governance processes, and from an operational perspective, no procedures for responding to IT security incidents.
There has been an initiative in play for some time now to create a Computer Security Incident Response Team (CSIRT), but it has stalled due to lack of resources (human and financial).
Given the number of security incidents that have occurred in the public sector over the last couple of years, one would think that Government officials would be taking data privacy and security more seriously. Key systems at the Royal Barbados Police Force, Inland Revenue, and the Ministry of Foreign Affairs have been hacked in the last couple of years (and these are only the ones that have been made public or that the Government is aware of).
But enough criticism of the Government; let’s talk about solutions. There is no doubt that IT governance, risk and control (GRC) is an area that requires major attention from the Government of Barbados. The question is: how do we address these deficiencies?
Recommendations. For one, I would suggest that public officials engage local groups such as the Caribbean Cyber Security Centre, Information Systems Security Association (ISSA) Barbados Chapter, Institute of Internal Auditors (IIA) Barbados Chapter, and the Barbados IT Professionals Association (BIPA) to assist them in building the necessary competences to improve the control framework and information security posture of the public sector.
Additionally, an online register of consultants should be established to allow the Government to create a repository of world-class professionals — not only in IT, but across disciplines — who can assist it in delivering critical initiatives such as the Med Data project. All the expertise does not reside in Europe or North America. We have talent pools (of awesome individuals) across the Caribbean region that remain untapped.
Another area for improvement is around developing policy and legislation. There needs to be greater engagement of the general public and other interested parties in such processes — effective dialogue is constructive. Mechanisms such as e-participation or crowdsourcing can provide the Government with a better understanding of the inherent risks, latent issues or knowledge gaps that may exist in program management and project delivery.
Finally, organizational management and intellectual capital development should be foremost on the minds of public officials. The leaders that we have elected need to think more strategically and create organizational structures that are agile and can respond expediently to the needs and demands of the people, and address the key risks that the country is faced with.
Centralized strategic planning and oversight of the tactical and operational aspects of IT are needed. Key positions such as the Chief Information Officer and Chief Information Security Officer must be defined and filled appropriately. Government employees have to be trained in disciplines such as project management, risk management, IT service management, business continuity, and cybersecurity.
The aforementioned recommendations are not meant to be a panacea. They are basic parts of a maturity model; one that will permit the Government’s risk response mechanisms to evolve to better defend against the threats that exist. But more importantly, they are of critical importance to building trust in the e-government systems that the public are expected to use. They hopefully should also foster a risk-oriented philosophy that pervades throughout the public sector.
(Niel Harper is the founder and managing director of Octave Consulting Group, a boutique advisory firm specializing in cybersecurity, IT assurance and information risk management services, with focus on the Caribbean and Latin American markets.)