Louise Cantrill & Mathew McMillan - Henry Davis York
Health in the Age of the Data Revolution
Matthew McMillan, Partner
Louise Cantrill, Partner
10 March 2017
What we will cover
What has changed in the last 10 years?
Data revolution – what is it?
Real life examples in health
Key challenges
Key risks
Managing the challenges and risks
What’s changed in the last 10 years?
Electronic health record (EHR) systems
Smartphones become ubiquitous
Tele-medicine
Emerging technologies on the rise:
  artificial intelligence: accelerate R&D efforts
  augmented reality: fitness apps
  drones: emergency response
  Internet of Things: remote patient monitoring
  3D printing: customised implants
Big data revolution – what is it?
5 billion gigabytes of data every 2 days
Structured, unstructured, semi-structured
Volume, velocity, variety
Disruptive, transformative
Big data + analytics = data-driven insights = value
Current state of play in Australia
10% are using big data
45% are investigating how they use big data
25% do not see a need for big data
20% see a need but are not investigating how to use big data
Big data matters!
Privacy and security matters!
Personal information issues are becoming more prominent
97% of Australians don’t like their personal information being used for a secondary purpose
Dissonance between what we want and what is possible
Data-driven innovation needs a strong foundation in privacy
Privacy underpins security: “two sides of the same coin”
Key privacy and security challenges
Breadth of personal information subject to regulation:
  information capable of identifying an individual, or rendering an individual reasonably identifiable
  including identification through the combination of data sets
Sensitive information includes:
  health information
  genetic information
  biometric information used for verification or identification
Differing regulatory approaches here and overseas
Key privacy and security challenges
Openness and transparency in the management of personal information
To achieve this, you need to understand your data flows
Knowing your data flows also underpins the data security strategy
Key privacy and security challenges
Notification and consent:
  must notify the individual how personal information is collected, the purposes of collection and to whom the information will be disclosed
  the traditional notion of “informed consent” is challenged
Issues:
  consent buried in privacy policies
  bundling of consents
  obtaining meaningful consent
  avoiding negative reactions
Key privacy and security challenges
Use and disclosure of personal information:
  cross-border disclosures and accountability
  the IoT industry is generally poor on privacy
  data mapping and supplier due diligence are critical
Security:
  the burden increases with the sensitivity of the personal information involved
  it is not just a matter of compliance, but a business fundamental
Risks
Mandatory data breach reporting requirements
Action by the Privacy Commissioner(s)
Breach of duty
Class actions
A statutory duty based on a right to privacy?
Identity theft, ransomware
Mandatory data breach reporting
My Health Records Act 2012 (Cth)
  Applies to registered healthcare providers
  Must notify the Privacy Commissioner and/or the System Operator (in the case of State and Territory agencies) when there has been unauthorised collection, use or disclosure of health information included in a healthcare recipient's My Health Record
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
  Applies to entities covered by the Privacy Act 1988 (Cth)
  Must notify the Privacy Commissioner and affected individuals of an ‘eligible data breach’: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals to whom the information relates
  Failure to notify may result in investigation by the Privacy Commissioner
Privacy Commissioner
Commissioner's powers:
  undertake investigations
  make a determination
  accept enforceable undertakings
  seek civil penalty orders of up to $1.7 million for companies under the Privacy Act
Privacy Commissioner
Recent investigations involving a number of Australian companies, NSW public sector agencies and healthcare providers:
  Pound Road Medical Centre
  Organica and Brygon
  MedVet
Breach of duty
Wyndham Worldwide (US)
  Hackers invaded the main network of one of Wyndham’s operating subsidiaries and stole credit card information for over 619,000 Wyndham customers
  The Federal Trade Commission began to investigate and subsequently commenced legal proceedings
  Wyndham’s shareholders simultaneously brought a shareholder derivative action against certain directors and officers of the company, with the company itself as nominal defendant
  Duty owed, but not breached: adequate systems were in place
Class actions
Horizon Blue Shield
  Two laptop computers containing sensitive personal information about members were stolen from Horizon
  Even without evidence that the plaintiffs’ information was used improperly, the alleged disclosure of their personal information created a de facto injury
Medical Informatics Engineering
  It took MIE three weeks to discover that hackers had gained access to its systems, compromising the personal information of nearly 4 million Americans
  Insurers sought an order declaring no duty to defend or indemnify MIE
Triple-S Management Corporation
  USD $3.5 million settlement after repeatedly failing to put safeguards in place to protect beneficiaries’ information
Class actions
Lahey Hospital and Medical Center
  Non-profit teaching hospital to pay USD $850,000 and implement corrective actions for violations related to lax security
Sony
  Settlement reached after detailed medical records were swiped in a cyberattack
Cancer Care Group
  Large radiation oncology practice fined USD $750,000
  Unencrypted server backup media and a laptop containing the protected health information, Social Security numbers and insurance data of some 55,000 patients were stolen from an employee's car
Action for breach of privacy?
Google v Vidal-Hall (UK)
  Collection of private information about internet usage
  An action for breach of privacy is now decoupled from the requirement to prove economic loss
Legislative right to privacy?
Data security risks
Identity theft
Unauthorised trading in personal data
Ransomware:
  Royal Melbourne Hospital cyber attack on the pathology department in January 2016
  Gold Coast medical centre held to ransom by Russian hackers who encrypted thousands of patient medical records
Managing the challenges
De-identification as a potential solution:
  what does it look like?
  possibility of re-identification, e.g. the Australian Public Service employee census
  creation of new personal information through the power of analytics
  need for multi-sector cooperation
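The two points above about personal information arising from the "combination of data sets" and the "possibility of re-identification" of de-identified data describe a linkage attack: a release that has had names stripped but keeps quasi-identifiers (postcode, year of birth, sex) is joined against a public data set that still carries names. The following is an added example, not material from the presentation or from Henry Davis York; all records are constructed, and the field names, the k-anonymity check and the generalisation rules are the author's own assumptions about how such a release would be structured and hardened.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("postcode", "yob", "sex")

# Constructed "de-identified" hospital extract (example data, not the
# presentation's): names and Medicare numbers removed, but the quasi-identifiers
# postcode, year of birth and sex are left intact.
DEIDENTIFIED_RECORDS = [
    {"postcode": "3000", "yob": 1975, "sex": "F", "diagnosis": "type 2 diabetes"},
    {"postcode": "3000", "yob": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "4217", "yob": 1962, "sex": "F", "diagnosis": "breast cancer"},
    {"postcode": "4217", "yob": 1962, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "2000", "yob": 1990, "sex": "F", "diagnosis": "depression"},
    {"postcode": "2000", "yob": 1990, "sex": "F", "diagnosis": "migraine"},
]

# Constructed public data set that carries names (think of a sports-club
# member list) and shares the same quasi-identifiers.
PUBLIC_RECORDS = [
    {"name": "A. Citizen",  "postcode": "3000", "yob": 1975, "sex": "F"},
    {"name": "B. Resident", "postcode": "4217", "yob": 1962, "sex": "F"},
    {"name": "C. Member",   "postcode": "2000", "yob": 1990, "sex": "F"},
]


def quasi_key(rec):
    """The tuple of quasi-identifier values the two data sets are joined on."""
    return tuple(rec[f] for f in QUASI_IDENTIFIERS)


def linkage_attack(deidentified, public):
    """Join the two data sets on quasi-identifiers.

    Returns {name: diagnosis} for every public record that matches exactly one
    de-identified record: a unique match is a re-identification.
    """
    classes = {}
    for rec in deidentified:
        classes.setdefault(quasi_key(rec), []).append(rec)
    reidentified = {}
    for person in public:
        matches = classes.get(quasi_key(person), [])
        if len(matches) == 1:
            reidentified[person["name"]] = matches[0]["diagnosis"]
    return reidentified


def k_anonymity(records):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    counts = Counter(quasi_key(r) for r in records)
    return min(counts.values())


def generalise(records):
    """Coarsen the quasi-identifiers so every record shares them with others:
    postcode -> first two digits, year of birth -> decade, sex suppressed.
    Other fields (name, diagnosis) are passed through unchanged.
    """
    out = []
    for r in records:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "**"
        g["yob"] = (r["yob"] // 10) * 10
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(DEIDENTIFIED_RECORDS))
    print("re-identified:", linkage_attack(DEIDENTIFIED_RECORDS, PUBLIC_RECORDS))
    released = generalise(DEIDENTIFIED_RECORDS)
    print("k after generalisation:", k_anonymity(released))
    print("re-identified after:", linkage_attack(released, generalise(PUBLIC_RECORDS)))
```

On the constructed data the naive release has k = 1 and two of the three public records link uniquely to a diagnosis; after generalisation every equivalence class has two members and the join finds no unique match. A k-anonymity check is a floor, not a guarantee: if all members of a class share the same diagnosis the attribute still leaks, and a second auxiliary data set can split classes that looked safe, which is why a release should be assessed against the data sets an adversary can plausibly obtain rather than in isolation.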
Managing the challenges
Implement a privacy and security management program
Undertake privacy impact assessments (PIAs)
Be alive to changing community attitudes
Put patients/clients in control:
  increased transparency
  privacy policy
  privacy settings
  consent
Managing the challenges
Notification and consent models:
  continuous
  unbundling
  meaningful
  dynamic
Increased involvement and engagement of patients/clients on new initiatives
Managing the challenges
Data security:
  technical, operational and contractual safeguards
  reviewing the adequacy of existing measures
  ensuring appropriate contractual protections with vendors
Implementing a management framework
Mature information governance frameworks
Top-down management approach
Policies, practices and procedures
Regular staff training
PIAs
Threat or risk assessments
Data breach response plans
Audits
Testing
Technology