Cloud Storage of Medical Records

The data files are stored on a server owned by a cloud service provider such as Google Drive or Dropbox.

You must have connection to the internet to access the stored information. Benefits for businesses can include cost savings, access by multiple users, and data compatibility across different machines and browsers.

Security risk

Security is the big risk of handing over control of your data to an external vendor.

Medical records contain data that is sensitive and subject to strict legal requirements. They are also extremely vulnerable to theft, because the information they contain has “street value” – it could be used for identity theft, to falsify drug prescriptions, claim false health benefit payments, and even enable stalking.¹

Loss of security of your medical records could breach privacy law, harm patients, damage your practice’s reputation, or affect the practice’s ability to function. Under Australian privacy law, a practice must take reasonable steps to protect personal information it holds from misuse, interference or loss; and from unauthorised access, modification or disclosure.²

Each practice’s circumstances must be taken into account. A cloud-based system may offer better security than a self-hosted system in a practice without security processes or qualified maintenance staff. In a well-publicised case in 2012, Russian hackers demanded a ransom after encrypting and disabling a Gold Coast GP clinic’s medical records.³

The fast pace of cloud development and the technical nature of data security may be daunting for doctors without extensive IT knowledge. External assistance is recommended.

A useful document is the Defence Department’s Cloud Computing Security for Tenants⁴ which aims to help a cloud user’s cyber security team, cloud architects and business representatives to work together to perform a risk assessment and use cloud services securely. Risk mitigations detailed include:

• using a cloud service with particular accreditation (some providers may abide by the international standard for cloud privacy – ISO27018)
• annually testing an incident response plan
• encrypting data sent to the cloud
• multifactor authentication
• encrypted backup stored off-line or with another cloud provider
• having adequate bandwidth for reliable network connectivity
• contractually retaining legal ownership of your data.

Your contract with a cloud provider must address mitigations to security risks, persons who can access your data, and the security measures used to protect your data.

Server location

The location of servers is a vital consideration in choosing a cloud service provider – servers in Australia are recommended. Some well-known cloud services have servers located overseas. Australian privacy law requires that before personal information is disclosed overseas, a practice must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles.⁵

If you believe the country where the servers are located has similar privacy laws to Australia, you should obtain documentation such as independent legal advice to support this. If not, your options are to:

• not use that cloud service provider
• enter into a contract with the cloud service provider requiring them not to breach the APPs
• get consent from patients to disclose their information to the cloud service provider.

Seek further information and legal advice before embarking on any of these options.

Useful information on information security

• Office of the Australian Information Commissioner: Guide to Information Security
• Royal Australian College of General Practitioners: Computer and Information Security Standards

Karen Stephens
Risk Adviser, MDA National

References

1. Funnell A. Your Health Information is Neither Safe Nor Secure. ABC News, 12 Nov 2016. Available at: abc.net.au/news/2016-11-12/your-health-information-is-neither-safe-nor-secure/8005338
2. APP11 – Security of Personal Information. More information available on the website of the Office of the Australian Information Commissioner: oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-11-app-11-security-of-personal-information
3. Hicks S. Russian Hackers Hold Gold Coast Doctors to Ransom. ABC News, 11 Dec 2012. Available at: abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676
4.  Department of Defence, Australian Signals Directorate. Cloud Computing Security for Tenants. April 2015. Available at: cyber.gov.au/publications/cloud-computing-security-for-tenants
5. APP8 – Cross-border Disclosure of Personal Information. For more information see the Office of the Australian Information Commissioner. Available at: oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information