Data security concepts and entry reading

Data security concepts and entry reading

We have compiled short descriptions of key concepts and a reading list for people who wish to enter into the world of digital health.

This background knowledge will help you to make informed decisions on choosing the right technology for your telehealth service.

End-to-end encryption

Encryption is the technique that turns our data into an undecipherable format so that no third party can read or alter it. It’s what keeps us safe in the ocean of the internet. End-to-end encryption means that only the sender and receiver can read or see the communication.

Encryption is especially important for keeping a website secure. Every website address starts with either an ‘http’ or ‘https’. If a website begins with https, that means it has an SSL or TLS certificate installed on its origin server to make it more secure, and that means the data between the website and your browser is encrypted, so no-one can see the information being transferred. You can also see the presence of SSL or TLS ‘protocols’, when there’s a padlock icon that appears first thing in the address bar. We use these encrypted SSL or TLS connections, for most of our activities on the internet – some examples include when we log onto our internet banking site, Coles, Facebook, or even just browse the Digital Health CRC homepage. 

Further reading:

Jay Thakkar. End-to-end encryption: the good, the bad, and the politics. hashedout. (4 Nov 2019)

What is encryption? Types of encryption. Cloudflare. (2020)

Why is HTTP not secure? HTTP vs. HTTPS. Cloudflare. (2020)

Where is the data stored?

Data storage refers to any number of ways that physical recording media are used to retain information read by computer systems so that it can be retrieved when needed. Data can be stored on-premise, co-located, or in public or private ‘clouds’.

  • On-premise data storage: data is stored on computer servers that are owned and managed by your organisation.
  • Co-location: your data storage equipment is in a ‘data centre’ which is not on your premises (it may be a service provided by another organisation) – but you still retain complete control over the data.
  • Public cloud: storing data with a public cloud provider makes it easy to have more storage space, computer resources, and allows the employee to utilise data from almost anywhere. The open nature of the environment makes it difficult to protect sensitive data from unauthorised access. Examples include Dropbox and Google Drive.
  • Private cloud access: for companies that cannot afford to take risks, private cloud offers a greater level of security, especially when coupled with encryption protocols. It is a form of co-location but no hardware is involved. Virtual servers can offer companies all the benefits of physical equipment while being much easier to maintain.
  • Hybrid and multi-clouds: an approach to network architecture that stores sensitive data in secure private clouds while still taking advantage of the computer power of public cloud services. (Alan Seal, 6 September 2019)

Further reading:

Alan Seal. 4 data storage methods for business. VIRTUS Data Centres (6 Sep 2019)

Anthony Carter. Where is cloud data physically stored? VIRTUS Data Centres (24 April 2019)

healthvital IT. What is the ‘cloud’ and how can we use it? South Eastern Melbourne PHN (no date) 

Where is the platform hosted? Why is it important?

It’s important to consider where your data is held and transmitted – and there are strong reasons for health professionals to consider Australian-based services for data storage and web conferencing.

The use of offshore web conferencing solutions introduces additional business and security risks, where a website or network-based portal enables interaction among virtual community members. There are both technological components and policy components to these risks. 

For example, laws in other countries may change without notice and foreign-owned service providers that operate in Australia may still be subject to the laws of a foreign country. Also, service providers who are located offshore may be subject to lawful and covert data collection requests, which might lead to external access to your organisation’s data without your knowledge.

Further reading:

Australian Cyber Security Centre. Web conferencing security. Australian Signals Directorate. (April 2020)

Secure messaging

Secure messaging is a critical component of digital health care. Secure messaging products are used to make sure that electronic communication and document transfer are reliable and confidential, and they can also streamline workflow and provide seamless audit trails. Secure messaging also: integrates directly with clinical software systems; improves patient matching; makes critical patient information more accessible and readily available; reduces the chances of communication breakdown; has a send/receive audit trail; and lets you receive priority clinical information in real-time.

The Australian Digital Health Agency collaborated with the health community to develop a set of standards that health technology providers must comply with, called SMD (Secure Message Delivery). These specifications mean that messages that contain clinical documents can be delivered between healthcare organisations. Many organisations use an approved messaging service provider to deliver these communications, and the Australian Digital Health Agency maintains a Register listing the suppliers of clinic software and secure messaging solutions which comply with these standards. There is ongoing work to resolve the issue of the continued lack of a consistent approach to secure messaging and information exchange across Australia health care.

Further reading:

Australian Digital Health Agency. Secure messaging. Australian Government. (no date)

Australian Digital Health Agency. Register of conformity. Australian Government. (no date)

Health Vital IT. Secure messaging and electronic clinical referrals. South Eastern Melbourne PHN. (no date)

South Western Sydney PHN. Secure messaging. (no date)

Interoperability

.Modern health care systems have moved to collaborative, patient-centred care, where health professionals work in partnership. Digital health plays an important role in sharing confidential patient data between treating professionals.

Health data exchange architectures, application interfaces and standards are required to make sure that data is accessed and shared appropriately and securely across the complete spectrum of care, within all applicable settings and with relevant stakeholders, including by the individual.

Interoperability is how different computer systems can access, exchange, integrate and use data in a co-ordinated manner, so that information is provided in a reliable and timely way, to optimise the health of individuals.

There are four levels of interoperability:

– foundational (how one system connects with another to securely communicate and receive data from each other)
– structural (the format, program language (syntax), and organisation of data exchange)
– semantic (standard variable definition), and
– organisational (governance, policy, social, legal and organisational considerations to facilitate seamless communication and use of data within, and between organisations and with individuals).

Further reading:

Health Information and Management System Society (HIMSS). What is interoperability in health care? (no date)

Application Programming Interface (API)

API is the acronym for Application Programming Interface, which is a piece of software that works like a translator and lets two different applications talk to each other. Each time you use an app like Facebook, send an instant message or check the weather on your phone, you’re using an API. These play a critical role in digital health.

Further reading:

MuleSoft. What is an API? (Application Programming Interface)

Healthcare IT News. What you need to know about healthcare APIs and interoperability (April 2019)

Compliance to Australian Privacy Principle (APP compliance)

The Privacy Act 1988 (Cth) (Privacy Act), which includes the Australian Privacy Principles (APPs), regulates the way that individuals’ personal information is collected, used and managed. The Act gives people the right to know why their personal information is being collected, how it will be used, and to whom it will be disclosed, and to ask for access to, or correction of, this information.

Further reading:

Google Cloud. Australian Privacy Principles (APPs)

Office of the Australian Information Commissioner (OAIC):

Health Insurance Portability and Accountability Act (HIPAA) compliance

The Health Insurance Portability and Accountability Act (HIPAA) in the United States sets the standard for sensitive patient data protection which is adopted by most global health software companies. Systems which have HIPAA compliance also usually comply with any subsequent amendments to HIPPA and any related US Federal legislation such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Companies that deal with protected health information (PHI) must have physical, technical, and administrative safeguards and process security measures in place and follow them to ensure HIPAA compliance.

In Australia, the Privacy Act (see section above) is the equivalent to HIPAA, and Australia is recognised as having some of the most stringent patient privacy and confidentiality laws in the developed world.  

HIPAA Journal. HIPAA compliance checklist 2019-2020

Have you got changes, suggestions, or more information? We'd love to hear from you. Use the form below to suggest or upload a resource.