Special task group submits review report on patient information security
************************************************************************
The Hospital Authority (HA) today (September 27) announced the acceptance of the "Report on the Review of Patient Information Security at Accident & Emergency Departments (AEDs)" by the special task group appointed earlier by the HA Chief Executive to conduct an urgent and focused review into information security in the HA, with a particular focus on clinical system security risks with regard to patient privacy protection and front-line operation.
The HA spokesperson said that the special task group was established in late June following concerns expressed by staff and the community towards patient data security associated with the Accident & Emergency Information System (AEIS).
"The special task group has thoroughly reviewed various aspects including access, display, use and security of patient data in the HA's clinical systems in the AEDs and suggested corresponding improvements on security policies, technology and procedures for enhancing the security and privacy of patient data," the HA spokesperson said.
In concluding the review, the following recommendations have been made by the special task group:
- Strengthen system access control of the AEIS, including mandatory personal login and access rights based on operational needs and audit controls;
- Enhance traceability and accountability of user activities in the AEIS;
- Transform the Accident & Emergency process and workflow through electronic documentation to minimise the risk of exposure of hard copies of patient data;
- Improve physical security control by setting up "public area", "clinical area" and "staff area" in AEDs, and to further protect privacy on computers and display monitors;
- Review AEIS disaster module reports to enhance report content while minimising disclosure of patient information;
- Enhance staff awareness and training on patient information protection and proper handling guidelines on external requests for patient information;
- Further collaborate with the Privacy Commissioner for Personal Data to enhance policy and practice on handling patient information; and
- Explore technological solutions to facilitate fast login for the AEIS to balance between workflow efficiency and access control in the heavily loaded AEDs.
The HA has accepted the findings and all recommendations made by the special task group. "The HA has always accorded priority to safeguarding patient privacy. We will implement necessary follow-up measures in accordance with the recommendations made by the special task group," the HA spokesperson added.
The HA also expressed gratitude to the Chairman and Members of the special task group for providing their professional views and valuable suggestions to the HA within such a short time. Membership of the special task group is as follows:
Chairman
---------
Mr Jason Yeung
HA Board Member
Chairman of the Audit and Risk Committee of the HA Board
Members
---------
Professor Daniel Lai
Co-opted member of the Information and Technology Services Governing Committee of the HA Board
Former Chief Information Officer of the Hong Kong Special Adminstrative Region Government
Mr Stephen Lau
Ex-co-opted member of the Information and Technology Services Governing Committee of the HA Board
First Privacy Commissioner for Personal Data
Ends/Friday, September 27, 2019
Issued at HKT 18:15
Issued at HKT 18:15
NNNN