Rob Hosking <[EMAIL PROTECTED]> wrote:
> 
> Dear All
> I would be interested in other people's ideas to respond to this e-mail
> from Paul Oppy at Austin Health. (The Austin is one of the major
> hospitals in Melbourne for those who don't know).
> I have asked to be removed from their e-mail list suggesting that I will
> only receive encrypted e-mail regarding my patients. It concerns me that
> such a large public institution is going down the track of using plain
> e-mail for this communication with GPs. They also appear to have sought
> advice from the Privacy Commissioner which is at odds with the advice the
> GPCG received during the Security Project. Like most things, I suspect
> that people will interpret things the way they want until it is
> challenged legally.
> I have referred him to the GPCG Security Guidelines and I am going to
> inform him that future GP practice accreditation standards are likely to
> be enforcing that communication be encrypted or secure in some other 
> form.
> Does anyone have any other thoughts that we can use to implore them to
> not proceed in this way? Are there any other major public hospitals
> around Australia taking this stance?
> Regards
> Rob Hosking
> GPCG Privacy and Security Standing Committee (?still standing)
> 
> Dear Dr Hosking,
> 
> Wendy has probably responded to you by now, letting you know that she
> will remove your email address from her list, so that you don't receive
> unencrypted email from Austin.
> 
> I'm responding to you, as Chairman of the Privacy and Security Committee
> of the GPCG, on the wider issue of email encryption as it affects all
> GP’s with whom Austin communicates via email.
> 
> As Director of Information Technology at Austin, I respect and share the
> concern of the GPCG about the confidentiality of email messages.
> However, I'd like to explain why Austin persists with unencrypted email
> and ask your advice.
> 
> This issue was considered very seriously by Austin's Privacy Committee
> before our current policy was adopted. The recommendations of the
> Privacy Commissioner were considered. On balance, the Committee decided
> that the benefit of rapid and reliable email communication to GP’s
> outweighed the risks to patient confidentiality. Hence, GP’s were
> offered the option of receiving messages via unencrypted email if they
> preferred that to faxed messages. About 10% of GP's took up that offer.
> 
> Recently, Austin consulted the Health Commissioner's Office on this
> issue. In brief, the response was:
> 
>             The law does not state that you _cannot_ email without
>             encryption, although we are required to take reasonable
>             steps to prevent patient information from being lost or
>             misused and we need to weigh up the benefits of emailing
>             information against the risks.
> 
>             Reasonable steps could include:
> 
>                 + Have an email audit trail of emails that fail – Austin
>                   has this.
>                 + Ensure that information on patients who have opted out
>                   is not sent out – Austin also has this in place.
>                 + Have email guidelines that list certain precautions,
>                   e.g. check email addresses, do not use distribution
>                   lists to send patient information, etc. Austin’s
>                   Privacy Committee approved our emailing guidelines
>                   last year.
>                 + Ask GP’s if they prefer their patient information by
>                   fax or email. We currently do this and our GP database
>                   reflects their preferences.
> 
>             The Commissioner’s Office thought that emailing is not
>             necessarily any more dangerous than faxing. It could even be
>             argued as safer and the risk of fraud or identity theft of
>             health information is low.
> 
> At about the time Austin offered GP’s unencrypted email, the hospital
> also put considerable effort into setting up a PKI encryption service
> for GP's who wanted to transmit outpatient referrals via encrypted
> email. This service was promoted to GP's by the Northern Division of
> General Practice and the North East Valley Division of General Practice.
> The outcome was that three GP's took up the encryption offer, a minute
> percentage.
> 
> Austin would have to invest substantial funds in software and
> administration to extend encryption to admission and discharge notices.
> With very little prospect of significant up-take by GP's, it's
> impossible to justify this expense. So, for now, the hospital offers
> only unencrypted email, fax or post as GP communication options.
> 
> There's a wide range of encryption options available but the hospital is
> reluctant to pursue any of these options until it sees where GP
> preferences lie. We simply can't afford to introduce multiple solutions,
> or solutions which are adopted by only a very small percentage of GP's.
> And, presumably, GP's will favour a solution which is common to all the
> hospitals and other service providers with whom they communicate
> electronically. I'd appreciate your Committee's advice on which
> encryption/decryption mechanism would most likely attract a significant
> proportion of GP's.
> 
> Paul Oppy
> Director of Information Technology
> */Austin Health/*
> Heidelberg 3084
> (03) 9496 3391

Where does one start when presented with such uninformed opinions? It may be 
forgivable for the Privacy Commissioner to be ignorant of the true nature of 
unencrypted Internet email (although s/he should seek expert advice), but it is 
unforgivable for the Director of IT at a major public hospital to be so 
ill-informed. As has been said so many times by so many people in so many 
places: unencrypted email provides no more confidentiality than does writing a 
message on the back of a postcard and sending it without an envelope via 
Australia Post. Anyone and everyone who handles the postcard along the delivery 
chain can read what is written on the back without the slightest effort - and 
so it is with unencrypted email. Would it be acceptable to the public or the 
privacy commissioner for Austin Hospital to send identified discharge summaries 
for patients on the back of a naked postcard via Australia Post? Of course 
not! Unbelievable!

Tim C