How to comply with the legal requirements and minimize vulnerabilities to a cyber-attack or data security breach

Cyber risks in the healthcare sector: Security experts suggest personal data contained within healthcare records is worth ten times more than credit card data on the black market.

Date published





Security experts suggest personal data contained within healthcare records is worth ten times more than credit card data on the black market. The security of healthcare records is an increasing concern in Hong Kong following the introduction of the Electronic Health Record Sharing System (eHRSS) last year, discussed in our previous edition of the Hong Kong Medical Law Brief. We discuss the relevant legal requirements in relation to data security in the healthcare setting and advise healthcare professionals as to how to comply with these laws and minimise the risks of falling victim to a cyber-attack.
Why cyber risks are such a concern for the healthcare sector
Following the introduction of eHRSS, for the first time healthcare professionals in Hong Kong’s public and private healthcare sectors can potentially access a patient’s full medical history. Hong Kong is therefore leading the way on electronic record keeping and the benefits of electronic access to healthcare records are plentiful. However, with the increased access to personal information brings with it increased risks of cyber-attack.

Medical records are highly attractive to hackers for a number of reasons. Fraudsters can use the information to create fake identities, potentially to buy medical equipment or drugs that can be resold, or to file fake claims with insurers. Medical identity theft is also unlikely to be quickly identified by patients or healthcare providers. Further, medical records tend to be poorly secured. While credit card numbers are protected by increasingly elaborate security methods used by financial institutions, hospitals and healthcare clinics tend to use older technology with relatively poor security.
What does the law require in relation to data security of healthcare information?

There are several laws which impose data security obligations on healthcare providers in Hong Kong. The Electronic Health Record Sharing System Ordinance governs healthcare information stored on eHRSS, the Personal Data (Privacy) Ordinance applies to any personal data held by a hospital clinic and doctors must also comply with the Medical Council of Hong Kong’s Code of Professional Conduct (“the Code of Conduct”).

The Code of Conduct imposes a duty on all doctors to ensure all medical records are kept secure, which includes ensuring unauthorised persons do not have access to information contained in records and that there are adequate procedures to prevent improper disclosure or amendment (there is no specific guidance as to “adequate procedures” in the Code of Conduct). Further, doctors must have regard to their duties under the Personal Data (Privacy) Ordinance, discussed below.

Section 37 of the Electronic Health Record Sharing System Ordinance provides that a hospital or clinic which has access to eHRSS must take reasonable steps to ensure that access to a patient’s health data on eHRSS is restricted to:

  • those healthcare professionals who perform healthcare services for that patient (i.e. no one other than a healthcare professional can access data from eHRSS and healthcare professionals should not be able to access data relating to individuals who are not their own patients); and
  • the data that is relevant for performing healthcare services for that patient (i.e. healthcare professionals can only access data that is relevant to performing the healthcare services they provide to that patient – for example, a patient’s psychiatric history may not be relevant to a doctor treating that patient for a broken leg).

Healthcare providers will also store some personal data about patients (such as contact details and billing information) outside of eHRSS. The Personal Data (Privacy) Ordinance governs the collection, use and storage of any kind of data that could be used to identify an individual and applies to any data held by a healthcare provider, whether stored in eHRSS or other systems.

Data Protection Principle 4 of the Personal Data (Privacy) Ordinance provides that a data user must take “all practicable steps” to ensure that personal data is protected against unauthorized or accidental access, processing, erasure, loss or use. This is broader than the requirement to take “reasonable steps” in section 37 of the Electronic Health Record Sharing System Ordinance, as it includes data stored in the healthcare provider’s own computer systems. As such, the obligation to take all practicable steps covers not only controlling access to data, but also the security of the computer systems on which the data is stored.

What constitutes “all practicable steps” depends on the type of personal data being protected and the harm that could result if it was compromised. Much of the personal data healthcare providers hold about patients is highly sensitive. In addition to such data potentially being used for identity theft, unauthorised disclosure or access could be harmful and embarrassing to patients. “All practicable steps” requires healthcare providers to adopt a relatively high standard of security for their computer systems and networks and to actively manage that security. In the event of a security breach, the healthcare provider would need to be able to convince the Privacy Commissioner for Personal Data it had done everything practicable to protect the personal data it holds.

Advice to medical professionals
There are a number of practical electronic and physical measures a healthcare provider can put in place to minimise the risks of a security breach, including:

  • Conduct a risk assessment of systems and devices: Consider the security risks that systems and devices pose by assessing the nature of the systems and the data stored on those systems.
  • Develop security policies and processes: Following the risk assessment, prepare a written set of security policies and processes to mitigate the risk of a security breach, which should include a plan for responding to a breach once detected. Training should be conducted to ensure staff understand and follow these policies and processes.
  • Ensure security measures are actually used: Invest in electronic and physical security measures, ranging from firewalls and access controls to locking filing cabinets and offices. Ensure these measures are actually implemented and used properly, i.e. avoid disabling or workarounds for security measures for the sake of convenience. A number of security breaches are caused by a password being left as the manufacturer default or a door being left propped open.
  • Access to screens: Unauthorised persons should not be able to view patient data on an unattended computer screen or tablet. When in use, screens should not be visible from public areas.
  • Hard copies: If healthcare data is printed, hard copies should be kept secure, locked away when not in use and securely destroyed when no longer required. 
  • Portable media: Consider whether to restrict the use of USB memory sticks and other portable media. Many workplaces configure work computers to disable USB devices. If patient data needs to be downloaded to a portable drive or memory stick, that device should be kept physically secure and, preferably, password protected.
  • Social engineering: An increasing number of security breaches do not involve hacking into systems at all; the attacker simply tricks an employee into revealing a password, or providing patient data directly. Staff should be made aware of the potential for social engineering or “phishing” attacks and processes should be put in place to verify the identity of anyone asking for information.

Read other items in Hong Kong Medical Law Brief - May 2017