The hidden medico-legal risks of sharing information electronically

Dr Rob Hosking

11/04/2023 2:57:55 PM

The use of electronic communication in general practice is essential, but just how risky is sending emails or electronic pathology referrals?

With the ease of the digital environment comes risk – the most sensitive of health information can quickly fall into the wrong hands.

With many significant cyber-attacks successfully infiltrating Australian shores last year, it is critical general practice does not overlook the potential information security and privacy risks that come with communicating health information electronically.

As doctors, we know that it is extremely important that a patient has trust in their GP, and protecting their privacy is critical to maintaining this. 
Health information is sensitive by nature, and we GPs are stewards of our patients’ data. Alongside our practice team, we need to understand that sharing information electronically requires a certain level of security to prevent it from being intercepted, altered or received by unintended people.
Any communication of confidential information, whether electronically or by other means, requires us to adequately protect our patients’ privacy.
We have witnessed the reputational damage resulting from the recent Medibank cyber-attack, and the subsequent loss of consumer trust when confidential health information ended up in the wrong hands.
While Medibank’s brand no doubt suffered immense damage, many small businesses, such as general practices, simply do not recover from the losses that follow this type of event. These may include fines for privacy breaches (which have recently increased), along with the loss of once loyal patients.
Keeping the right processes, policies and frameworks in place is a must, as is:

  • performing regular risk assessments
  • implementing password protection measures for documents containing sensitive clinical information sent directly to patients
  • ensuring a current practice policy on electronic communication
  • utilising secure booking and payment systems for online transactions
  • ensuring consent and privacy measures for general practice data for use by third parties.
These are further detailed in the RACGP’s recently updated Information security in general practice resource, which provides vital support and advice on keeping your practice and patient information safe. Indeed, it was essential for supporting my own practice’s cyber security risk assessment at the beginning of the year, where electronic communication was a key focus.
Email versus secure electronic messaging
Standard email lacked security features in the past, making it vulnerable to interception. Now, with the use of encrypted connections between mail servers, the security of email has increased.
However, communication of clinical information with other healthcare providers should ideally be from within your practice’s clinical software using secure electronic messaging (there are many on the market such as Argus, ReferralNet, Healthlink, Medical Objects, and MD Exchange to name a few of the larger ones).
Within my practice, we use Best Practice software to send documents directly to other health professionals and this has several secure messaging options, depending on the recipient’s use of the same secure messaging system. Other general practice software systems also have secure messaging enabled.
For patient communication, we seek consent from the patient to use the built-in Best Practice email system (which uses our practice’s standard no-reply email) and check if the patient wants clinical documents to be password protected.
In my experience, many patients do not want password protection, but it is always wise to check as someone else at their home or workplace may inadvertently read their emails. For patients sending emails, we ask them to use a central email address that is vetted by practice staff before sending them to the appropriate GP for action.
Some systems on the market will enable paid two-way communication directly with patients, but we have decided against this option as it can result in much unpaid work. And, as we know, a lot of GP work is already unpaid and we need to minimise this if we want to remain viable.

RACGP Expert Committee – Practice and Technology Management Chair Dr Rob Hosking.

Secure electronic messaging
Sharing electronic health information within the Australian health system relies on and incorporates encrypted, secure messaging techniques. To enable this, software programs are required to include this as a function. So how exactly does it work?
Secure electronic messaging involves two processes: encryption and authentication.
Encryption means data is electronically ‘scrambled’ so it cannot be read unless the information is decrypted using a digital key. Authentication means the sender can be verified using electronic signatures.
Currently, the most common method of communicating clinical information securely between healthcare providers is secure message delivery (SMD).
SMD packages enable us to send documents from within clinical software and to receive incoming messages in our electronic clinical inbox, where reports of patient pathology and medical imaging arrive safely. This happens every day when results are sent to your general practice software system by pathology and imaging providers.
You may be unaware of this process, which is the way a good system should operate. There is no real need for everyday GPs to know all this about encryption and SMD – it should just happen.
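As an added illustration of the two processes described above (encryption and authentication), and not code from this article or from any SMD product, the Go program below signs a constructed referral document with an Ed25519 signing key, encrypts the document and its signature with AES-256-GCM, and shows the receiver rejecting both a message altered in transit and a message from a sender whose signature does not verify. The key generation, the shared AES key and the sample document are assumptions for the demonstration; real SMD products distribute keys through their own infrastructure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealReferral is the sender side: sign the document (authentication), then
// encrypt signature+document under a shared AES-256 key (encryption).
// Output layout: nonce || AES-GCM ciphertext (which includes the GCM tag).
func sealReferral(doc []byte, senderPriv ed25519.PrivateKey, aesKey []byte) ([]byte, error) {
	sig := ed25519.Sign(senderPriv, doc)
	plain := append(append([]byte{}, sig...), doc...) // 64-byte signature prefix
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// openReferral is the receiver side: decrypt (GCM also detects any alteration),
// then verify the signature against the claimed sender's public key.
func openReferral(msg []byte, senderPub ed25519.PublicKey, aesKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: message altered or wrong key")
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("malformed message")
	}
	sig, doc := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, doc, sig) {
		return nil, errors.New("sender authentication failed")
	}
	return doc, nil
}

// Demo runs the three scenarios and reports whether each behaved as intended.
func Demo() (roundTrip, tamperDetected, impostorDetected bool, err error) {
	// Constructed sample document; not real clinical data.
	doc := []byte("Referral: sample patient, constructed for demonstration")
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader) // a different signing key
	if err != nil {
		return
	}
	aesKey := make([]byte, 32) // assumed pre-shared AES-256 key
	if _, err = rand.Read(aesKey); err != nil {
		return
	}

	// 1. Genuine sender, untouched message: decrypts and verifies.
	msg, err := sealReferral(doc, senderPriv, aesKey)
	if err != nil {
		return
	}
	got, err := openReferral(msg, senderPub, aesKey)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, doc)

	// 2. Altered in transit: flip one byte; the GCM tag no longer matches.
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 0x01
	_, terr := openReferral(tampered, senderPub, aesKey)
	tamperDetected = terr != nil

	// 3. Impostor who has the encryption key but not the sender's signing key.
	forged, err := sealReferral(doc, impostorPriv, aesKey)
	if err != nil {
		return
	}
	_, ierr := openReferral(forged, senderPub, aesKey)
	impostorDetected = ierr != nil
	return
}

func main() {
	rt, td, id, err := Demo()
	fmt.Println("round trip ok:", rt, "tamper detected:", td, "impostor detected:", id, "err:", err)
}
```

The point of the three scenarios is the one the article makes: encryption on its own hides the content but does not tell the receiver who sent it, and a signature on its own proves the sender but does not hide the content, so secure messaging needs both.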
Several pathology and imaging providers have developed electronic requesting systems that either use secure data transmission directly to the service or require web-based forms to be completed.
But again, there is a lack of consistency around the country and we need the adoption of standards by these organisations as well as interoperability so patients can use their ‘referral’ at any centre.
Electronic prescribing is an example of where the system does work and is a great demonstration of what is possible. Unfortunately, there has been a lack of will by successive federal and state governments to mandate the use of interoperable standards-based secure messaging systems despite multiple recommendations over many years from RACGP and other organisations and digital health experts.
It is concerning to see the continued use of fax and paper-based communications as these lack the security and functionality offered by SMD. As GPs, we regularly coordinate the multidisciplinary care of our patients.
The multitude of ways in which we are required to send and receive information is often outside of our control and does not always align with best practice recommendations. For the status quo to change, we need SMD systems to work with each other and share information, so that SMD can be adopted across all areas of the health sector as the default way to communicate.
This will ensure the security of our patients’ privacy and health information.
Creating a security-focused practice culture
One of the key things which can support good information security is to create a practice culture focused on security and privacy awareness.
Human error remains one of the key mechanisms for privacy breaches, such as sensitive emails being sent to the wrong patient or practice staff clicking on unsafe links in emails.
Along with offering password-protected documents when emailing, you should verify and update email addresses regularly. This process should be similar to reception staff updating residential addresses and telephone numbers when patients arrive in the practice for an appointment.
You should also confirm the email address or telephone number before sending an email or an electronic prescription to a patient. Establishing a clear practice policy on how information is sent electronically to healthcare providers and patients is essential, although, as mentioned above, some of this is outside our control, as hospitals, other non-GP specialists and allied health providers have their own individual processes.
Additionally, we know data collected by general practice have a role to play in improving health outcomes in Australia by informing policy, public health initiatives, research, and service delivery.
The RACGP encourages general practices to provide data for these purposes, but it is important that this is done with careful consideration of your practice’s legal and ethical responsibilities. GPs and our general practice staff need to be adept at discerning to whom, when and how to provide our data for secondary use and that this is shared in a secure way.
The ‘Three key principles for the secondary use of general practice data by third parties’ resource is a useful guideline to support safe decision making.
While we cannot entirely eliminate the risk of privacy breaches and cyber-attacks, general practice must always be prepared with current information and policies in place, along with supporting our practice team to be resilient by creating a cyber-aware culture.
RACGP resources