Key Takeaways
- Manage My Health, a healthcare provider, has been criticized for its handling of patient data, with concerns over its storage and security practices.
- The company’s terms and conditions appear to provide an "out" for any potential breaches, with users warned that the system may not be secure.
- Industry experts and commentators believe that a lack of regulatory oversight and weak penalties have contributed to the issue.
- The Digital Health Association has lobbied against stronger privacy laws and regulation, despite warnings from Privacy Commissioners.
- Health NZ is considering introducing independent cyber-security auditing in the future to ensure the security of health information.
Introduction to the Issue
The recent data breach at Manage My Health has raised concerns over the company’s handling of patient data. The company has been criticized for its storage and security practices, with some experts believing that it has failed to invest in adequate measures to protect patient information. Despite having two years to address the issue, the company has not made sufficient changes, leading to the current breach. The company’s terms and conditions also appear to provide an "out" for any potential breaches, with users warned that the system may not be secure.
Lack of Regulatory Oversight
The lack of regulatory oversight in the healthcare industry has been cited as a major contributor to the issue. The Digital Health Association, the industry body for health software vendors, has lobbied against stronger privacy laws and regulation, despite warnings from Privacy Commissioners. This has resulted in weak penalties for companies that fail to protect patient data, allowing them to be "quite lax" in their security measures. The industry has argued that stronger regulations would be "overly burdensome" and would stifle innovation, but experts believe that this is a false dichotomy.
Industry Response
The Digital Health Association has responded to criticism by stating that it does not oppose regulation, but rather advocates for "better" legislation. The association’s chief executive, Stella Ward, said that the organization supports the intent of the Therapeutic Products Act, which would regulate software as a medical device with surveillance and penalties for non-compliance. However, the association believes that the bill as drafted lacked clarity and risked creating broad, impractical definitions. The association has also stated that stronger penalties alone do not prevent incidents, and that continuous investment is required to ensure the safe and efficient delivery of digital health services.
Health NZ’s Response
Health NZ has stated that it is Manage My Health’s responsibility to ensure the data it is contracted to manage is "safe". The Health Information Security Framework (HISF), published by Health NZ, is intended to guide the health sector in the secure use and management of health information and the information technology that handles it. However, a spokesperson indicated that oversight could be introduced in the future, including independent testing of third-party services such as patient portals. This could provide an additional layer of security and protection for patient data, and would help to ensure that companies like Manage My Health are held to account for their security practices.
Conclusion
The Manage My Health data breach highlights the need for stronger regulatory oversight and penalties in the healthcare industry. The lack of clear guidelines and consequences for companies that fail to protect patient data has allowed companies like Manage My Health to be lax in their security measures. The industry’s lobbying against stronger regulations has contributed to this issue, and it is time for the government to take action to ensure that patient data is protected. The introduction of independent cyber-security auditing and stronger penalties could help to prevent similar breaches in the future, and would provide patients with greater confidence in the security of their health information.
