Secure digital communications within the NZ health & disability sector Implementation guidance
Original Document can be downloaded from the NZHIT Resources page under the heading of "Security & Privacy"
Health agencies that hold health information must ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take against - loss, access, use, modification, or disclosure, except with the authority of the agency; and other misuse.
Communication between health agencies is an essential part of healthcare delivery. Digital communications such as e-mail, text, messaging, etc are commonplace and provide significant operational benefits in improving communication between people and agencies, providing access to health information and supporting clinical and business workflow. Ensuring that communications, whether analogue or digital, are secure is a fundamental requirement of a modern health system.
Health Information Security Framework (HISF)
The HISF provides guidance on the security safeguards that should be applied by health agencies. Health agencies must align their security policies and assess their current security practices, and the digital tools they use, against the guidance provided in the HISF. Security controls must be practical and the impact on agencies workflow and business practice needs to be understood and effectively managed.
This implementation guidance is specific to e-mail and fax; similar guidance on other aspects of the HISF will be released over time.
The HISF asserts that all patient identifiable information must be protected at rest and in transit. Specifically, chapter 8 of the HISF (Communications) notes that health agencies are required to “ensure the integrity of information communicated across networks… [and] use appropriate encryption standards, when exchanging health information between external parties".
E-mail and fax are two of the most common communication tools used in the health sector. The security of information communicated using these tools currently does not always comply with the HISF; this needs to be addressed.
Fax is an analogue technology that is widely used by health agencies. A common use case is transmission of prescriptions in a legally compliant and clinically assured way between a prescribing physician and receiving pharmacist. Fax poses a number of information and physical security risks and the technology is becoming increasingly incompatible with more modern digital communications solutions.
1 Health Information Privacy Code [Rule 5]
The Ministry of Health and ACC(2) have collaborated to provide this guidance to support health agencies address the security of e-mail and fax communications. It should be noted that this advice represents an initial step in improving the technical security of these communications; further advice will be forthcoming. This guidance also does not address user generated security issues that agencies should be mitigating through effective cybersecurity user education.
Health agencies are expected to implement the following guidance. The Ministry of Health will with work agencies to support the implementation of this guidance and to provide learnings for subsequent updates. Health agencies should engage with their technology suppliers for additional advice and support in implementing this guidance.
1. All health sector agencies must enable opportunistic Transport Layer Security (TLS) version 1.2 or later, on e-mail servers that make incoming or outgoing e-mail connections over public internet infrastructure no later than January 2020 and advise the Ministry of Health when they have done so (email@example.com).
2. New analogue fax machines should not be purchased, with immediate effect.
3. Health agencies should implement one of the following digital alternatives to the use of analogue fax(3) for external communication no later than December 2020 and advise the Ministry of Health when they have done so (firstname.lastname@example.org):
a. Migrate use of analogue fax to fully digital, security assessed, communication solutions such as e-mail of scanned documents, secure messaging or cloud hosted secure collaboration platforms; or
b. Utilise the “scan-to-e-mail” capability on a multi-function device (MFD)(4) to scan documents and send them as e-mails (compliant with the secure e-mail requirement in point 2 above).
Ministry of Health and Accident Compensation Corporation June 2019