Geekzone: technology news, blogs, forums


Aaroona

3204 posts

Uber Geek
+1 received by user: 169


#293800 14-Feb-2022 12:08

I'm enrolled at a doctor's practice which enabled an online portal a couple of years ago - something I support. This portal allowed for a patient (user) to enable 2FA on their account.

 

Given that in this account I am able to request repeat prescriptions, see test results (blood panels, etc.), update personal information, see allergies, among other things, it seems pertinent to want a 2FA/MFA option on this publicly hosted website.

 

Sometime in the last year (I don't visit the doctors often) they migrated to a new website - appears to be the same system underneath, maybe just updated. But a different domain name and *almost* none of the information from the previous website has been migrated (aside from username, password (!!), repeat prescriptions and a couple of other things). Any new information will be uploaded to this new site - (hosted on AWS... Can an NZ health service host patient information on public cloud not located in NZ?).

 

This new website does not have any 2FA options. So my account is accessible via username/password combo only.

 

Additionally, the old website is still up and available, which means they have another copy of my data hosted somewhere else.

 

 

 

My questions at this stage are;

 


1. As the specific patient data pertains to me, does this mean I effectively own that data on both sites?
2. Assume yes to point 1, has anyone successfully opened a dialogue with their provider to discuss their data-hygiene and life cycle practices? Is there a general process for this?
3. Can a health service host patient records in a non-NZ based server? 
   3a. They are at least using the Australian AZ/Sydney DC, so less concerned, but still curious.

 

 

 

My main concerns here are; 

 

- A move backwards in security with no 2FA in place now for my critical health information.
- No notification (as far as I'm aware) of any move to a new service... less concerned with this one.
- General knowledge of some bad practices when it comes to health and law (firm) services in IT, so want to make sure things are good, particularly as they now have multiple copies of my data hosted on multiple public websites, hosted on different services.

 

 

 

I have also sent an email to the website owner to find out more info and query some things, but thought I'd also ask some questions here.


Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #2868160 14-Feb-2022 12:57

*Insert all disclaimers known to mankind here*

 

 

 

1) Data ownership will depend on what you signed when you signed up to the practice/PHO; it's a very murky area

 

2) Most clinics will point you to accreditations they have which have IT components. You're welcome to try, but it will be hit and miss depending on the clinic, who owns the clinic and the practice manager. Some clinics are very onto it and may even have an information parcel for you; others may point you to your PHO

 

3) Yes they can. Whenever data is not hosted onsite at the clinic you have frameworks like the "Health Information Security Framework" and things like the DIA's "Cloud Risk Assessment", but ultimately it falls to the clinic owners to be happy with risks. You have things like the updated "Health Information Privacy Code 2020" which don't relate directly to IT but more general things

 

 

 

As an aside, almost all of these websites have a hook into the clinic's PMS system and will often not keep data or keep data for a small amount of time to cover outages in the connection to the clinic's PMS. It's likely that this clinic has both connectors up and running. There is one PMS system in NZ that is completely "cloud" based so this doesn't apply. PM me if you want to talk specifics





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated



plas
456 posts

Ultimate Geek
+1 received by user: 59


  #2868163 14-Feb-2022 13:01

Is it Manage My Health? They have no MFA/2FA and I've inquired multiple times with no response.


evilonenz
/dev/urandom
291 posts

Ultimate Geek
+1 received by user: 152

ID Verified
Trusted
Lifetime subscriber

  #2868174 14-Feb-2022 13:10

I actually logged in to Manage My Health this morning, and under security there is a Two Step option now, however I'd warn anyone from turning it on, as instead of getting a code emailed to myself, I get a "Verify my email" link, that does absolutely nothing, all subsequent login attempts produce the same email, so I have had to email them to get this fixed! Doh.









insane
3324 posts

Uber Geek
+1 received by user: 1006

ID Verified
Trusted
2degrees
Subscriber

  #2868179 14-Feb-2022 13:14

evilonenz:

 

I actually logged in to Manage My Health this morning, and under security there is a Two Step option now, however I'd warn anyone from turning it on, as instead of getting a code emailed to myself, I get a "Verify my email" link, that does absolutely nothing, all subsequent login attempts produce the same email, so I have had to email them to get this fixed! Doh.

 

 

Meanwhile your GP is getting bombarded with email verification emails :D

 

 

 

1. As the specific patient data pertains to me, does this mean I effectively own that data on both sites?
- Don't think you own it, but can request they provide everything they have on you.

2. Assume yes to point 1, has anyone successfully opened a dialogue with their provider to discuss their data-hygiene and life cycle practices? is there a general process for this? 
- You can ask if they comply with NZISM and so forth - but realistically, given how govt accreditation processes work, they would have done this already and recorded any mitigations or future work required to beef up their security posture.
 
3. Can a health service host patient records in a non-NZ based server? 
   3a. They are at least using the Australian AZ/Sydney DC, so less concerned, but still curious.
- Yes absolutely, as long as they meet the standards required. AWS, Azure and Google have all been cleared by the DIA (as cloud providers - specific security controls etc still required).


Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #2868190 14-Feb-2022 13:27

insane:
3. Can a health service host patient records in a non-NZ based server? 
   3a. They are at least using the Australian AZ/Sydney DC, so less concerned, but still curious.
- Yes absolutely, as long as they meet the standards required. AWS, Azure and Google have all been cleared by the DIA.

 

 

 

 

Just an FYI on this they moved away from DIA/MoH approvals a little while back

 

https://www.health.govt.nz/system/files/documents/pages/changes-to-ministry-of-health-policy-cloud-computing-april2017.pdf

 

https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/cloud-computing-and-health-information

 

 






insane
3324 posts

Uber Geek
+1 received by user: 1006

ID Verified
Trusted
2degrees
Subscriber

  #2868197 14-Feb-2022 13:37

Beccara:

 

insane:
3. Can a health service host patient records in a non-NZ based server? 
   3a. They are at least using the Australian AZ/Sydney DC, so less concerned, but still curious.
- Yes absolutely, as long as they meet the standards required. AWS, Azure and Google have all been cleared by the DIA.

 

 

Just an FYI on this they moved away from DIA/MoH approvals a little while back

 

https://www.health.govt.nz/system/files/documents/pages/changes-to-ministry-of-health-policy-cloud-computing-april2017.pdf

 

https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/cloud-computing-and-health-information

 

 

 

 

Cool, I didn't even realize what the process used to be. I was referring to how the providers and DIA have a published PIA somewhere and said it's OK for agencies to use them (still required to meet any other specific controls/obligations). Edited my post above :)


plas
456 posts

Ultimate Geek
+1 received by user: 59


  #2868215 14-Feb-2022 13:52

evilonenz:

 

I actually logged in to Manage My Health this morning, and under security there is a Two Step option now, however I'd warn anyone from turning it on, as instead of getting a code emailed to myself, I get a "Verify my email" link, that does absolutely nothing, all subsequent login attempts produce the same email, so I have had to email them to get this fixed! Doh.

 

 

Good to know, looking in the mobile app it has no security options. So I wonder if that only applies to the website.

