GPNZ backs stronger national assurance following Phase One MMH inquiry findings
SECTOR UPDATE - General Practice New Zealand
General Practice New Zealand (GPNZ) welcomes the shared conclusions of three reports into the Manage My Health (MMH) privacy breach, saying the findings reinforce the need for a coordinated, system-wide approach to privacy and security across the health sector.
“With these recommendations in place, we expect to see rapid and meaningful system improvements that will ensure the protection of patient information, with clear standards and accountability,” says GPNZ Deputy Chair Justin Butcher.
As the Ministry of Health report says, the experience ‘should serve as a call to action for the health sector, and New Zealand organisations more broadly, to improve cyber security controls and governance’.
GPNZ endorses the Ministry’s recommendation that ‘Health NZ comprehensively review and uplift its third-party risk management practices’.
“This is a clear theme across the separate reports that needs urgent action. One of the most significant recommendations of the Privacy Commissioner’s report is the call for the Ministry of Health to establish a centralised and ongoing programme to verify that key health sector vendors are meeting appropriate security standards,” says Mr Butcher.
“A nationally coordinated assurance function will help create greater consistency, clearer accountability and stronger confidence across the system, while reducing duplication and avoiding unrealistic compliance expectations being placed on frontline providers.”
GPNZ had an opportunity to provide feedback to the Office of the Privacy Commissioner during the inquiry process, and it is positive to see the final report acknowledge the practical limitations general practices face when dealing with complex security and contractual arrangements with vendors – issues the sector has raised for some time.
The OPC’s recommendation to consider amendments to the Privacy Act to ensure third-party technology vendors have direct obligations for maintaining appropriate privacy and security safeguards is a sensible and practical step.
“Small businesses such as general practices should not be left relying solely on contractual remedies when IT providers fail to meet appropriate standards,” says Mr Butcher.
General practices already understand the obligations they have around privacy and information security, with PHOs continuing to work alongside practices to support that work.
“Today’s findings reinforce the importance of regularly reviewing security settings, processes and governance arrangements, alongside stronger national assurance and better support for general practice.”
GPNZ has been working alongside Health NZ to develop practical resources for the sector, including a cyber security checklist and guidance for safe information sharing practices.
While the reports acknowledge the efforts of Health NZ and MMH in responding to the breach, GPNZ said there also needed to be stronger recognition of the extensive response led by PHOs and general practices across the country.
“Primary care teams carried a significant operational and relationship burden throughout this incident,” says Mr Butcher.
“Practices and PHOs were heavily relied on to support patients, respond to concerns, provide reassurance, gather information and help resolve issues in real time, at considerable time and cost.”
“That work was critical to maintaining patient trust and supporting the overall system response, and future breach response planning needs to properly recognise and incorporate the role of primary care.”
The safe sharing of health information is a vital element of modern healthcare, which, unfortunately, hackers will continue to try to exploit. The MMH breach was a wake-up call for us all, and these inquiries reinforce the additional elements we need to put in place to ensure the protection of that data.
GPNZ will continue working collaboratively with the Ministry of Health, Health NZ and its members to support ongoing improvements across the sector.
“This is about building a safer, more resilient and more trusted digital health system for patients and practices alike.”
Source: General Practice New Zealand media release
Sector updates are provided by organisations to eHealthNews.nz and have not necessarily been edited or checked for accuracy. Any queries should be directed to the organisation issuing the release.