“ONLINE MEDICAL DATA/RECORDS : ADDRESS LEGAL WEAKNESSES AND ENFORCEMENT MECHANISMS”
Jeong Chun Phuoc, 10th March 2011
The recent concerns raised in “Concern over abuse of online medical records” (NST, 2011/02/23) and “Health service: Ensure security of online records” (NST, 2011/03/01) are real and, if not managed properly in an age of expanding cybercrime, may open a floodgate of unintended dangers, litigation and suffering.
These perceived dangers, however, can be ameliorated and addressed effectively by two methodologies:
1) Legal Protection and Measures, and 2) Online Security Protection and Safeguards.
Malaysia has the most comprehensive law pertaining to the protection of online data, by virtue of the new Personal Data Protection Act 2010, which arrived after a long 10-year journey.
The substantive principles, comprising Notice and Choice; Disclosure; Security; Retention; Data Integrity; and Access, are remarkably exemplary, as they follow the EU data protection standard.
However, the devil is in the details in terms of enforcement and inherent weaknesses.
One major weakness is that the PDPA applies only to personal data processed within Malaysian jurisdiction.
Enforcement is weak because there are currently no clear guidelines, apart from the 3-month transition period for industry compliance.
It is therefore imperative that the Ministry of Information, Culture and Communications (MICC) take immediate action to provide detailed guidelines, codes of practice, etc. to ensure practical online security compliance.
There are no agreed standards of online data protection in the current system, as these standards vary from company to company. In this regard, the recent announcement by the Health Ministry that medical records will be online by 2015 must be viewed seriously (“Medical records online by 2015”, NST, 2011/02/22).
As the concerns centre on possible leaks, unauthorised access, illegal use, etc., including hacking, there is a serious need for the Ministry of Health and the appointed service provider to manage these risks by establishing a stable and robust online security system/database architectural framework.
By virtue of the “Security Principle” in section 9 of the PDPA 2010 (section 9: “A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction”), the government could require that these critical websites adopt the highest level of web security safeguards, such as those currently adopted by the banks.
With increased online security features, ‘unbreakable’ multi-level encryption approaches, etc., the concerns relating to illegal or unauthorised access to and download of personal health data from online databases could be minimised, if not eliminated.
Jeong Chun Phuoc
Expert Consultant in Environment and Taxation
An advocate in Strategic Environment and Taxation Intelligence (SETI),
an advocate in Syariah Blue Ocean Strategy (sBOS) in ASEAN,
a Reader in Syariah Intelligence (CSI)
He can be reached at Jeongphu@yahoo.com
* The above professional analysis is the writer’s personal view and in no way represents the view/position of the research institutes/thinktanks/organisations to which he is currently attached.