Print

The principles of secure communication using public key encryption were uncovered 40 years and have been implemented in medical communication in Australia for over 25 years.

The details of the process, asymmetric encryption, are well described and cryptography is an increasingly important area of computer science. Online explanations abound and vary from the very technical  to the overly simplified. The latter appearing trivially so at times.

Most end users merely want to know that their communication is secure and that the padlock in their browser or email client means something.

While the technology is freely available, the implementation has proven too difficult for most users to perform on their own. Large companies buy commercial solutions or devote internal departments solely to this issue.

In the Australian medical scene a number of commercial secure messaging organisations provide this service. The Federal Department of Health also runs these systems for Medicare billing, the My Health Record and online web access.

By design these systems are incompatible. While this has the effect of limiting damage from a cyberattack, it does put an increased burden on medical practices in maintaining multiple encryption clients on their own servers.

The general public is increasingly familiar with secure internet interactions and commerce. Online banking, travel and accommodation are routine. Online publications and entertainment have shut down newsagents, libraries, newspapers and cinemas. Federal and State governments prefer online communication with the public for cost and efficiency reasons.

The passage of the Notifiable Data Breaches (NDB) scheme in February 2018 put medical practitioners in a difficult spot. While wanting to increase online communication with their patients they face increased penalties if there should be cyber theft of their patients’ data.

In recent times some solutions have become available for use by individuals and small businesses. These solutions are web based and can overcome the difficulty of creating keys for public key encryption. They also address the security issue of stolen passwords by implementing two factor authentication.

For several years medical software has allowed practices to retain patients’ email addresses and mobile phone numbers for SMS messaging. Secure practice to patient communication is now a reality by combining these technologies.

Many patients will be familiar with these techniques through their online banking experience. A financial transaction is not completed until a pin code sent separately by SMS is entered by the customer into the confirmation box on the web page.

In the case of secure email communication, the practice sends the patient an email link that takes them to a secure website. The patient visits the link and can decrypt the communication and any associated attachments by using a pin number that has been sent to them by SMS. All encryption and decryption is done at the end points, the practice’s and the patient’s browsers.

The system is also suitable for transferring large attachments such as a complete electronic medical record between surgeries. It is faster, more accurate and more secure than any of the off line alternatives.

No system is foolproof but new technologies that are both simple to use and cryptographically secure provide a welcome alternative to printing the entire patient record.

Dr David Guest spoke at the NoRDocs Unconference
in Lismore on 30 June, 2018 

Slides