HA vows to review data security after arrests of patients

June 21, 2019 17:16
Dr. Leung Pak-yin, chief executive of the Hospital Authority, said the top priority for all medical staff is saving lives. Photo: RTHK News

The Hospital Authority has pledged to review the security of patient information following reports that several protesters against the extradition bill were arrested while seeking treatment in public hospitals following violent clashes with police on June 12.

Speaking to media on Thursday, HA chief executive Dr. Leung Pak-yin said the authority has confirmed that a protester was arrested at Yan Chai Hospital after the patient had been assigned to a ward, the Hong Kong Economic Journal reports.

Leung also said he has received reports from frontline medical staff of two other cases where protesters were arrested while waiting at the accident and emergency departments of Queen Elizabeth Hospital and Kwong Wah Hospital respectively.

The arrests happened even before their personal information had been input into the HA computer database, according to the hospital staff. 

The authority also announced the establishment of a special task group to conduct a quick and focused review of the HA information technology system, with a focus on the protection of patients' privacy and frontline staff operations.

The three-member group will review the security and privacy protection measures in the HA clinical systems, suggest areas where new approaches to securing access are required, and highlight new security technologies and practices which could enhance the security and privacy of the HA clinical systems.

The three members are Jason Yeung Chi-wai, who is the chairman of the Audit and Risk Committee of the HA Board; Professor Daniel Lai Sik-cheung from the Hong Kong Polytechnic University, who is a former government chief information officer; and Stephen Lau Ka-men, the city's first privacy commissioner for personal data.

The special task group is expected to complete its review and submit a report to the authority in three months' time, the HA said.

Dr. Pierre Chan Pui-yin, a lawmaker who represents the medical functional constituency, told a news conference on Monday that he had received complaints from medical staff that police officers had been able to access the HA patient database for information on protesters who had sought treatment in public hospitals.

The staff said police were able to obtain patients' personal information from the database without having to type a password to access the system. The data included names, identity card numbers, phone numbers, age as well as time and date of treatment of the patients.

Leung on Thursday reiterated that the HA patient database has no connection with the police computer system, and that all computers and the Accident and Emergency Information System (AEIS) in the accident and emergency department are for the exclusive use of public hospital staff.

As an additional measure to protect the privacy of patients, the HA has suspended the “report” and “print” commands in the “Disaster” module of the AEIS. 

From Thursday, staff members must use their personal password via the Clinical Management System to view or print the list of patients of major incidents reported on the AEIS.

The HA chief also stressed that the top priority for all medical staff is saving lives, which means that they should not let individuals who are not family members of patients interfere with their work, adding that they should seek help from their superiors if there is such interference.

Leung said he has also told Police Commissioner Stephen Lo Wai-chung via a phone call about the concerns of frontline staff regarding the arrest of people under their care.

In another development, Leung told reporters that the HA suffered a cyber attack on Wednesday.

He said no patient data was compromised as a result of the attack, which lasted three hours, RTHK reported.

Meanwhile, news circulating online said the Hong Kong Adventist Hospital in Tsuen Wan refused to treat an injured demonstrator but advised the person to go to Yan Chai Hospital before reporting to the police.

In its defense, the private hospital told media that it normally does not handle cases related to legal disputes, adding that patients involved in such cases are referred to a public hospital.
