Requirements for Information Communication (2007 Edition)

5 - Security of messaging

Page last updated: 14 January 2008

Standard

S5.1
To ensure the secure and confidential messaging of electronic pathology reports, laboratories must:
(a) ensure the completeness, accuracy and integrity of electronic messages (i.e. certainty that the message has not been altered during transmission)
(b) ensure the pathology laboratory message can be authenticated by the recipient.

Guideline

G5.1
To ensure the secure and confidential messaging of electronic pathology requests and reports, laboratories should:
(a) authenticate the originator of the pathology request
(b) acknowledge receipt of incoming messages
(c) authenticate the recipient of the pathology report.

Commentary

C5.1a
Electronic request messages cannot be considered as successfully delivered until a transport acknowledgment message has been received, confirming delivery.
C5.1b
Electronic report messages cannot be considered as successfully delivered until a transport acknowledgment message has been received, confirming delivery. It is recognised that clinical software receiving report messages may not send an acknowledgment. However, software vendors should be encouraged to include this feature in their products.
C5.1c
Laboratory acknowledgment of an electronic request does not constitute a contract to undertake services; it indicates a willingness and capability to perform or refer the requested services when appropriate specimens are received by the laboratory.
C5.1d
With faxed or SMS messaged reports, particular attention should be given to recipient authentication before transmission of the result.
C5.1e
Record of receipt of an electronic acknowledgment message forms part of the electronic patient record.

Standard

S5.2
Whenever a message is transmitted via a public network, it must be appropriately encrypted to protect the confidentiality of data and prevent unauthorised access during transmission.

Commentary

C5.2a
Data can be encrypted using accepted transport security protocols such as secure socket layer (SSL) or public key encryption mechanisms such as public key infrastructure (PKI) (e.g. HeSA or Pretty Good Privacy®). Public key encryption ensures strong authentication of sender and recipient.
C5.2b
Encryption should be considered in private networks as part of information security risk management.

Guideline

G5.2
Procedures should be in place to deal with the following circumstances:
(a) A result message returns a ‘failure’ acknowledgment message.
For example, where there is a failure to deliver a report.

(b) No acknowledgment message is received within a specified period.
The period of time to wait for an acknowledgment message may be agreed between the laboratory and receiver but in general should be no longer than one working day for routine reports. Failure to receive an acknowledgment message indicating a successful receipt should initiate a laboratory alert and possibly lead to delivery of results by another method.

(c) Urgent reports
Receipt of a ‘failure’ acknowledgment message or failure to receive any acknowledgment within an appropriate timeframe for messages containing urgent results should initiate immediate action to deliver reports through an alternative channel, such as phone or fax. In general, failure to receive a successful acknowledgment within one hour of message transmission should prompt review action by the laboratory.

(d) Clinically significant reports
These reports should be treated with a protocol similar to urgent reports (see G5.2(c)). Examples of clinically significant reports include, but are not limited to, critical abnormalities or marked and unexpected changes from previous results.

The appropriate procedures to deal with these cases should also be documented and a log maintained of such exceptions and the subsequent actions taken to ensure result delivery.