Monday, April 25, 2016

The APF Identifies A Major Privacy Gap In The myHR. Another Reason To Stay Away I Believe.

This press release appeared a day or so ago. It is republished with permission.
April 21 2016
—Media Release—

Government’s My Health Record, a Privacy Disaster


The Australian Privacy Foundation today said that the Federal Government’s My Health Record system is a privacy disaster waiting to happen. Its biggest weakness is the Medicare Call Centre with its many operators, all with potential access to My Health Record data.
In 2011 the government promised a “clear and robust framework” for the Health Records Call Centres. Five years later there are no rules or procedures in place, the necessary infrastructure or a robust framework of privacy protection.
"This total failure to deliver on its promise and put in place much needed protections exposes patients to curious Call Centre operators whose prying and spying are unlikely to be detected" said Dr Bernard Robertson-Dunn, chair of the Australian Privacy Foundation’s health committee. “This will get even worse if everyone is forced to have a My Health Record, which the Government is trying to do with its opt-out initiative.
"The Government's negligence is breathtaking considering the privacy of Call Centre access to your health data" he said.
Call Centre operators have unlimited access to patient health records to do their jobs; there has been nothing done to properly and adequately protect patient data from misuse by these operators, whether intentional or accidental.
“Health Information is highly attractive to criminals and hackers. This is a serious threat not only to patients but to Call Centre operators themselves who could potentially be pressured by outsiders to reveal health data on targeted individuals.” said Dr Robertson-Dunn.
“Prevention is better than cure. Relying on criminal and civil penalties will not protect privacy. It will only punish breaches, where they are detected.
"Acknowledging the privacy and security flaws, and fixing them all, must be the priority. The My Health Record is not safe to use as it stands, especially with the dangerous ‘Opt Out’ model creating records without prior consent." said Dr Robertson-Dunn.
With such poor privacy protections in place the Australian Privacy Foundation calls on the Australian Government to immediately stop the opt-out registration trials.
It should seriously reconsider the enormous privacy risks of its Call Centre and look at alternative designs that do not require such a potentially intrusive capability. If that means no public access, then so be it.
Dr Robertson-Dunn also said “Australians need to be aware that the system has other privacy threatening features such as that it is impossible to cancel or remove your record. You can only inactivate it.
“Unfortunately the My Health Records System is like Hotel California ‘You can check out any time, but you can never leave’” he said.
Media Contact:
Dr Bernard Robertson-Dunn
Australian Privacy Foundation
Chair Health Committee
Bernard.Robertson-Dunn@privacy.org.au
APF website: https://www.privacy.org.au/
For detailed information on the My Health Record Call Centre debacle go to: https://www.privacy.org.au/Campaigns/MyHR/callcentre.html
For a rundown on all the features of the My Health Record the government doesn't speak of see: https://www.privacy.org.au/Campaigns/MyHR/info.html
 ------ End Release
Here is the link:
The release almost says it all - but just does not describe in enough detail the risk associated with staff having system admin level access to a huge database of personal sensitive information.
We have all seen stories of clinical staff browsing the health records of celebrities and of staff stealing health credentials and then committing fraud. Of course the behaviour was not ethical or legal but it still happened and it is likely it will here too.
My advice, if you value your privacy, is to stay well away and certainly do not allow any personally sensitive information to be stored in this system.
David.

14 comments:

Anonymous said...

Systems (all organisations) that access MyEHR records should do a weekly or monthly audit as to what records are being accessed and by who. Is a person accessing records at a far greater rate per hour of work? Can the MyEHR records and local records accessed be related to visits and services of the relevant patients? If not, then the records have probably been accessed illegally.
If the record is not a patient, not your patient or no visit then why are you accessing it?
When you remind staff regularly that they are being monitored then illegal access becomes very risky and quickly deterred for all but a few.
Launching an investigation only when someone complains is too late and not enough of a deterrent. ~~~~ Tim
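
One way to run the two checks suggested in the comment above, as an added example (it is not part of the original post or comments, and not code from any My Health Record system). The log layout, staff and patient identifiers, the two-day visit window and the 2x peer-median threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not real records): (staff, patient, access time)
ACCESSES = [
    ("op01", "P100", "2016-04-18 09:05"),
    ("op01", "P101", "2016-04-18 10:40"),
    ("op02", "P100", "2016-04-18 11:00"),
    ("op02", "P200", "2016-04-18 11:02"),
    ("op02", "P201", "2016-04-18 11:03"),
    ("op02", "P202", "2016-04-18 11:05"),
    ("op02", "P203", "2016-04-18 11:06"),
    ("op03", "P102", "2016-04-19 14:00"),
]
# Constructed visits/services at this organisation: patient -> dates seen
VISITS = {"P100": ["2016-04-18"], "P101": ["2016-04-17"], "P102": ["2016-04-19"]}
HOURS_WORKED = {"op01": 8, "op02": 8, "op03": 8}  # hours rostered in the audit period

def parse(ts, fmt="%Y-%m-%d %H:%M"):
    return datetime.strptime(ts, fmt)

def unexplained_accesses(accesses, visits, window_days=2):
    """Return accesses with no visit for that patient within +/- window_days."""
    flagged = []
    for staff, patient, ts in accesses:
        when = parse(ts)
        dates = [parse(d, "%Y-%m-%d") for d in visits.get(patient, [])]
        if not any(abs(when - d) <= timedelta(days=window_days) for d in dates):
            flagged.append((staff, patient, ts))
    return flagged

def rate_outliers(accesses, hours_worked, factor=2.0):
    """Return staff whose accesses per hour worked exceed factor x the peer median."""
    counts = defaultdict(int)
    for staff, _, _ in accesses:
        counts[staff] += 1
    rates = {s: counts[s] / h for s, h in hours_worked.items() if h > 0}
    baseline = median(rates.values())
    return sorted(s for s, r in rates.items() if r > factor * baseline)

if __name__ == "__main__":
    for row in unexplained_accesses(ACCESSES, VISITS):
        print("no matching visit:", row)
    print("rate outliers:", rate_outliers(ACCESSES, HOURS_WORKED))
```

A flagged row is a prompt for review, not proof of misuse: an access with no recorded visit may have a legitimate reason that the visit data does not capture.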

Anonymous said...

The Department calls it My Health Record or MHR not MyEHR. It can't be called MyHR because an American company has trade marked that name. How confusing is that?

Anonymous said...

Why don't they call it My Digital Health Record and My DHR? .. pronounced my duuhhh. The logo could be two digits pointing upwards.

Anonymous said...

wrt Tim's comment: "Can the MyEHR records and local records accessed be related to visits and services of the relevant patients? If not, then the records have probably been accessed illegally."

GP surgeries do not have the funding, resources or software to permit this to happen and it should be something that is an integral part of the record system and reflects on the poor design of the PCEHR, MyEHR or whatever they choose to call it. Many of the "architects" come from a corporate background - they need to go to a few GP surgeries and actually appreciate that there is no IT department, server room or administrator and unless the government wants to give GPs a huge boost in funding those things will never exist.

Anonymous said...

As a Company Director well versed in Board responsibilities I am very glad I am not on the Board of the two PHN's piloting the opt-out trials in NSW and QLD. I would be getting very nervous indeed.

Bernard Robertson-Dunn said...

re: "Systems (all organisations) that access MyEHR records should do a weekly or monthly audit as to what records are being accessed and by who."

Who is likely to actually access a MyHR?

A GP/medical centre isn't. They'll have their own systems. Test results, specialists reports etc will be sent directly to the GP. The MyHR specifically states:

"Healthcare providers will continue to take and review clinical notes. It is important to remember that the My Health Record system is not intended to be a communication tool – it will not replace the need to communicate important health information directly to individuals or other healthcare providers treating them."

Anyone not directly treating a patient (pathology services etc) might upload data, but apart from the out of place, out of time users (probably a very small number) nobody will need to look at a patient's MyHR.

And if there is something in the MyHR that a GP decides is useful they'll download it and put into their own eHR. Which means that all the MyHR access controls and the civil and criminal penalties in the eHealth Bill 2015 won't apply.

In most cases, as far as health professionals are concerned, the MyHR is a write only database.

The Government. Now that's a different kettle of worms.

Anonymous said...

The more I read the more concerned I become. The newly appointed Chair of the ADHA is being set up to implement the Draft Digital Health Strategy which has been predetermined by the bureaucrats - virtually a fait accompli.

As a Board Director of ADHA I'd be digging my heels in right now. The ADHA should be the one setting the strategy not Departmental bureaucrats who've demonstrated they couldn't make NEHTA work and they can't write a basic Draft Digital Health Strategy. The way the Department is approaching eHealth today is the same way they approached it when they set up NEHTA.

Yep, they set NEHTA up to fail and now they are setting up the ADHA to fail. Has the ADHA got the courage to take control and demonstrate leadership or do they fear putting their emoluments at risk should they try to do so?

Anonymous said...

If all else fails - read the disclaimer. The contents of myhealth record cannot be relied upon and doctors are excused from legal responsibility should they not consult the myhealth record... says it all. Should be sent out to all taxpayers so they know.

Anonymous said...

Re. April 26, 2016 2:06 PM "..the two PHN's piloting the opt-out trials in NSW and QLD. I would be getting very nervous indeed.".

They can't really be considered pilots because every medical practice in Australia is being driven to use the My Health Record under the practice incentive payments commencing in a few weeks. Use it or lose it - lose $50,000 that is.

Specialists aren't affected, GPs are. The pilots were conceived to lure GPs into a false sense of security until the $50,000 Health Summary ePIPs kicked in to force doctors to use MyHR. A big confidence trick? or a Gotcha or both. LOL

Anonymous said...

The Opt-Out trials won't be finalized until October at the earliest. The new ePIPs linked to Health Summaries shouldn't be introduced until the trials have been finalized and proven to work satisfactorily. Will the trials demonstrate success?

No-one knows. The government should be more cautious, there have been far too many failed healthIT projects in the last 10 years. We don't need another one.

Bernard Robertson-Dunn said...

The department has never clearly explained what the trials are supposed to test.

Is it that automatic pre-registration works?

Is it to find out how many people go to their GP, set up a nominated provider and put something in their health record?

Is it to measure how many uploads there are and if they are kept current?

Is it to find out if anyone actually accesses or downloads a MyHR because the data is useful?

Or is it to determine what the benefit is in terms of more effective and efficient health care?

According to https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/got-a-letter

"The outcomes of the trials will inform decisions expected in 2017 about future strategies for bringing forward the benefits of the My Health Record system nationally"

So maybe they will try and measure the value of the system rather than just meaningless statistics like registrations or uploads.

Anonymous said...

"The outcomes of the trials will inform decisions expected in 2017 about future strategies for bringing forward the benefits of the My Health Record system nationally".

In that case April 27, 2016 10:20 AM is absolutely correct to suggest that "The new ePIPs linked to Health Summaries shouldn't be introduced until the trials have been finalized and proven to work satisfactorily".

The Minister, the Government and the Department are being quite irresponsible by usurping the outcome of the trials. The RACGP should therefore be demanding the Health Summary ePIPs be postponed until 2017.

Anonymous said...

Usurping means:- take a position by force. That's a good description of the Department's modus operandi. Remove any semblance of choice. Force the doctors - yes, and for that matter force the ADHA Board to use the Department's Draft Digital Health Strategy.

Bernard Robertson-Dunn said...

The Department claims that Call Centre operators cannot see health data, only registration data.

However, re this page on their website:
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/privacy-statement
under "How can I contact the System Operator?"

it says


You can contact us to:
request correction of information you believe is not accurate, complete or up-to-date;


The only contact available to patients is via Medicare Call Centre operators.

If call centre operators cannot see health information, how can they correct it? The processes for correcting information have never been detailed so it is an assumption of ours that may be incorrect - on the other hand it may be correct.

It is possible that the Call Centre Operator would take a request and forward it to someone else for action. But without the robust framework they promised in 2011 or any other information, we just don't know.

Similarly, in the legislative rules document, it says (rule 21) Effective removal of records


(1) The System Operator may effectively remove, or may direct a participant in the My Health Record system to effectively remove, a record in the My Health Record system to the extent that the System Operator reasonably considers that:

(a) the record contains a defamatory statement;


If the System Operator (maybe the Call Centre, maybe not - we don't know) cannot see the contents of the health record how do they know if it is defamatory?

If only NEHTA had explained the functions and capabilities of the Call Centre, which were expressly removed from the architecture documents, and the government had followed through on its acceptance "that a clear and robust framework is required for the operation of the PCEHR system Call Centre", the government could more easily denounce conspiracy theories. Although, they may actually be true.

As it is, all they can really say now is "trust us".

The issue is not "is privacy protected?" it is "is privacy seen to be protected?"