This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Monday, April 25, 2016
The APF Identifies A Major Privacy Gap In The myHR. Another Reason To Stay Away I Believe.
This press release appeared a day or so ago. It is republished with permission.
April 21 2016
Government’s My Health Record, a Privacy Disaster
The Australian Privacy Foundation today said that the Federal Government’s My Health Record system is a privacy disaster waiting to happen. Its biggest weakness is the Medicare Call Centre with its many operators, all with potential access to My Health Record data.
In 2011 the government promised a “clear and robust framework” for the Health Records Call Centres. Five years later there are no rules or procedures in place, the necessary infrastructure or a robust framework of privacy protection.
"This total failure to deliver on its promise and put in place much needed protections exposes patients to curious Call Centre operators whose prying and spying are unlikely to be detected" said Dr Bernard Robertson-Dunn, chair of the Australian Privacy Foundation’s health committee. “This will get even worse if everyone is forced to have a My Health Record, which the Government is trying to do with its opt-out initiative.
"The Government's negligence is breathtaking considering the privacy of Call Centre access to your health data" he said.
Call Centre operators have unlimited access to patient health records to do their jobs; there has been nothing done to properly and adequately protect patient data from misuse by these operators, whether intentional or accidental.
“Health Information is highly attractive to criminals and hackers. This is a serious threat not only to patients but to Call Centre operators themselves who could potentially be pressured by outsiders to reveal health data on targeted individuals.” said Dr Robertson-Dunn.
“Prevention is better than cure. Relying on criminal and civil penalties will not protect privacy. It will only punish breaches, where they are detected.
"Acknowledging the privacy and security flaws, and fixing them all, must be the priority. The My Health Record is not safe to use as it stands, especially with the dangerous ‘Opt Out’ model creating records without prior consent." said Dr Robertson-Dunn.
With such poor privacy protections in place the Australian Privacy Foundation calls on the Australian Government to immediately stop the opt-out registration trials.
It should seriously reconsider the enormous privacy risks of its Call Centre and look at alternative designs that do not require such a potentially intrusive capability. If that means no public access, then so be it.
Dr Robertson-Dunn also said “Australians need to be aware that the system has other privacy threatening features such as that it is impossible to cancel or remove your record. You can only inactivate it.
“Unfortunately the My Health Records System is like Hotel California ‘You can check out any time, but you can never leave’” he said.
The release almost says it all - but just does not describe in enough detail the risk associated with staff having system admin level access to a huge data-base of personal sensitive information.
We have all seen stories of the clinical staff browsing the health records of celebrities and of staff stealing health credentials and then committing fraud. Of course the behaviour was not ethical or legal but it still happened and it is likely it will here too.
My advice, if you value your privacy, is to stay well away and certainly do not allow any personally sensitive information to be stored in this system.