Sunday, July 16, 2017

Has The ADHA Not Kept The Right And Left Hand In Synch – It Rather Looks Like It.

We had this appear yesterday from the ADHA.

Fact Check: Security of My Health Record

Created on Friday, 14 July 2017

What is My Health Record?

My Health Record is a secure online summary of your health information. An individual can control what goes into it, and who is allowed access. Individuals can choose to share their health information with their doctors, hospitals and other healthcare providers.

Why is there a need for a digital record system?

One in three General Practitioners (GPs) will see a patient for whom they have little or no health information. Many patient records are created as paper files. They are regularly transmitted between healthcare providers using unsecure email, fax machines and by post. The My Health Record offers health professionals secure digital access to a patient’s record at the point of care, wherever that may be.
There are significant benefits of My Health Record for all Australians. These include avoided hospital admissions, fewer adverse drug events, reduced duplication in diagnostic tests, better coordination of care for people seeing multiple healthcare providers, and better informed treatment decisions.
Following unanimous support by all State and Territory governments, the Government will expand My Health Record and create a record for every Australian, unless they prefer not to have one.

The Health Sector Supports My Health Record

‘We all want the My Health Record to work. It has the potential to support much better patient care, particularly when your patients see another doctor or health care provider.’
  • The Royal Australian College of General Practitioners (RACGP) includes helpful case studies on their website on the benefits of My Health Record for GPs:
‘The RACGP has been an advocate for a national shared electronic health record system and understands the clinical benefits of healthcare providers accessing healthcare information not available via normal communications channels.’
‘Community pharmacy, as the most accessible community health care destination, has always been at the forefront of digital innovation and an opt-out model for the operation of My Health Record will enable community pharmacies to enhance their patient care.’

How does My Health Record system protect people’s health information?

My Health Record legislation provides protections for privacy of medical information in the system. The Agency, as the system operator, is responsible for the security of the My Health Record system.
The Agency have in place a comprehensive set of people, process, and technology controls to protect health records from a cyber-attack. The system has bank strength security which ensures information is stored and accessed by only trusted connected health systems.
The system complies with the Australian Government requirements for storing and processing protected information, and is regularly tested and audited to confirm that these requirements are met.
The Agency’s Cyber Security Centre continually monitors the system for evidence of unauthorised access. This includes utilising specialist security real-time monitoring tools that are configured and tuned to automatically detect events of interest or notable events. Examples of this include:
  • Overseas access by Consumers and Healthcare Providers
  • Multiple failed logins from the same computer
  • Multiple logins within a short period of time
  • Logins to the same record from multiple computers at the same time
  • High transaction rate for a given Healthcare Provider
  • Certain instances of after business hours access and all instances of emergency access.
The Cyber Security Centre regularly reviews the events of interest based on its knowledge of the likely threats to the My Health Record and updates them accordingly.
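Several of the events of interest listed above can be expressed as sliding-window rules over an access log. The following is an added illustration, not part of the ADHA fact sheet or the Agency's tooling; the event fields, the thresholds and the five-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed values for illustration; the fact sheet publishes no thresholds.
WINDOW = 300      # seconds treated as "a short period" / "the same time"
MAX_FAILED = 3    # failed logins from one computer within WINDOW
MAX_TX = 5        # record accesses by one provider within WINDOW

# Constructed sample events: (epoch_seconds, kind, device, provider, record)
EVENTS = [
    (0, "login_fail", "pc-1", "prov-A", None),
    (20, "login_fail", "pc-1", "prov-A", None),
    (45, "login_fail", "pc-1", "prov-A", None),
    (60, "access", "pc-2", "prov-B", "rec-9"),
    (90, "access", "pc-3", "prov-C", "rec-9"),
] + [(1000 + 10 * i, "access", "pc-4", "prov-D", f"rec-{i}") for i in range(5)]


def _push(queue, ts, value, window):
    """Append (ts, value) and drop entries older than the window."""
    queue.append((ts, value))
    while queue[0][0] <= ts - window:
        queue.popleft()


def detect(events, window=WINDOW):
    """Return (rule, subject, timestamp) alerts in time order."""
    fails = defaultdict(deque)    # device   -> recent failed logins
    rate = defaultdict(deque)     # provider -> recent record accesses
    readers = defaultdict(deque)  # record   -> recent (time, device) pairs
    alerts = []
    for ts, kind, device, provider, record in sorted(events, key=lambda e: e[0]):
        if kind == "login_fail":
            _push(fails[device], ts, device, window)
            if len(fails[device]) == MAX_FAILED:  # fires as the count is reached
                alerts.append(("failed_logins", device, ts))
        elif kind == "access":
            _push(readers[record], ts, device, window)
            if len({dev for _, dev in readers[record]}) > 1:
                alerts.append(("concurrent_devices", record, ts))
            _push(rate[provider], ts, record, window)
            if len(rate[provider]) == MAX_TX:
                alerts.append(("high_rate", provider, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```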

How do healthcare providers protect your health information?

Every time a healthcare provider accesses a My Health Record, a log is automatically created. This allows an individual to monitor every access to their My Health Record in real time, with complete transparency.
An individual’s Medicare card number does not allow My Health Record information to be accessed; additional information is required to authenticate consumers and health care providers.
Healthcare organisations can only access an individual’s My Health Record if they:
  • are directly involved in the individual’s care;
  • have a healthcare provider certificate installed (either with NASH HPI-I or HPI-O certificate) on the device that they are using to access the record;
  • have a valid username and password; and
  • have the Record Access Code (RAC), if an individual has enabled restrictions.
Any software that connects to the system undergoes automated checks to ensure that it conforms to the system requirements and has authority to access the information. Write access to My Health Record is only available to healthcare provider organisations via approved clinical software.
If a person were to deliberately access an individual’s My Health Record without authorisation, criminal penalties may apply. These may include up to two years in jail and up to $126,000 in fines.

What controls do individuals have?

A person can arrange to be notified by email or SMS when a healthcare provider organisation accesses their record for the first time. The individual can also view a real time log of every access to their My Health Record by a provider organisation.
Individuals can control what information is in their My Health Record, and which healthcare provider organisations can access their record. A range of privacy controls are available including:
  • Setting a Record Access Code (RAC) which the individual can give to their healthcare provider organisation to allow access to their record, and prevent other healthcare providers from access unless in an emergency
  • Flagging specific documents in their record as ‘limited access’, and controlling who can view
  • Removing documents from view within their record
  • Asking healthcare providers not to upload information and, under the My Health Records Act 2012, healthcare providers must comply with this request.
For more information on managing access, privacy and security of your My Health Record visit www.myhealthrecord.gov.au or call 1800 723 471.

Download 'Factsheet: Security of My Health Record'

Here is the link:
Clearly the message that is intended is that we have it all utterly in hand and – to quote a now dead politician – ‘Don’t you worry about that!’
But then we have this that appeared also last week:

Australian Digital Health Agency MOU Biannual Report 2016-2017 for the period ending 31 December 2016

Mr Tim Kelsey
Chief Executive Officer
Australian Digital Health Agency
Level 25, 56 Pitt Street
Sydney NSW 2000
Dear Mr Kelsey
I am pleased to provide you with the biannual report for the period ending 31 December 2016, in accordance with section 3.3 of Schedule 1, section 3.3 of Schedule 2 and section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Australian Digital Health Agency, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.
If you have any queries relating to the report, please contact Melanie Drayton on [contact details removed].
Yours sincerely
Angelene Falk
Deputy Commissioner
21 March 2017
Here is the link to the total report:
Here we discover (about ½ way down the full report) the following:

Details of mandatory data breach notifications relating to the My Health Record system

Mandatory data breach notifications received during the reporting period

The OAIC received two mandatory data breach notifications from the System Operator during the reporting period, in September 2016 and December 2016. It involved the unauthorised access of a healthcare recipient’s My Health Record by a third party. The review of these notifications was ongoing as at 31 December 2016.
The OAIC also received eighteen mandatory data breach notifications from DHS during the reporting period.
  • Eleven notifications resulted from findings under the Medicare compliance program that certain Medicare claims in the name of a healthcare recipient but not made by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 92 breaches, each of which affected a separate healthcare recipient. Seven of these data breach notifications have been closed, totalling 67 breaches, and the review of the other four notifications, totalling 25 breaches, was ongoing as at 31 December 2016.
  • A further seven notifications, affecting fourteen healthcare recipients, eight with a My Health Record and six without, relate to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner. Review of these notifications was ongoing as at 31 December 2016.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into ten data breach notifications received from DHS between April 2016 and October 2016. These data breach notifications relate to the findings under the Medicare compliance program discussed above.
The OAIC requested further information from DHS regarding the data breaches. Following consideration of the additional material and response provided by DHS, the OAIC considers that DHS has acted appropriately in assessing those incidents, sought to cancel the relevant My Health Records and sought to contact affected individuals.

Mandatory data breach notifications received in previous reporting periods and still open

Two of the data breach notifications received by the OAIC prior to 1 July 2016 were still open at 31 December 2016. These data breach notifications relate to intertwined Medicare records and affected four healthcare recipients and two My Health Records.
-----  End extract.
So not only do we have breaches of the myHR but they don’t seem to be rapidly investigated and resolved.
Go figure – but it is hardly bolstering the confidence of those who have also been a little disquieted by the Medicare Number leaks of last week.
Not very professional as far as I can see, and just what was the point of discussing how many entities love the myHR in the same document?
David.

9 comments:

Anonymous said...

and just what was the point of discussing how many entities love the myHR in the same document

You need to listen to Tim more than twice to understand that it's blah blah blah, extract where someone said, blah blah, data is good, blah blah, someone once said it was potentially, blah blah, don't ask me to explain data of health, blah blah, some other random story.

It's simply 101 propaganda. If you tell a fib big enough and keep repeating it, people will eventually come to believe it. The misrepresentation can be maintained only for such time as the State can shield the people from the political, and/or economic consequences of the claims.

Bernard Robertson-Dunn said...

re "My Health Record is a secure online summary of your health information"

This is the biggest lie. Anyone reading this and who doesn't know the reality, would think that MyHR is a summary of their health information - after all, that's what it claims.

A more accurate assertion would be:

"My Health Record is a place where a patient can store a summary of their health information. The patient is responsible for keeping this information accurate, complete, relevant and up-to-date. They do this in conjunction with their nominated service provider, usually their GP. If they do not keep it accurate, complete, relevant and up-to-date, there is a possibility that their health care may suffer or be less efficient while discrepancies are resolved.

Anyone who has access to the My Health Record system can see a patient's Shared Health Summary; it is not possible to put any access controls on this document."

Bernard Robertson-Dunn said...

Gee, the misinformation buzzing around MyHR is amazing.
MyHR, at best is a transport mechanism. Most, if not all the data in MyHR either exists elsewhere or is a copy of data held elsewhere. Even the SHS is usually uploaded from a GP's medical practice system.

How many people know what the legislation says about a patient's health data that is available elsewhere? Try this:

"Division 3—Prohibitions and authorisations limited to My Health Record system

"2) If health information included in a healthcare recipient’s My Health Record can also be obtained by means other than by using the My Health Record system, such a prohibition or authorisation does not apply to health information lawfully obtained by those other means, even if the health information was originally obtained by using the My Health Record system."

In other words, when it comes to most health data in MyHR all privacy and security provisions that protect MyHR data are off.

The government only hints at this on its website by saying that if data is downloaded to a GP's system then security and privacy is a matter for the GP's system.

And while we are on about the fawning institutions, have a look at what some others said to the government about the proposed changes to the legislation:

The Royal Australian and New Zealand College of Psychiatrists (ANZCP)
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/consultation-submissions/$FILE/079%20-%20RANZCP.PDF

The Health Information Management Association of Australia (HIMAA)
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/consultation-submissions/$FILE/106%20-%20HISA%20&%20HIMAA(2).PDF

The Australian Federation of AIDS Organisations
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/consultation-submissions/$FILE/086%20-%20Australian%20Federation%20of%20AIDS%20Organisations.DOCX

Australian Privacy Foundation
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/consultation-submissions/$FILE/060%20-%20Australian%20Privacy%20Foundation.PDF/

Anonymous said...

Hi Bernard, not exactly groups that should be ignored. I do not get a sense many of these recommendations were carried forward. I wish this was another country we were watching

Bernard Robertson-Dunn said...

In March 2016 the eHealth Working Group (EHWG) circulated for review a draft National Digital Health Strategy for Australia, July 2016 - June 2019

EHWG was, for all intents and purposes, the Department of Health, which was, for all intents and purposes, Paul Madden.

The Australian Privacy Foundation made a submission, which is available here:
https://www.privacy.org.au/Papers/DoH-DigHlthStrat-160414.pdf

We drew the attention of the Department to many submissions and attempts to provide feedback, including those referenced earlier. It will be interesting to see if the ADHA is any better than the Department of Health/EHWG, especially when it comes to listening to others.

The key points were:

The Purpose and Audience are Unclear

The Document Lacks Flow, Coherence and Analysis

There is no critical assessment of the National E-Health Strategy, 30th September, 2008

There is no mention of the review of the Personally Controlled Electronic Health Record system by Mr Richard Royle released in December 2013

There is no mention of the published submissions to the Department of Health last June regarding the proposed eHealth legislation

There is no mention of the opt-out trials of the registration of people into the My Health Record

There is no mention of the concerns raised by The Parliamentary Joint Committee on Human Rights and the Senate Standing Committee for the Scrutiny of Bills

There is no check-point assessment of the cost/benefit of the Personally Controlled Electronic Health Record/My Health Record initiative after nearly four years of operation.

Anonymous said...

A lot of fuss over not much, hackers are not interested in seeing your health information they are interested in identity theft, the My Health Record will be of little interest

Anonymous said...

5:55 PM That is a relief, I was worried the My HR had a use for someone, glad you cleared that security and privacy concern up

Anonymous said...

July 18, 2017 5:55 PM. Sorry but that has to be one of the most misinformed states I have seen or heard for a long time. Wherever you picked up that view from you should delete immediately and seek out someone who can better inform you. That is in fact a very dangerous message to be communicating.

Anonymous said...

@ 8 July 5:55 PM. Perhaps this might help you - https://www.protenus.com/blog/a-virtual-goldmine-why-criminals-target-patient-data-part-2

There are many simple to understand websites and literature that may also enlighten you.

Scale this to a national EHR wrapped in government processes and complex relationships and I can guarantee a person of 35 with two children under 10, will be relying on their great grandchildren to finally repair the damage.