Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Tuesday, September 19, 2017

I Wonder Where The Truth Lies In All This - It Is Not Clear To Me.

Tim Kelsey gave a prepared opening statement to the Senate Enquiry on The Medicare Data Breach on Friday afternoon.
Here is the transcript:
Finance and Public Administration References Committee - 15/09/2017
Protection of personal Medicare information
Mr Kelsey: If I could, first of all, thank the committee for giving us an opportunity to explain the security protocols for My Health Record, in particular, and note that we're here really just to consider item C in the terms of reference:
c. the implications of this breach for the roll out of the opt-out My Health Record system;
The Australian Digital Health Agency was established in July 2016 by all the governments of Australia, and, as I mentioned, is responsible not only for the system operations of the My Health Record but also for the implementation of the National Digital Health Strategy, which was agreed by the governments of Australia in August. If I can initially say that there has been no security breach of the My Health Record and that there is no direct or technical connection between the HPOS system and the record system. There has in fact never been a security breach of the My Health Record system in its five years of operation, with the system currently containing over five million records. At the moment we have on a voluntary basis 5.1 million Australians who have registered to have a My Health Record.
I'm responsible as chief executive officer of the agency for the day-to-day operation of the system, including ensuring that all our legislative requirements are met. In May this year the federal government of Australia announced its commitment for continued and improved operation of the My Health Record system. Significantly, the announcement included a transition to an opt-out model by the end of 2018. This followed unanimous support at the COAG for a national rollout with a My Health Record to be created for every Australian unless they tell us they don't want one.
The transition to opt out will bring forward benefits many years sooner than the current opt-in arrangements. It's the fastest way to realise the significant health and economic benefits of My Health Record through, for example, reduced hospital admissions, reductions in adverse drug events, reduced duplication of diagnostic tests, better coordination of care for people seeing multiple healthcare providers and, of course, more control in the hands of the patient and the citizen of their health and wellbeing.
I believe there has been a conflation of issues surrounding the incident which is the subject of today's hearing and the security of My Health Record. I would like to just address some of that commentary by briefly outlining the security features of My Health Record, if that would be helpful to the committee. First of all—we can discuss this in more detail—we operate to the very highest levels of security, as you can imagine, in terms of cyberprotection. My colleague, Mr Kitzelmann, can detail shortly more about the actual protocols we operate to, but we'll perhaps come back to that. What I wanted to dwell on is the way in which the My Health Record system actually operates if you are a healthcare practitioner and to reassure members of the committee that there is a very rigorous process of protection against unauthorised access into the My Health Record in the way the process, the standard, is designed.
In summary, firstly, in order to access a My Health Record, a healthcare provider needs significantly more information than just the Medicare number. In fact, they would need at least five items of personal information in addition to the Medicare number to be able to access a My Health Record. Secondly, a healthcare provider accessing My Health Record has to have a unique identifier for themselves and also be uniquely attributed to an organisation that they are working for in health care. Thirdly, they need to access the record through what's called conformance software. This is software which we accredit at the Australian Digital Health Agency and which performs a number of checks on the identity and authentication of an individual, a patient, as well as on their healthcare provider, before they are able to access a My Health Record. Fourthly, currently, of course, all people who are registered for a My Health Record have volunteered to do so; they have provided their consent to make medical information where appropriate available to a clinical practitioner who is treating them. There are access controls under the My Health Records Act 2012 which individuals have the right to exercise. These are an important set of protections which allow an individual citizen to, for example, mask a particular clinical document from view, should they choose to; put a PIN number on their entire record and can decide whether or not a particular clinician has access to it; and also, in collaboration with their practitioner, elect not to have a document uploaded into My Health Record. Those, in broad terms, are the protections which mean that a Medicare number on its own cannot suffice for access to the My Health Record and, more importantly, that Australia really is setting a standard globally in providing patients with very important rights to control access to their confidential medical information. I will leave it there by way of introduction, if that's okay. Thank you.
----- End Extract.
The link is here:
See especially the bolded text.
This is to be contrasted with this:
Here we discover (about ½ way down the full report) the following:

Details of mandatory data breach notifications relating to the My Health Record system

Mandatory data breach notifications received during the reporting period

The OAIC received two mandatory data breach notifications from the System Operator during the reporting period, in September 2016 and December 2016. It involved the unauthorised access of a healthcare recipient’s My Health Record by a third party. The review of these notifications was ongoing as at 31 December 2016.
The OAIC also received eighteen mandatory data breach notifications from DHS during the reporting period.
  • Eleven notifications resulted from findings under the Medicare compliance program that certain Medicare claims in the name of a healthcare recipient but not made by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 92 breaches, each of which affected a separate healthcare recipient. Seven of these data breach notifications have been closed, totalling 67 breaches, and the review of the other four notifications, totalling 25 breaches, was ongoing as at 31 December 2016.
  • A further seven notifications, affecting fourteen healthcare recipients, eight with a My Health Record and six without, relate to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner. Review of these notifications was ongoing as at 31 December 2016.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into ten data breach notifications received from DHS between April 2016 and October 2016. These data breach notifications relate to the findings under the Medicare compliance program discussed above.
The OAIC requested further information from DHS regarding the data breaches. Following consideration of the additional material and response provided by DHS, the OAIC considers that DHS has acted appropriately in assessing those incidents, sought to cancel the relevant My Health Records and sought to contact affected individuals.

Mandatory Data breach notifications received in previous reporting periods and still open

Two of the data breach notifications received by the OAIC prior to 1 July 2016 were still open at 31 December 2016. These data breach notifications relate to intertwined Medicare records and affected four healthcare recipients and two My Health Records.
----- End Extract.
So are there any breaches or not?
Hard to say….
Comments welcome!
David.

8 comments:

Bernard Robertson-Dunn said...

Tim says:

"There are access controls under the My Health Records Act 2012 which individuals have the right to exercise. These are an important set of protections which allow an individual citizen to, for example, mask a particular clinical document from view, should they choose to;"

However,
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/privacy-statement
says
"My Health Record allows you to limit access to documents within your My Health Record (except for the Shared Health Summary, Personal Health Summary or advance care planning information)"

Isn't misleading a senate committee a bit risky? Maybe he doesn't realise he is being misleading. Whatever the case, what he says is not what the government's own website says.

He then goes on to say:

"... and can decide whether or not a particular clinician has access to it; and also, in collaboration with their practitioner, elect not to have a document uploaded into My Health Record. "

As we all know by now, you can't put access controls on a document based upon an individual clinician, only the institution for which the work.

And if he is relying on the fact that they could ask a practitioner not to upload a particular document such as an SHS, then I would argue that this is not the same as masking a document.

He does seem to be a bit muddled in what is saying. Maybe someone should tell him the facts of life about MyHR.

Anonymous said...

I recall at time of Luanda it got supposedly hacked, around the same time the soft launch reveal 60% of the build had been deferred. The prepared speech says more about how little will be open, transparent and believable going forward, hopefully it's a first date politeness thing.

Anonymous said...

The speech does seem to highlight some interesting perspectives, had it not been so obviously pre written and rehearsed, (guessing it was not read our), I would be less concerned. It demonstrates perhaps a more serious insight, that being the numerous technical, security and policy advisors to the CEO and yet to grasp what they are playing with.

Anonymous said...

From a care.factor this rates low for me, as has been demonstrated by a number of technology provider in this space, the MyHR concept is being made redundant it will simply continue and create intractable ethical, legal and regulatory issues. The Governments of Australia have a role, just not enforcing solutions that creat more problems than it solves

jbeltman said...

He comes straight out of the gate and tries to control the discussion and to tell the committee what they want to talk to him about, i.e. item C - the implications for roll out, and not, for example, item D 'Australian government data protection practices as compared to international best practice;'.

http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Finance_and_Public_Administration/medicareinformation

Garry said...

Maybe Martin King should interview him on A Current Affair........ it would be a bit more probing than the Senate Committee. Besides, Mr King is not known for embracing the muddled message syndrome.

Anonymous said...

Question: as providers of clinical systems of all shapes and sizes start deploying to the cloud, and the Government (hence) MyHR restricted in what cloud personal health information can be stored where, in this new era where seamless transferring of documents takes place, am I at risk now through the MyHR of having personal information suck from the MyHR into a cloud based system that is hosted somewhere that has less of a care factor about data stored within its sovereignty? Or will every connect device and system be subject to government classifications?

A innocent question, I just can't workout the consent model or divisions of accountability

Anonymous said...

8:04 AM, interesting questions, afraid I am not best placed to answer. It is great that this site allows such questions to be posted knowing there are people out there who can provide insight. Pity we don't have a national entity that is this open and inviting. Fancy 100 million a year funding David.