Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Sunday, May 27, 2018

Is Tim Kelsey Telling An Untruth Here Or Am I Missing Something?

At the National Press Club last week Mr. Kelsey said the following in his prepared speech:
----- Begin Extract.
Tim Kelsey:                         My Health Record has a range of protocols which mean that all instances of access by a clinician are attributable directly to that person and recorded in real time. Unauthorised access is subject to a custodial prison sentence of up to two years. Trust is the essence of medicine. Digital services can support confidentiality and not undermine it. My Health Record operates to the highest cyber security standards in Australia, and is independently audited on that basis by a number of organisations, including the Australian Signals Directorate. The agency has set up a national cyber security centre to ensure constant multi-layered surveillance of My Health Record. Since the system was launched in 2012, there has been no breach. But, real time vigilance, of course, remains our highest priority. People are quite rightly concerned about the security of their privacy information, and that's why they have a right to make a choice. That's why the Australian government was absolutely right to introduce opt-out into this measure.
----- End Extract.
Here we have the Office of The Australian Information Commissioner (OAIC) Report for 2016-17.

Annual report of the Australian Information Commissioner’s activities in relation to digital health 2016–17

Part 1: Executive summary

From 1 July 2016, national digital health governance arrangements and My Health Record system operations transitioned from the Department of Health and the National E-Health Transition Authority to a new body, the Australian Digital Health Agency (the Agency).
This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2016–17, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act), as outlined in the 2016–17 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Agency.
The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.
More information about the MOU is provided below in section 2 of this report. The MOU can also be accessed on the OAIC’s website www.oaic.gov.au.
This was the fifth year of operation of the My Health Record system and the seventh year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.
The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. In March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales. A My Health Record was created for each individual living in those areas, unless the individual chose to opt-out of participating in the trial.
Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches. An independent evaluation of the trials commissioned by the Department of Health was conducted to look at the outcomes from these trials.
In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid–2018.
In 2016–17, the OAIC received 35 mandatory data breach notifications. These notifications recorded 140 separate breaches affecting a total of 152 healthcare recipients, 144 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period. The OAIC received two complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:
  • commencement of one privacy assessment and completion of two assessments from the previous year
  • liaising with the Agency and the Department of Health on the decision for national expansion of My Health Record in 2018
  • making submissions to various stakeholders on matters directly related to or associated with the My Health Record system. This included a submission to the Agency on the development of the National Digital Health Strategy
  • providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system
  • developing, revising and updating guidance materials for a range of audiences, including the development of My Health Record related multimedia resources for healthcare providers
  • participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board
  • monitoring developments in digital health, the My Health Record system and the HI Service.
----- End Extract.
Here is the link:
I am unable to reconcile the two bolded sentences and would be interested to know how they can be reconciled (channeling Rowena Orr QC of the Royal Commission). When is a breach not a breach etc?
Interestingly there were similar findings the previous year:
“In 2015–16, the OAIC received 16 mandatory data breach notifications. These notifications recorded 94 separate breaches affecting a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of the breaches.”
Here is the link:
I look forward to views on this repeated claim (of a breach free system)  which must make us wonder what else we are told we can take as the full and precise truth?
David.

11 comments:

Anonymous said...

Perhaps the ADHA CEO and his advisors consider a breech to be a mass harvesting of records, or the MyHR being the source of a national denial of service attack rather than having concerns for the individual.

I am not sure they can claim the record of the past 6-7 years and use that as some sort of defence. The model has changed (no longer out-in) so the conditions have changed. They will only be able to measure from the day Opt out commences as the period of time that passed before the breech of a catastrophic natures occurs. All the more serious as they have a cyber security centre and Tim claims the system is impervious to malicious attacks.

Anonymous said...

as someone pointed out the disclaimer says
the Australia Digital Health Agency does not guarantee, and accepts no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this website or on any linked site.

You can't complain when they are up front about a lack of accuracy, reliability, currency or completeness.

Trust, what trust?

Bernard Robertson-Dunn said...

And then there's this claim by Tim:

"My Health Record is a consumer controlled, secure, electronic health record that can be accessed anywhere 24/7 by a patient and their care professional"

and

"Service availability

Due to system maintenance, some channels to access and view records in the My Health Record system may be slightly interrupted between 8:00PM Saturday 26 May 2018 and 4:00PM Sunday 27 May 2018 (AEST).

During this change window, viewing some documents and new registrations to the My Health Record may not be possible. Existing consumers may be able to access and view records via mobile apps (see available apps). Healthcare providers may be unable to add new reports, update or remove existing information from your record via their connected computer systems.

We apologise for any inconvenience."

https://www.myhealthrecord.gov.au/service-availability

A generous use of weasel words: "may be slightly interrupted", "some documents ... may not be possible".

Anonymous said...

The OAIC outlines what is a breach.

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches

I will leave it to the community to ascertain if the accuracy of what is being stated by the ADHA is clear and free of ambiguity or if they are treating us like fools

Anonymous said...

Given the recent IT outages experienced by NAB and Telstra mobile, does anyone really think it is wise to rely on a centralised database system of health documents?

At least the ADHA and the AMA say to health professionals - don't rely on the system.

tygrus said...

Tim Kelsey said "...Since the system was launched in 2012, there has been no breach.."

but as reported by Healthcare IT (Lynne Minion, 25 Oct 2017):
My Health Record data breaches caused by fraudulent behaviour or human error
-----
Fraudulent behaviour or human error were responsible for My Health Record data breaches, the Australian Digital Health Agency has confirmed, following the release of the Australian privacy commissioner’s annual report containing details of the security failures.

"This year we received six data breach notifications from the My Health Record System Operator,” the Office of the Australian Information Commissioner’s annual report says.

"These notifications related to unauthorised My Health Record access by a third party."
=====
Tim Kelsey can you please explain?

Anonymous said...

Yeah-but no-but, yeah-but anyway it’s about the scourge of the fax in’it.

It is becoming harder and harder to believe much coming from ADHA. The Jurisdiction are no help they are focused on implementing policy at the coal-face and probably just see ADHA as a minor project.

Anonymous said...

1:02PM. Yes an explanation is deserved. This is not a random one off slip, to the contrary, this no breach claim is a common thread. ‘Tell a big enough lie often enough and people will believe it’ is shallow and deceitful at best. It has no place in Australia. The Minister needs to front up and explain

Anonymous said...

The Minister has no idea what is going on. Neither has Jim Birch, Chair of the ADHA.

Anonymous said...

The MSIA has naively and blindly lead its Members over a huge crevasse despite repeated warnings.

Bernard Robertson-Dunn said...

If anyone is interested, this is a link to an industry briefing presentation on the test beds tender:

https://www.youtube.com/watch?v=0kktkptEKrg

The repeated objective of the test beds project is to identify benefits of My Health Record. Not costs, not risks, not to evaluate My Health Record, just identify benefits.

As it says on slide 16 (21’30”):

"Their purpose is to promote innovation to address Australia’s highest priority health challenges, generating evidence of how the new approaches improve health outcomes"

As the tender says:
"This is REI process is intended to enable the Agency to establish test bed projects that will produce evidence of the positive impact of new digitally-enabled services and models of care, and demonstrate that they are sustainable and scalable."

and:

"The first tranche of test beds should include use of the My Health Record system and how it can be utilised to create new, digitally-enabled services and models of care, particularly where these can be rapidly implemented or are already underway."

It is interesting to compare ADHA's approach to test beds with that of Sheffield Hospitals. I have an affinity with Sheffield hospitals/university, it is where I did my PhD in computer modelling the human intestine.

https://www.digitalhealth.net/2016/07/sheffield-test-bed-aims-to-create-perfect-patient-pathway/

From the web site

"The project has run a series of engagement workshops with GPs, community nurses, social workers and the public to inform people about what is involved and what it hopes to achieve. There are plans to recruit a number of expert patients with experience and understanding of living with a long-term condition to act as the public voice.

Haigh said that involving patients in decisions about the technologies was essential: “Our absolute intention, wherever possible, is to work on the principle of co-production. This is not about forcing technologies on people who don’t want to embrace it or understand the benefits, it’s about working with populations to help them help us shape whether technologies can help or not.”

Wendy Tindale, scientific director at Sheffield Teaching Hospitals and acting senior responsible officer for the programme, said that the project didn’t require people to be “hugely digitally-enabled” to participate: “Some of the things we’re looking at are very simple and straightforward, such as an automated phone call.”

The test bed will start deployment on a small scale within the next three months. The technologies, which include sensors, wearables and smartphone apps, are designed to help people remain independent by monitoring mobility, risk of falls and general wellbeing. Participants will be able to nominate friends and family to receive automatic alerts if the technology identifies a problem requiring support.

Data from the devices will be collated and analysed to inform the co-ordination of care, both for individuals and groups, ..."

It looks very much as though ADHA is doing catch-up. The original PCEHR business case probably didn't have much in the way of a description of how PCEHR would or could be used or how it would deliver benefits and at what cost.

Now they have built it, the government is desperately looking to justify it. They call it innovation; it looks much more like confirmation bias to me.

All a bit backwards.

And finally, slide 19 (30’52”):

Models of Care Interventions – Kingdom of Saudi Arabia

Is our government seriously going to take a similar approach to health care as that of Saudi Arabia?