Wednesday, August 08, 2018

It’s Been A Pretty Big Week For Health Data Breaches. What Does It All Mean For The myHR?

First we had the news that the private health sector were the data beach front-runners.

 “Yet another wake-up call”: Privacy Commissioner releases new data breach report, with health sector top of the list

Lynne Minion | 31 Jul 2018
The healthcare sector has topped the list for data breaches once again, with the Office of the Australian Information Commissioner releasing its delayed quarterly report into the Notifiable Data Breaches scheme, with most caused by malicious conduct and human error.
According to the report released today, 49 notifications of data breaches in healthcare were made from April to 30 June 2018, surpassing the finance sector’s 36 notifications. A total of 242 notifications were received during the quarter.
Included within the healthcare component were breaches reported by online booking app HealthEngine, which connects to the Federal Government’s My Health Record, and Family Planning NSW.
The report shows 59 per cent of data breaches were caused by malicious or criminal attacks (142 notifications), with the majority of those linked to the compromise of credentials such as usernames and passwords.
Thirty-six per cent of breaches were the result of human error such as sending emails containing personal information to the wrong recipients.
System faults caused 12 notifications.
One breach affected over 1 million Australians, 52 notifications involved the personal information of 100 to 1000 people, 61 per cent of the data breaches related to the details of 100 or fewer individuals, while 38 per cent affected up to ten people.
The report only covers private healthcare providers, with public hospitals and health services not included.
Lots more here:
In the second of three we had a very messy paper breach.

NSW Government criticised after hundreds of medical files found abandoned in derelict aged care building

3 August, 2018
Privacy advocates are demanding the New South Wales Government explain how hundreds of medical files were left abandoned in a derelict building south of Sydney.

Key points:

  • New South Wales Health says it is investigating the matter
  • It says the site was accessed illegally
  • ABC sources maintain the building was not secured
The privacy breach, uncovered in a triple j Hack and ABC News investigation, is believed to be one of the largest of its kind in Australian history.
The documents date from 1992 to 2002 and were found at the former Garrawarra Centre for Aged Care in Helensburgh.
New South Wales Health said it was investigating the matter and that the site was surrounded by signs warning of asbestos and was illegally trespassed.
ABC sources maintain the building was not secured and was being accessed by members of the public.
The Australian Privacy Foundation's health committee chair, Dr Bernard Robertson-Dunn, said an appropriate explanation was needed.
More here:
Lastly SA Health chimed in with a fun – and long lasting – breach.

Thousands of SA children's medical test results online for 13 years: SA Health

4th August, 2018.
SA Health has revealed that thousands of children's medical test results have been publicly available online for the past 13 years.
The data with the names, date of birth and test results for about 7,200 pathology tests was embedded in a document on the Women's and Children's Hospital website from 2005.
It was removed in 2006, but two other document-storing websites kept it available until Thursday, when the department's IT security teams asked them to remove the data.
Cached versions of those documents were online until yesterday.
The test results related to patients who were treated at the hospital for respiratory infection, gastro or whooping cough between 1996 and 2005, Women's and Children's executive director of corporate services Phil Robinson said.
More here:
And for clarity we had this from the ADHA:

Statement on notifiable data breaches

Thursday, August 2, 2018 - 15:15
In the operation of the My Health Record, the Australian Digital Health Agency (the Agency) has reconfirmed there has not been a security or privacy breach, meaning that there has been no unauthorised viewing of any individual’s health information.
There are now close to six million people who have chosen to have a My Health Record.
The system has been operating for six years.
To ensure transparency, the Agency must report notifiable data breaches to the Information Commissioner and will continue to do so.
Last year, six cases were reported – these occurred due to either alleged fraudulent Medicare claims or administrative processing errors.
It was these items which were previously published by the Information Commissioner.
However, these is no evidence that any of these cases led to unauthorised viewing of any individual’s health information.
In the context of the My Health Record system, a notifiable data breach must be reported when data may have been accessed or viewed by someone who does not have appropriate authorisation. Errors of this type have occurred due to either alleged fraudulent Medicare claims or administrative processing errors.
security breach occurs where the system or data is accessed by bypassing the security controls in place, for example if a person were to break the authentication controls and gain access to a record for which they don’t have authorisation.
This has never occurred for the My Health Record system and there have been no security breaches detected in six years of operation.
 Here is the link:
What can we make of all this?
1. Humans are humans and by accident or design data breaches are inevitable – it is not if, but when, in the case of any system that holds any significant amount of personal data.

2. Paper breaches are messy but electronic breaches can leak much more data more quickly and typically do much more damage.

3. With recent evidence from here, Singapore and elsewhere (the US health system in particular) to be kidding ourselves the myHR is immune is simply placing our bum up and our head firmly in the sand.

4. The ADHA has not quite grasped that a breach, is a breach, is a breach and is playing silly semantic games.

5. When you have a lot of private systems handling health information there will be variation in the quality of the terminal security and at least some of those may be accessing the myHR with obvious implications. The ADHA does not talk much about this risk but it is there big time - as is human abuse of myHR data access by 'rogue' professionals.

Can’t we all get real, accept that breaches are inevitable, work to prevent and mitigate them and decide on a reasonable considered basis whether to opt-out / cancel our myHR record depending on our own risk profile and how much happier we would be with a myHR vs. a health summary in our wallet.
David.

9 comments:

  1. I am sure the ADHA is making great use of the top selling Legislation for Dummies. But I agree David toying with semantics is childish and not doing them any favours. I don’t think Timmy gets the Common thread we all share - we all know BS when we see it, it’s inherent in us all regardless of the path taken to get here.

    or administrative processing errors. Which translates as someone discovered a file that was not theirs. Who ever file it was probably did not authorise the accidental recipient to read the file, which the must have to determine it was not theirs.

    ReplyDelete
  2. Out of interest, with so many calling the ADHA and whyHR, and a significant powerhouse of thought leaders amoungst them. Has a series of discussion been setup to discuss the implications of the current and changing decisions in a public forum with webcasting?

    ReplyDelete
  3. I understand this blog has many views and is a well known site by many influential people in healthcare. The debate around the MyHR has become another victim of a broader erosion of open and balanced debate. In recent times debate has been hijacked by extreme views at both ends of a spectrum. Many with differing views are branded blasphemous.

    Anyway, I just wanted to provide a bit of a risk perspective on the management of personal information in healthcare, which is around the 9th poorest sector when it comes to security.

    Healthcare data breaches often expose highly sensitive information, from personally identifiable information such as Medicare numbers, names, and addresses to sensitive health data such as identifiers, health insurance information, and patients’ medical histories.

    The motives behind cyber attacks on healthcare companies are clear: hospitals, urgent care clinics, pharmacies, health insurance companies, and other healthcare providers keep records of very valuable information – more “juicy details” that can be used for identity theft than almost any other industry. What’s more, the healthcare industry is widely regarded as having rather weak security.

    Identity theft, based on an Accenture report cover the US identified an average personal cost of $2,500 out-of-pocket expenses. Even worse, half of the survey respondents reported that they learned of the breach themselves – as opposed to an official company or government notification – after they had been alerted to an error on their , savings, credit card statement, or similar documents.

    These are sobering facts, especially when you consider the broad reach of the healthcare industry; nearly everyone has healthcare records somewhere within the healthcare system.

    With the consolidation of this information into a central database which is it seem part of a broader set of interrelated and trusted systems and unconfirmed number of end points coupled with healths general lacked approach, one has to ask the government why they are doing this?

    For the CEO of ADHA, he should get his head out of the 80’s and this fixation with a physical fax machine and have a look at the modern Information Age

    ReplyDelete
  4. "one has to ask the government why they are doing this?"

    Follow the money.

    The government funds health care in Australia. Therefore it is probably reasonable to assume they are most interested in what impacts them.

    They already have statistical data but not granular data.

    MMBS/PBS data is granular but not a lot of information on what medical decisions/events they relate to. myhr goes some way to revealing this.

    The important thing to the government is not the patient's health but the behaviour of health providers. Step 1 is to identify decision patterns, step 2 is to modify it. W
    hat can the government learn most from myhr data? GP decision making patterns.

    Thus the Health Department's Behavioural Economics & Research Team (BERT).
    http://www.health.gov.au/internet/main/publishing.nsf/Content/behavioural-economics-research in collaboration with the government wide Behavioural Economics Team of the Australian Government (BETA)

    Their first experiment probably used PBS data rather than myhr data (after all there's not much of it)

    For more advanced work they need more granular data. Where can they get it? Only one place. myhr.

    IMHO, that's their ultimate goal. The story that its all about individuals taking charge of the health or lifesaving access to myhr in A&E just doesn't stack up.

    To take another angle, the government has been trying to get financial institutions to share credit and other data. It's called Open Banking. The narrative is spookily similar to that of myhr.

    "some of the benefits of open banking for the consumer would include:

    * aggregation of key accounts and services including status;

    * the ability to bring a consumers financial data to wherever they are, such as into a messaging service, Alibaba or Amazon;

    * the pre-filling of forms and applications using actual data e.g. mortgage application or payment directly to a supplier or retailer.

    There is a caveat. “The security standards and process of certification will be critical to ensure consumer privacy and security is managed in the transfer of data,” Eriksson says.

    This is the crux of the issue: systems need to be in place to ensure that our data is kept secure, and consumers need to be confident that these systems are safe and robust.

    'It's reasonable to say that uptake is going to be slow initially but very fast when it gets going' "
    https://www.smh.com.au/money/banking/open-banking-is-coming-but-australians-are-sceptical-20180807-p4zw0t.html

    My question is this: This is a similar problem to that of fragmented health data. Why did the government go for a different. i.e. distributed solution based upon data exchange (interoperability), rather than a myhr style centralised database?

    Answer. Because the government has no interest in the detailed financial transactions or status of individuals. They don't want to monitor or control the individuals or financial institutions - it's not government money. All they want to do is increase competition.

    Anyway they can get at much of the financial transaction data by other means.

    They need granular data in health but not in open banking. Hence different solutions.

    If the government really cared about improving health they would introduce a sugar tax. Not only would it improve health, it would raise money.

    Follow the money.

    ReplyDelete
  5. This following piece is a sober view of the troubled system

    My Health Record — a flawed initiative
    Information Technology Professionals Association (ITPA)

    Tim Kelsey has made a right royal stuff-up. I would go as far as to believe that his negligence is prepare the system has placed many people’s live and livelihood at grave risk, including our children who are probably at the greatest risk.

    ReplyDelete
  6. Here is the link for the article mentioned above:

    https://www.technologydecisions.com.au/content/information-technology-professionals-association/article/my-health-record-a-flawed-initiative-83304796

    Well worth a read.

    David.

    ReplyDelete
  7. @August 08, 2018 8:54 PM. When you say - For the CEO of ADHA, he should get his head out of the 80’s and this fixation with a physical fax machine and have a look at the modern Information Age

    Do you mean something like this

    https://www.venturebeat.com/2018/08/08/apple-says-ios-health-records-has-over-75-backers-uses-open-standards/amp/

    ReplyDelete
  8. 8:49 PM that is a great milestone for Apple. I and most of my family use the Apple health app that comes with the iPhone. My parents who travel a fair bit find it really useful. Dad lost his phone once and simply deleted it remotely and loaded the data back on a replacement. Thought it was the best thing since the remote control.

    This does raise the issue, is the MyHR actually blocking user based innovation?

    I also note today the change.org petition hit 50k.

    https://www.change.org/p/greg-hunt-mp-make-my-health-record-opt-in

    ReplyDelete
  9. > is the MyHR actually blocking user based innovation

    yse, as is clear if you look around the world at what's happening elsewhere. Choosing to build a solution rather than a platform has always been recognised as a government grab to control innovation. And the professional societies are conflicted on this because they have the same agenda: owning control. User innovation will always have big head winds in health.

    ReplyDelete