Friday, October 26, 2018
This Is The Best Coverage Of Just How Badly The ADHA Has Failed With The Opt-Out Process I Have Read!
This appeared last week.
A lesson from the Australian Government.
Privacy missteps are eroding the public’s trust in the Government’s ability to achieve ambitious digital projects, and risking trust in the very notion of government itself.
The corrosive effects of privacy debacles are cumulative, with hashtag-worthy government disasters like #Censusfail colliding in public consciousness with the re-identification of MBS/PBS data, bumping up against the cruelty of #Robodebt and the stupidity of declaring a war on maths, and flaring into outrage at a Minister’s unpunished disclosure of a welfare recipient’s personal information to a journalist.
Each privacy catastrophe eats away at the public’s trust in successive government projects, before they even get off the ground. Reasons people have given for opting out of the My Health Record system have included fear of misuse by the government of the day, citing both Robodebt and the weaponisation of Centrelink records by Minister Tudge. And then in turn, mistrust in My Health Record has been referenced in multiple submissions to PM&C’s Issues Paper on the proposed Data Sharing & Release Bill, as a way of illustrating the dangers of proceeding without caution and due respect for privacy and security.
As tech commentator Stilgherrian noted on the day the opt-out process opened – and the system crashed because of the level of demand – “When citizens rush to opt out of an Australian government service, it says something about their levels of trust. When the system falls over under heavy load, it proves them right”.
Waleed Aly has drawn together the Government’s disregard for the privacy of individual citizens with recent revelations about political interference with the ABC: “the pact is broken… this is a time of unprecedented demands, unprecedented capitulations and inevitably, unprecedented dysfunction”. Regardless of whether you care about privacy as a human right, we all should care about the decline of community faith in democracy and our public institutions.
So how did we get here?
Taking the unfolding disaster that is My Health Record as an example, let’s examine exactly how a government manages to lose its social licence to hold or use our data.
Step 1: Shift responsibility for risk management on to the individual
Research into community expectations about privacy has shown, time and time again, that the majority of people believe that a shared electronic health record should be something a patient chooses to have. And, by the way, when asked, the majority would choose not to have one.
Why would anyone not want all the benefits of a shared electronic health record? Well, for lots of reasons, it turns out.
People who might face discrimination, harassment, family shaming, blackmail or loss of employment as a result of the sharing of their health records include mental health patients, sexual health patients, HIV patients, teenagers, women who have had terminations, people in family court disputes, and people undergoing employment-related health checks.
In some cases, it won’t necessarily be clinical records which create the risk for an individual, but the potential exposure of their home address to hundreds of thousands of people, some of whom could be intent on doing harm. This can pose a risk for victims of family violence, serving police officers, members of the armed forces or the judiciary, public figures, and foster parents and the children in their care.
The decision to shift the enrolment model for My Health Record from opt-in to opt-out was always going to be controversial, but in my view for some people it will be downright dangerous.
Without a fully informed decision by every competent individual about where their personal risk-to-benefit ratio sits, an opt-out system is a ticking time bomb. Someone is going to get hurt.
Does the government really think that every Australian adult knows that they are going to have their health information shared if they don’t opt-out by mid-November?
Some Australians will be pushed into this scenario of heightened privacy and safety risks by a government program they don’t even know existed. Others might know the program exists, but won’t have understood the extent to which the sharing of their My Health Record could create risks for them, because they have been lulled into a false sense of security by hollow promises about privacy protections.
And this is the central problem with making the system opt-out. It takes responsibility for making a critical decision out of the hands of the individual most affected by it. An opt-out approach to a shared eHealth record is paternalistic government, and paternalistic healthcare, at its worst.
But it also shifts responsibility for managing privacy risks onto the individual, who did not necessarily choose to be in the system, and who may not be fully informed about the risks. Because to be fully informed, we as citizens, and we as patients, need thorough explanations about how the system works, and how it might impact on each of us, both good and bad. Those explanations need to be available in multiple languages, for teenagers, for the elderly, for people with intellectual disabilities. Not ads on buses, or substance-free glossy brochures gathering dust on the GP’s reception desk.
Step 2: When people raise privacy concerns, talk about security instead
This tactic is straight from the #Censusfail playbook. Whenever anyone, from journalists to members of the public to privacy advocates, starts to ask questions about privacy (like: Why should you have my information? and What are you going to do with it? and Who will have access to it, under what conditions, for what purposes?), completely ignore those valid questions and talk about information security instead.
Step 3: When people keep raising privacy concerns, give them spin instead of truth
Of course, it turns out that those claims by Health Minister Greg Hunt about bank-grade security and military-grade security are just spin. Worse, the Minister’s claims that there have been ‘no data breaches’ are demonstrably false.
Legitimate concerns have been raised about access to the record by third parties, from medical professionals not involved in the patient’s care, to law enforcement agencies and insurance companies. (Insurance companies have not done the government any favours, with both NIB and Medibank openly salivating at the prospect.)
The official line has been to hose down those concerns, suggesting that no such thing is possible. But note the slippery language used by both the Minister and the Australian Digital Health Agency (ADHA) on this issue. They talk about who “can” or who is “allowed” or “authorised” to access a patient’s My Health Record, which is not the same as “for whom it is actually possible”. For example, in response to questions about insurers gaining access, ADHA told the media that the “only healthcare providers authorised to access a healthcare recipient’s information in a My Health Record are those who are providing healthcare to the individual.” Similarly, the main My Health Record information page for individuals says only that “any providers who are involved in your care can see this information”; it doesn’t explain how the system knows (or doesn’t know) who is actually ‘involved in your care’, and doesn’t explain whether providers not involved in your care are also capable of accessing your record.
As the journalist noted, ADHA “did not respond to a question about whether a health fund with a member’s consent and with the purpose of providing health advice, could access that person’s My Health Record”. Given the scope of section 66 of the My Health Records Act, the privacy concerns about this type of scenario seem entirely valid.
But to my mind, even more worrying is the ease with which something like 900,000 people who work in the healthcare system will have access to patient records in the My Health Record system. While the law says that those workers should only access your file if you happen to be their patient at the time, the system has not actually been designed that way. The controls on access are much looser than the public has been led to believe.
Journalists have exposed the reality. The only details that one of those 900,000 or so healthcare workers needs to know about you, in order to gain access to your My Health Record, are your name, gender and date of birth.
(While in theory, the authorised user also needs to know your Individual Healthcare Identifier, they can find that out from the first nine digits of your Medicare card number. And if they don’t know your Medicare card number, they can use a different system, HPOS, to look up your Medicare card number, based only on your name, date of birth and gender. It was the ease of access via HPOS which led to Medicare card details being found for sale on the dark web.)
Just let that sink in for a bit. Name, date of birth and gender is all that stands between your health record and its misuse. If I was a nurse for example, I would already know, or be able to quickly find out, the name, date of birth and gender of my ex-partner; certainly my friends and family members; maybe my neighbours, colleagues, members of my basketball team or book club, and perhaps even that teacher who has been giving my kid bad grades; and no doubt plenty of celebrities, politicians and sports stars. And as a result, I could look up their My Health Record, even if they had never set foot in the hospital where I work.
We all know that the law is not enough to stop privacy breaches. Some people will be motivated by curiosity, greed, revenge, jealousy, hatred or the pursuit of power or a political agenda to look up and misuse a patient’s record, even when they know they are not supposed to. Even when the law says it is illegal. Even when they have been warned they could be sacked. It happens in hospitals now. It happens in police forces. It happens in banks.
Some people will do the wrong thing. If you really care about protecting customers’ privacy, you build in technical controls, and enforce a security culture, to make attempted misuse as difficult as possible. But that’s not the way My Health Record has been designed.
For ADHA to respond to these risks with the statement that “It is illegal for non-authorised staff to access medical information of any sort” is disingenuous at best, and downright misleading and dangerous at worst.
It is about as naïve and useless as building a bank vault with an unlocked door and no alarms, but telling customers their money will be safe because it is illegal to steal.
Making something illegal isn’t enough; the My Health Record system design should actively prevent the likelihood of misuse with proper security controls.
Step 4: Pressure or silence critics
When claims by the Minister and ADHA that law enforcement access would require a warrant were contradicted by everyone who could be bothered reading what the legislation actually allowed, from the Queensland Police Union to journalists, advocates and the non-partisan Australian Parliamentary Library, the Department of Health complained and had the Library remove then edit its article to remove elements contradicting the Minister, while the Minister called journalists to tell them they were wrong.
Of course, the critics were right, and the Minister had to quickly draw up legislation to amend the law so that it would do what he had said it already did.
Mind you, Minister Hunt only acted once the peak medical profession bodies started advocating for patient privacy in relation to law enforcement access. The medical profession has not been so strong on advocating for better access controls on doctors themselves, so that issue has been ignored.
The back-downs by critics have been achieved even at an individual level. Coalition MP Tim Wilson caused a stir when on 23 July he announced he had opted out, and said “my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt into a system rather than have to go through the process of opting out”.
But once the Minister said he would introduce legislation about limiting law enforcement access, Wilson suddenly changed his tune and on 31 July tweeted “Elated the Health Minister will fix Labor’s flawed MyHealth legislation. These changes address the principle concerns I had with MyHealth”.
Wilson’s position ignores the fact that it was his own Government which made the switch from opt-in to opt-out that he had ‘instinctively’ reacted against, and the ‘fixes’ proposed by Minister Hunt didn’t reverse that position at all.
There is much more here covering points 5 to 9:
If you read through the full blog and are not amazed at the scale of the mishandling of the opt-out process I will be very surprised.
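The access-control point in Step 3 above is a design argument, not just a legal one: a record system that opens a file to any registered user who knows a patient's name, date of birth and sex is relying on the law to deter misuse, whereas a system that checks for an actual care relationship (or a code the patient has chosen to hand over) and flags everything else for audit is relying on a technical control. The following is an added illustration of that contrast, written for this page; it is not code from the My Health Record system or the ADHA, and the identifiers, the "care episode" register, the patient-set access code and the sample people are all constructed assumptions used only to make the two policies runnable side by side.

```python
"""Two authorisation policies for a shared health record, side by side.

Constructed example for this page. The data model, identifiers and the
patient-set access code are assumptions; nothing here is the real system.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Patient:
    ihi: str   # stand-in for an Individual Healthcare Identifier (fictional value)
    name: str
    dob: date
    sex: str


@dataclass(frozen=True)
class Clinician:
    provider_id: str  # assumed label for the clinician's own identifier
    org: str          # healthcare organisation the clinician works for


@dataclass(frozen=True)
class CareEpisode:
    ihi: str
    org: str          # organisation currently delivering care to this patient
    active: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class RecordStore:
    patients: dict                                      # ihi -> Patient
    episodes: list                                      # CareEpisode entries
    access_codes: dict = field(default_factory=dict)    # ihi -> patient-set code (assumption)
    audit: list = field(default_factory=list)

    def _resolve(self, name, dob, sex):
        """Demographic search: name + date of birth + sex and nothing else."""
        return [p for p in self.patients.values()
                if p.name.casefold() == name.casefold() and p.dob == dob and p.sex == sex]

    def _log(self, clinician, ihi, decision, flagged=False):
        # Every lookup is recorded; 'flagged' marks entries a reviewer should see.
        self.audit.append((clinician.provider_id, clinician.org, ihi,
                           decision.allowed, decision.reason, flagged))

    def access_demographic_only(self, clinician, name, dob, sex):
        """Policy A: any registered clinician who knows the three demographics
        gets the record. Misuse is illegal but nothing technical prevents it."""
        matches = self._resolve(name, dob, sex)
        if len(matches) != 1:
            return Decision(False, "no unique demographic match")
        decision = Decision(True, "demographic match by registered user")
        self._log(clinician, matches[0].ihi, decision)
        return decision

    def access_relationship_gated(self, clinician, name, dob, sex, access_code=None):
        """Policy B: the record opens only if the clinician's organisation has an
        active care episode with the patient, or the patient has supplied their
        access code. Anything else is denied and flagged for audit review."""
        matches = self._resolve(name, dob, sex)
        if len(matches) != 1:
            return Decision(False, "no unique demographic match")
        patient = matches[0]
        in_care = any(e.ihi == patient.ihi and e.org == clinician.org and e.active
                      for e in self.episodes)
        code_ok = access_code is not None and access_code == self.access_codes.get(patient.ihi)
        if in_care:
            decision = Decision(True, "active care episode at requesting organisation")
        elif code_ok:
            decision = Decision(True, "patient-supplied access code")
        else:
            decision = Decision(False, "no care relationship and no access code")
        self._log(clinician, patient.ihi, decision, flagged=not decision.allowed)
        return decision

    def flagged_lookups(self):
        return [entry for entry in self.audit if entry[5]]


def build_demo_store():
    """Constructed sample data: two fictional patients, one fictional hospital."""
    patients = [
        Patient("IHI-0001", "Alex Citizen", date(1985, 3, 14), "F"),
        Patient("IHI-0002", "Sam Example", date(1970, 11, 2), "M"),
    ]
    episodes = [CareEpisode("IHI-0002", "Riverside Hospital")]   # Sam is a patient there; Alex is not
    store = RecordStore({p.ihi: p for p in patients}, episodes)
    store.access_codes["IHI-0001"] = "4821"                      # Alex has set a code (assumed feature)
    return store


def demo():
    """A nurse at Riverside knows Alex's demographics but has never treated her."""
    store = build_demo_store()
    nurse = Clinician("PRV-001", "Riverside Hospital")
    a = store.access_demographic_only(nurse, "Alex Citizen", date(1985, 3, 14), "F")
    b = store.access_relationship_gated(nurse, "Alex Citizen", date(1985, 3, 14), "F")
    c = store.access_relationship_gated(nurse, "Sam Example", date(1970, 11, 2), "M")
    d = store.access_relationship_gated(nurse, "Alex Citizen", date(1985, 3, 14), "F", access_code="4821")
    return a, b, c, d, store.flagged_lookups()


if __name__ == "__main__":
    for label, decision in zip("abcd", demo()[:4]):
        print(label, decision.allowed, decision.reason)
```

Under Policy A the nurse's lookup of someone who has never set foot in the hospital succeeds and leaves only an ordinary audit line; under Policy B the same lookup is refused and lands in the flagged list, while the genuine patient and the patient who chose to share a code are still served. The point is the one the article makes: the difference between "allowed" and "possible" is decided by the authorisation check, not by the statute.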
Posted by Dr David G More MB PhD at Friday, October 26, 2018