Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Friday, October 26, 2018

This Is The Best Coverage Of Just How Badly The ADHA Has Failed With The Opt-Out Process I Have Read!

This appeared last week.

How to corrode your social licence in nine easy steps

A lesson from the Australian Government.
Privacy missteps are eroding the public’s trust in the Government’s ability to achieve ambitious digital projects, and risking trust in the very notion of government itself.
The corrosive effects of privacy debacles are cumulative, with hashtag-worthy government disasters like #Censusfail colliding in public consciousness with the re-identification of MBS/PBS data, bumping up against the cruelty of #Robodebt and the stupidity of declaring a war on maths, and flaring into outrage at a Minister’s unpunished disclosure of a welfare recipient’s personal information to a journalist.
Each privacy catastrophe eats away at the public’s trust in successive government projects, before they even get off the ground. Reasons people have given for opting out of the My Health Record system have included fear of misuse by the government of the day, citing both Robodebt and the weaponisation of Centrelink records by Minister Tudge.  And then in turn, mistrust in My Health Record has been referenced in multiple submissions to PM&C’s Issues Paper on the proposed Data Sharing & Release Bill, as a way of illustrating the dangers of proceeding without caution and due respect for privacy and security.
As tech commentator Stilgherrian noted on the day the opt-out process opened – and the system crashed because of the level of demand – “When citizens rush to opt out of an Australian government service, it says something about their levels of trust.  When the system falls over under heavy load, it proves them right”.
Waleed Aly has drawn together the Government’s disregard for the privacy of individual citizens with recent revelations about political interference with the ABC: “the pact is broken… this is a time of unprecedented demands, unprecedented capitulations and inevitably, unprecedented dysfunction”. Regardless of whether you care about privacy as a human right, we all should care about the decline of community faith in democracy and our public institutions.
So how did we get here?
Taking the unfolding disaster that is My Health Record as an example, let’s examine exactly how a government manages to lose its social licence to hold or use our data.
Step 1: Shift responsibility for risk management on to the individual
Research into community expectations about privacy has shown, time and time again, that the majority of people believe that a shared electronic health record should be something a patient chooses to have.  And, by the way, when asked, the majority would choose not to have one.
Why would anyone not want all the benefits of a shared electronic health record?  Well, for lots of reasons, it turns out.
People who might face discrimination, harassment, family shaming, blackmail or loss of employment as a result of the sharing of their health records include mental health patients, sexual health patients, HIV patients, teenagers, women who have had terminations, people in family court disputes, and people undergoing employment-related health checks.
In some cases, it won’t necessarily be clinical records which create the risk for an individual, but the potential exposure of their home address to hundreds of thousands of people, some of whom could be intent on doing harm.  This can pose a risk for victims of family violence, serving police officers, members of the armed forces or the judiciary, public figures, and foster parents and the children in their care.
The decision to shift the enrolment model for My Health Record from opt-in to opt-out was always going to be controversial, but in my view for some people it will be downright dangerous.
Without a fully informed decision by every competent individual about where their personal risk-to-benefit ratio sits, an opt-out system is a ticking time bomb.  Someone is going to get hurt.
Does the government really think that every Australian adult knows that they are going to have their health information shared if they don’t opt-out by mid-November?
Some Australians will be pushed into this scenario of heightened privacy and safety risks by a government program they don’t even know existed.  Others might know the program exists, but won’t have understood the extent to which the sharing of their My Health Record could create risks for them, because they have been lulled into a false sense of security by hollow promises about privacy protections.
And this is the central problem with making the system opt-out.  It takes responsibility for making a critical decision out of the hands of the individual most affected by it.  An opt-out approach to a shared eHealth record is paternalistic government, and paternalistic healthcare, at its worst.
But it also shifts responsibility for managing privacy risks onto the individual, who did not necessarily choose to be in the system, and who may not be fully informed about the risks.  Because to be fully informed, we as citizens, and we as patients, need thorough explanations about how the system works, and how it might impact on each of us, both good and bad.  Those explanations need to be available in multiple languages, for teenagers, for the elderly, for people with intellectual disabilities.  Not ads on buses, or substance-free glossy brochures gathering dust on the GP’s reception desk.
Step 2: When people raise privacy concerns, talk about security instead
This tactic is straight from the #Censusfail playbook.  Whenever anyone, from journalists to members of the public to privacy advocates, start to ask questions about privacy (like: Why should you have my information? and What are you going to do with it? and Who will have access to it, under what conditions, for what purposes?), completely ignore those valid questions and talk about information security instead.
Step 3: When people keep raising privacy concerns, give them spin instead of truth
Of course, it turns out that those claims by Health Minister Greg Hunt about bank-grade security and military-grade security are just spin.  Worse, the Minister’s claims that there have been ‘no data breaches’ are demonstrably false.
Legitimate concerns have been raised about access to the record by third parties, from medical professionals not involved in the patient’s care, to law enforcement agencies and insurance companies.  (Insurance companies have not done the government any favours, with both NIB and Medibank openly salivating at the prospect.)
The official line has been to hose down those concerns, suggesting that no such thing is possible. But note the slippery language used by both the Minister and the Australian Digital Health Agency (ADHA) on this issue.  They talk about who “can” or who is “allowed” or “authorised” to access a patient’s My Health Record, which is not the same as “for whom it is actually possible”.  For example, in response to questions about insurers gaining access, ADHA told the media that the “only healthcare providers authorised to access a healthcare recipient’s information in a My Health Record are those who are providing healthcare to the individual.”  Similarly, the main My Health Record information page for individuals says only that “any providers who are involved in your care can see this information”; it doesn’t explain how the system knows (or doesn’t know) who is actually ‘involved in your care’, and doesn’t explain whether providers not involved in your care are also capable of accessing your record.
As the journalist noted, ADHA “did not respond to a question about whether a health fund with a member’s consent and with the purpose of providing health advice, could access that person’s My Health Record”.  Given the scope of section 66 of the My Health Records Act, the privacy concerns about this type of scenario seem entirely valid.
But to my mind, even more worrying is the ease with which something like 900,000 people who work in the healthcare system will have access to patient records in the My Health Record system.  While the law says that those workers should only access your file if you happen to be their patient at the time, the system has not actually been designed that way. The controls on access are much looser than the public has been led to believe.
Journalists have exposed the reality.  The only details that one of those 900,000 or so healthcare workers needs to know about you, in order to gain access to your My Health Record, are your name, gender and date of birth.
(While in theory, the authorised user also needs to know your Individual Healthcare Identifier, they can find that out from the first nine digits of your Medicare card number. And if they don’t know your Medicare card number, they can use a different system, HPOS, to look up your Medicare card number, based only on your name, date of birth and gender.  It was the ease of access via HPOS which led to Medicare card details being found for sale on the dark web.)
Just let that sink in for a bit.  Name, date of birth and gender is all that stands between your health record and its misuse.  If I was a nurse for example, I would already know, or be able to quickly find out, the name, date of birth and gender of my ex-partner; certainly my friends and family members; maybe my neighbours, colleagues, members of my basketball team or book club, and perhaps even that teacher who has been giving my kid bad grades; and no doubt plenty of celebrities, politicians and sports stars. And as a result, I could look up their My Health Record, even if they had never set foot in the hospital where I work.
We all know that the law is not enough to stop privacy breaches.  Some people will be motivated by curiosity, greed, revenge, jealousy, hatred or the pursuit of power or a political agenda to look up and misuse a patient’s record, even when they know they are not supposed to.  Even when the law says it is illegal.  Even when they have been warned they could be sacked.  It happens in hospitals now.  It happens in police forces.  It happens in banks.
Some people will do the wrong thing.  If you really care about protecting customers’ privacy, you build in technical controls, and enforce a security culture, to make attempted misuse as difficult as possible.  But that’s not the way My Health Record has been designed.
For ADHA to respond to these risks with the statement that “It is illegal for non-authorised staff to access medical information of any sort” is disingenuous at best, and downright misleading and dangerous at worst.
It is about as naïve and useless as building a bank vault with an unlocked door and no alarms, but telling customers their money will be safe because it is illegal to steal.
Making something illegal isn’t enough; the My Health Record system design should actively prevent the likelihood of misuse with proper security controls.
Step 4: Pressure or silence critics
When claims by the Minister and ADHA that law enforcement access would require a warrant were contradicted by everyone who could be bothered reading what the legislation actually allowed, from the Queensland Police Union to journalists, advocates and the non-partisan Australian Parliamentary Library, the Department of Health complained and had the Library remove then edit its article to remove elements contradicting the Minister, while the Minister called journalists to tell them they were wrong.
Of course, the critics were right, and the Minister had to quickly draw up legislation to amend the law so that it would do what he had said it already did.
Mind you, Minister Hunt only acted once the peak medical profession bodies started articulating for patient privacy in relation to law enforcement access.  The medical profession has not been so strong on advocating for better access controls on doctors themselves, so that issue has been ignored.
The back-downs by critics has been achieved even at an individual level.  Coalition MP Tim Wilson caused a stir when on 23 July he announced he had opted out, and said “my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt into a system rather than have to go through the process of opting out”.
But once the Minister said he would introduce legislation about limiting law enforcement access, Wilson suddenly changed his tune and on 31 July tweeted “Elated the Health Minister will fix Labor’s flawed MyHealth legislation. These changes address the principle concerns I had with MyHealth”.
Wilson’s position ignores the fact that it was his own Government which made the switch from opt-in to opt-out that he had ‘instinctively’ reacted against, and the ‘fixes’ proposed by Minister Hunt didn’t reverse that position at all.
There is much more here covering points 5 to 9:
If you read through the full blog and are not amazed at the scale of the mishandling of the opt-out process I will be very surprised.


Anonymous said...

Agreee David this article sums up the damage done nicely, the MyHR is done a nice job exposing the nice but dim thought leadership. My Saturday silly is the following amusing tripe from ADHA. https://www.tenders.gov.au/?event=public.atm.show&ATMUUID=04E9CE03-D1DA-0FED-9E0E17E0EA3318D2

Overall concept and experience design for the specified space in line with the Agencies objectives and delivery and support of the technologies.
Collaborative Experience: Exploration of interactive experience which enable visitors to participate in giving feedback to the Agency relevant to their areas and exposing other submitted content (two-way conversation). Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios. Enabling visitors to engage with data sets in their areas of interest.
Flexible: Efficient ways for content to be updated or refreshed. Hardware as a platform for quality user-experiences which supports different configurations and interactives. Flexible immersive options, exploring technology such as VR/AR for engagement over costly prop configuration.
Staged Development: Option to deliver the area in a staged approach. For example, Interactive Touch screens with interaction as ‘Stage 1’ and VR/AR developed in ‘Staged 2’

Elements of Portability: Designing the area in such a way which enables all or parts to be portable and transportable to conferences or events.

So much BS I am not sure what these people are taking, it is like they have joined the other penguins living in ice.

Anonymous said...

8:36 AM, do you know if there is a version in English?

Collaborative Experience: Exploration of interactive experience which enable visitors to participate in giving feedback to the Agency relevant to their areas and exposing other submitted content (two-way conversation). - as evidence shows, only in as far as you agree with Tim’s view of the world.

Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios. Enabling visitors to engage with data sets in their areas of interest. - what Agencies are they referring to? Sounds like they are stepping on the DTA patch here.

My experience has been the ADHA cannot even hold a web conference without it falling over, not sure they are reading for anything interactive.

Anonymous said...

Looks to me like is is yet another desperate attempt to find benefits, any benefits in My Health Record. A bit like the so called test beds.

They've built a crappy mousetrap and are wondering why people aren't beating a path to their door.

Anonymous said...

Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios

Umm what does that suppose to mean???

Anonymous said...

I think they mean Agency’s rather than Agencies. It does show that the ADHA has little to no care factor regarding quality. Just what sort of half baked system they are about to force millions on unsuspecting onto is a little frightening.

Anonymous said...

Can this over paid plonker embarrass the department, government and the nation any more? This shabby ness is not a one off but yet another example in a long list of half baked ideas, poorly crafted and lacking any hint of editorial review.
Why exactly would anyone take these people seriously?

Anonymous said...

@11:14 PM. If we are to learn anything from history, then it would seem we have only just started worming up and there is plenty more damaging actions/inactions to come. The saving grace will not come from a realisation that there is a better way but from a selfish need for self preservation in the Department and to a degree in the ADHA.

Anonymous said...

The other little misleading bit of info the Agency is providing is that the opt out numbers. We exclude minors (under 14 years) from being counted. These are rolled up and counted as a single optout event under the parent or guardian that submits the request. About 15% of optout request involve multiple Medicare recipients.

Anonymous said...

9:53 AM. Why am I not shocked or even surprised.

Anonymous said...

@9:53AM. The ADHA is consistent with misleading data at least. I fully believe that is exactly the sort of underhanded tactics they are carrying out.

Anonymous said...

Today's Pulse IT Reports "ADHA to begin interoperability talks for 'licence to operate' in February".

After reading this PulseIT report the only conclusion one can arrive at is that Tim Kelsey just makes it all up as he goes along; the great con trick. AAaaahhh.


ADHA CEO Tim Kelsey told the Health Information Management Association of Australia's annual conference in Hobart today that the agency has a statutory requirement to compile standards for interoperability.

The national consultation will be about what Australia wants from interoperability in the future, and when and how quickly does it need to be implemented, Mr Kelsey said.

Calling it an important watershed moment for Australia, Mr Kelsey said the public consultation would help to decide on how firmly standards need to be mandated, or not.

“What should be the core standards that a health provider needs to operate in relation to data management is the biggest conversation,” he said. “Essentially, what Australia is going to do in the next six to nine months is to determine a draft for what it thinks the basic licence to operate for providers of healthcare should be in both public and private [health settings].”

Anonymous said...

Natalie Cole nailed it in "Starting all over again".

And, when I hold you in my arms I promise you
You're gonna feel a love that's beautiful and new
This time I'll love you even better
Than I ever did before
And you'll be in my heart forever more

We, we're just too young to know
We fell in love and let it go
So easy to say the words goodbye
So hard to let the feeling die

I know how much I need you now
The time is turning back somehow
As soon as our hearts and souls unite
I know for sure we'll get the feeling right

And now we're starting over again
It's not the easiest thing to do

Bernard Robertson-Dunn said...

Gee, how original. I wonder if the ADHA CEO is aware that this has all been done before, over 11 years ago in the case for the interoperability framework.

Here's a few documents from NEHTA he might get his team to mull over and let us know a) why they are reinventing the wheel or b) why the earlier attempts got it wrong and, if b), c) why they think they can get it right this time.

Interoperability Framework, Version 2.0 — 17 August 2007

High-Level System Architecture, PCEHR System
Version 1.35 — 11 November 2011, Final

And of course the ConOp which they seem to have lost, but, as they informed the Senate, the Australian Privacy Foundation has a copy.

For information, the ConOp contains this:

"Access to the PCEHR System will be based on Australian and International
standards for ensuring interoperability of eHealth systems as well as other
relevant specifications."

As the PCEHR has been live for over six years, one might ask the question: "what's actually been built?" Is this the real reason why there is so much pdf in the system?

Anonymous said...

Bernard there is also an Australia Standard for interoperability perhaps they could start there. They might discover interoperability is more than system integration. However at the end of they day who gives a toss what they come up with, what happens to licenses, the ADOHA going to rebook your licences. This bloke is a joke

Anonymous said...

The ADHA, led by their CEO who has no training in healthcare or technology, haven't a clue. Health IT has largely been a failure when it comes to true transformation and that's with some very smart people trying hard to advance health care. This lot aren't in the same league and don't have a hope in hell of doing anything innovative or even clever. It would be fun and amusing to watch if it wasn't so serious. I wonder what plans the ADHA has for the first data breach and/or death due to bad data.

tygrus said...

The ADHA is talking about Standards for interoperability more than 12 months after the "Australia’s National Digital Health Strategy" was published (Aug 2018).

Are we still at Step 1 of 7?
They seem very optimistic about the speed of progress considering their slow progress (or lack of) so far.

Step 1) Tim Kelsey is talking about ADHA making plans to have talks;
Step 2) Organise these talks and actually have them (the "national consultation");
Step 3) publish a strategic plan;
Step 4) plan more focus groups on the top priorities and create working parties;
Step 5) working parties have more industry, patient, government consultation;
Step 6) each working party develops standards and must have each implementation plan approved;
Step 7) wait for a magical pot of gold to appear at the end of a rainbow.

Quote from "Australia’s National Digital Health Strategy"
Page 6:
3. High-quality data with a commonly understood meaning that can be used with confidence.

The interoperability of clinical data is essential to high-quality, sustainable healthcare – this means that patient data is collected in standard ways and that it can be shared in real time with them and their providers.
By the end of 2018, a public consultation on draft interoperability standards will confirm an agreed vision and roadmap for implementation of interoperability between all public and private health and care services in Australia. Base-level requirements for using digital technology when providing care in Australia will be agreed, with improvements in data quality and interoperability delivered through adoption of clinical terminologies, unique identifiers and data standards. By 2022, the first regions in Australia will showcase comprehensive interoperability across health service provision.

Anonymous said...


"Interoperability Framework, Version 2.0 — 17 August 2007"


"By 2022, the first regions in Australia will showcase comprehensive nteroperability across health service provision.

15 years and maybe they can showcase something? And 2022 is only a prediction.

ADHA's strategy for digital health is an bottomless bucket of money. All spend, no gain.

Bernard Robertson-Dunn said...

It's worth having a read of this document:
NEHTA Blueprint
Version 2.0, FINAL, 30th Sept 2011

The number of features/requirements that have not been included in the PCEHR/MyHR as released in 2012 is quite astounding.

Starting with NASH, the blueprint document says:

"The potential damage resulting from an inability to authenticate an individual
or device accessing information such as pathology or radiology results ranges
from moderate to substantial.

Password-based authentication is no longer safe for many purposes – with
governments at local, federal and state levels directing that security of
access to sensitive information be upgraded.

Through the National Authentication Service for Health (NASH) NEHTA will
deliver authentication based on digital credentials, including digital
certificates, managed through Public Key Infrastructure (PKI), secured by
tokens, including smartcards.

NEHTA‘s initial target population for credential-based authentication is the
~40,000 healthcare provider organisations and ~500,000 individuals
identified in the Healthcare Identifier (HI) program. Registration of individuals
in this program will mainly be provided through the HI Service and the
Australian Health Practitioner Regulation Agency (AHPRA)"

Interoperability is mentioned throughout the blueprint including:

"A key driver behind the national approach to EHealth is to facilitate interoperability across the Australian health sector in order to improve health system outcomes around effectiveness, safety, responsiveness, continuity of care, accessibility, efficiency and sustainability."

"3.4.2 Standards Based Information Sharing

In order to facilitate interoperability across the health sector, NEHTA will work with stakeholders to develop an agreed set of specifications and standards to facilitate the effective sharing of health information.

Standards and specifications that need to be supported include:

* Foundation capability standards and specifications for identifiers, authentication, secure messaging, clinical terminology and supply chain; and

* EHealth solution capability standards and specifications for discharge, referral, medication management, pathology and diagnostic imaging."

NASH and interoperability are linked:

"Guidelines for interoperability.

To promote interoperability, NASH will supply technical specifications for message formats, certificate formats, encryption and signature algorithms, encoding of data, key usage, key management, and availability of digital credential/certificate status information"

One does wonder if ADHA realises the depth of the hole it is in. There are huge parts of the original design that were never implemented. Replatforming or, to give it it's more realistic description - starting again - could well be totally unachievable.

The original program of work, conducted mainly by NEHTA but under the control of the Department of Health, has all the hallmarks of a project dominated and interfered with by Project Managers with little or no understanding of the architecture process and even less understanding of health care.

In that respect, nothing has changed. I feel sorry for the many highly competent specialists who got over-ridden by Project Managers driven by cost and schedule issues. Mostly these specialists are not in a position to defend themselves or explain the reality of what actually happened and who understand what will happen over and over again.

Bernard Robertson-Dunn said...

Looking at other historical documents....


"60. Regulatory Framework for Health Information

"60.7 Technology is developing to help deal with these challenges. DOHA went on to note that:

Australia is on the threshold of major developments in national e-health systems and the use of telehealth services. The aim of these systems is to enable health information to be shared more reliably, securely and efficiently between healthcare providers with the aim of delivering safe care and better health outcomes for individuals. The use of these systems will increase the volume and frequency of communications and may mean the individual whom the information concerns is located in a different State or Territory to the holder of the information. New work systems and practices will emerge as e-health systems are developed and implemented, and the use of telehealth services expand.[12]"

This was in their submission

"Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007"

Just like interoperability, for the past 11 years, it's all been about promises of untold benefits, just round the corner, real soon now.....

Anonymous said...

Well we have moved from threshold to watershed.