This appeared last week.
How to corrode your social licence in nine easy steps
A lesson from the Australian Government.
Privacy missteps are eroding the public’s trust in the Government’s ability to achieve ambitious digital projects, and risking trust in the very notion of government itself.
The corrosive effects of privacy debacles are cumulative, with hashtag-worthy government disasters like #Censusfail colliding in public consciousness with the re-identification of MBS/PBS data, bumping up against the cruelty of #Robodebt and the stupidity of declaring a war on maths, and flaring into outrage at a Minister’s unpunished disclosure of a welfare recipient’s personal information to a journalist.
Each privacy catastrophe eats away at the public’s trust in successive government projects, before they even get off the ground. Reasons people have given for opting out of the My Health Record system have included fear of misuse by the government of the day, citing both Robodebt and the weaponisation of Centrelink records by Minister Tudge. And then in turn, mistrust in My Health Record has been referenced in multiple submissions to PM&C’s Issues Paper on the proposed Data Sharing & Release Bill, as a way of illustrating the dangers of proceeding without caution and due respect for privacy and security.
As tech commentator Stilgherrian noted on the day the opt-out process opened – and the system crashed because of the level of demand – “When citizens rush to opt out of an Australian government service, it says something about their levels of trust. When the system falls over under heavy load, it proves them right”.
Waleed Aly has drawn together the Government’s disregard for the privacy of individual citizens with recent revelations about political interference with the ABC: “the pact is broken… this is a time of unprecedented demands, unprecedented capitulations and inevitably, unprecedented dysfunction”. Regardless of whether you care about privacy as a human right, we all should care about the decline of community faith in democracy and our public institutions.
So how did we get here?
Taking the unfolding disaster that is My Health Record as an example, let’s examine exactly how a government manages to lose its social licence to hold or use our data.
Step 1: Shift responsibility for risk management on to the individual
Research into community expectations about privacy has shown, time and time again, that the majority of people believe that a shared electronic health record should be something a patient chooses to have. And, by the way, when asked, the majority would choose not to have one.
Why would anyone not want all the benefits of a shared electronic health record? Well, for lots of reasons, it turns out.
People who might face discrimination, harassment, family shaming, blackmail or loss of employment as a result of the sharing of their health records include mental health patients, sexual health patients, HIV patients, teenagers, women who have had terminations, people in family court disputes, and people undergoing employment-related health checks.
In some cases, it won’t necessarily be clinical records which create the risk for an individual, but the potential exposure of their home address to hundreds of thousands of people, some of whom could be intent on doing harm. This can pose a risk for victims of family violence, serving police officers, members of the armed forces or the judiciary, public figures, and foster parents and the children in their care.
The decision to shift the enrolment model for My Health Record from opt-in to opt-out was always going to be controversial, but in my view for some people it will be downright dangerous.
Without a fully informed decision by every competent individual about where their personal risk-to-benefit ratio sits, an opt-out system is a ticking time bomb. Someone is going to get hurt.
Does the government really think that every Australian adult knows that they are going to have their health information shared if they don’t opt out by mid-November?
Some Australians will be pushed into this scenario of heightened privacy and safety risks by a government program they don’t even know existed. Others might know the program exists, but won’t have understood the extent to which the sharing of their My Health Record could create risks for them, because they have been lulled into a false sense of security by hollow promises about privacy protections.
And this is the central problem with making the system opt-out. It takes responsibility for making a critical decision out of the hands of the individual most affected by it. An opt-out approach to a shared eHealth record is paternalistic government, and paternalistic healthcare, at its worst.
But it also shifts responsibility for managing privacy risks onto the individual, who did not necessarily choose to be in the system, and who may not be fully informed about the risks. Because to be fully informed, we as citizens, and we as patients, need thorough explanations about how the system works, and how it might impact on each of us, both good and bad. Those explanations need to be available in multiple languages, for teenagers, for the elderly, for people with intellectual disabilities. Not ads on buses, or substance-free glossy brochures gathering dust on the GP’s reception desk.
Step 2: When people raise privacy concerns, talk about security instead
This tactic is straight from the #Censusfail playbook. Whenever anyone, from journalists to members of the public to privacy advocates, starts to ask questions about privacy (like: Why should you have my information? and What are you going to do with it? and Who will have access to it, under what conditions, for what purposes?), completely ignore those valid questions and talk about information security instead.
Step 3: When people keep raising privacy concerns, give them spin instead of truth
Of course, it turns out that those claims by Health Minister Greg Hunt about bank-grade security and military-grade security are just spin. Worse, the Minister’s claims that there have been ‘no data breaches’ are demonstrably false.
Legitimate concerns have been raised about access to the record by third parties, from medical professionals not involved in the patient’s care, to law enforcement agencies and insurance companies. (Insurance companies have not done the government any favours, with both NIB and Medibank openly salivating at the prospect.)
The official line has been to hose down those concerns, suggesting that no such thing is possible. But note the slippery language used by both the Minister and the Australian Digital Health Agency (ADHA) on this issue. They talk about who “can” or who is “allowed” or “authorised” to access a patient’s My Health Record, which is not the same as “for whom it is actually possible”. For example, in response to questions about insurers gaining access, ADHA told the media that the “only healthcare providers authorised to access a healthcare recipient’s information in a My Health Record are those who are providing healthcare to the individual.” Similarly, the main My Health Record information page for individuals says only that “any providers who are involved in your care can see this information”; it doesn’t explain how the system knows (or doesn’t know) who is actually ‘involved in your care’, and doesn’t explain whether providers not involved in your care are also capable of accessing your record.
As the journalist noted, ADHA “did not respond to a question about whether a health fund with a member’s consent and with the purpose of providing health advice, could access that person’s My Health Record”. Given the scope of section 66 of the My Health Records Act, the privacy concerns about this type of scenario seem entirely valid.
But to my mind, even more worrying is the ease with which something like 900,000 people who work in the healthcare system will have access to patient records in the My Health Record system. While the law says that those workers should only access your file if you happen to be their patient at the time, the system has not actually been designed that way. The controls on access are much looser than the public has been led to believe.
Journalists have exposed the reality. The only details that one of those 900,000 or so healthcare workers needs to know about you, in order to gain access to your My Health Record, are your name, gender and date of birth.
(While in theory, the authorised user also needs to know your Individual Healthcare Identifier, they can find that out from the first nine digits of your Medicare card number. And if they don’t know your Medicare card number, they can use a different system, HPOS, to look up your Medicare card number, based only on your name, date of birth and gender. It was the ease of access via HPOS which led to Medicare card details being found for sale on the dark web.)
Just let that sink in for a bit. Name, date of birth and gender is all that stands between your health record and its misuse. If I were a nurse, for example, I would already know, or be able to quickly find out, the name, date of birth and gender of my ex-partner; certainly my friends and family members; maybe my neighbours, colleagues, members of my basketball team or book club, and perhaps even that teacher who has been giving my kid bad grades; and no doubt plenty of celebrities, politicians and sports stars. And as a result, I could look up their My Health Record, even if they had never set foot in the hospital where I work.
We all know that the law is not enough to stop privacy breaches. Some people will be motivated by curiosity, greed, revenge, jealousy, hatred or the pursuit of power or a political agenda to look up and misuse a patient’s record, even when they know they are not supposed to. Even when the law says it is illegal. Even when they have been warned they could be sacked. It happens in hospitals now. It happens in police forces. It happens in banks.
Some people will do the wrong thing. If you really care about protecting customers’ privacy, you build in technical controls, and enforce a security culture, to make attempted misuse as difficult as possible. But that’s not the way My Health Record has been designed.
For ADHA to respond to these risks with the statement that “It is illegal for non-authorised staff to access medical information of any sort” is disingenuous at best, and downright misleading and dangerous at worst.
It is about as naïve and useless as building a bank vault with an unlocked door and no alarms, but telling customers their money will be safe because it is illegal to steal.
Making something illegal isn’t enough; the My Health Record system design should actively prevent the likelihood of misuse with proper security controls.
Step 4: Pressure or silence critics
When claims by the Minister and ADHA that law enforcement access would require a warrant were contradicted by everyone who could be bothered reading what the legislation actually allowed, from the Queensland Police Union to journalists, advocates and the non-partisan Australian Parliamentary Library, the Department of Health complained and had the Library remove then edit its article to remove elements contradicting the Minister, while the Minister called journalists to tell them they were wrong.
Of course, the critics were right, and the Minister had to quickly draw up legislation to amend the law so that it would do what he had said it already did.
Mind you, Minister Hunt only acted once the peak medical profession bodies started articulating for patient privacy in relation to law enforcement access. The medical profession has not been so strong on advocating for better access controls on doctors themselves, so that issue has been ignored.
The back-downs by critics have been achieved even at an individual level. Coalition MP Tim Wilson caused a stir when on 23 July he announced he had opted out, and said “my instinctive position should always be as a Liberal that systems should be opt-in and people should be able to freely choose to opt into a system rather than have to go through the process of opting out”.
But once the Minister said he would introduce legislation about limiting law enforcement access, Wilson suddenly changed his tune and on 31 July tweeted “Elated the Health Minister will fix Labor’s flawed MyHealth legislation. These changes address the principle concerns I had with MyHealth”.
Wilson’s position ignores the fact that it was his own Government which made the switch from opt-in to opt-out that he had ‘instinctively’ reacted against, and the ‘fixes’ proposed by Minister Hunt didn’t reverse that position at all.
There is much more here covering points 5 to 9:
If you read through the full blog and are not amazed at the scale of the mishandling of the opt-out process I will be very surprised.
David.
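The access-control point in Step 3 above is worth seeing in code: the difference between a gate that only checks "is this user a registered provider" (and leaves misuse to the law and an after-the-fact log) and one that requires an actual care relationship at the moment of access. The following is an added example written for this post; it is not code from the article, from ADHA or from the My Health Record system. The patients, provider identifiers, episode-of-care table, the patient-set access code and the break-glass path are all constructed assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Patient:
    ihi: str                  # constructed identifier, not a real IHI
    name: str
    dob: date
    gender: str
    access_code: Optional[str] = None   # assumed patient-set code; hypothetical control


@dataclass(frozen=True)
class CareEpisode:
    ihi: str
    provider_id: str
    start: datetime
    end: Optional[datetime]   # None means the patient is still under this provider's care

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when <= self.end)


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    provider_id: str
    ihi: str
    policy: str      # which gate made the decision
    basis: str       # registration / episode / patient-code / break-glass / none
    allowed: bool


class RecordGateway:
    def __init__(self, patients, episodes, registered_providers):
        self.patients = {p.ihi: p for p in patients}
        self.episodes = list(episodes)
        self.registered = set(registered_providers)
        self.audit = []

    def lookup(self, name: str, dob: date, gender: str):
        """The lookup the article describes: three demographic facts resolve to a record."""
        return [p for p in self.patients.values()
                if p.name.casefold() == name.casefold() and p.dob == dob and p.gender == gender]

    def _in_care(self, provider_id: str, ihi: str, when: datetime) -> bool:
        return any(e.ihi == ihi and e.provider_id == provider_id and e.active_at(when)
                   for e in self.episodes)

    def open_registered_only(self, provider_id: str, ihi: str, when: datetime) -> bool:
        """Loose design: holding credentials is the whole test; misuse is only logged."""
        allowed = provider_id in self.registered and ihi in self.patients
        self.audit.append(AuditEvent(when, provider_id, ihi, "registered-only",
                                     "registration" if allowed else "none", allowed))
        return allowed

    def open_care_relationship(self, provider_id, ihi, when, access_code=None, emergency=False):
        """Enforced design: an active episode, a code the patient handed over, or a declared
        emergency is required at decision time, and the reason is recorded with the event."""
        if provider_id not in self.registered or ihi not in self.patients:
            basis, allowed = "none", False
        elif self._in_care(provider_id, ihi, when):
            basis, allowed = "episode", True
        elif access_code is not None and self.patients[ihi].access_code is not None and \
                hmac.compare_digest(access_code, self.patients[ihi].access_code):
            basis, allowed = "patient-code", True
        elif emergency:
            basis, allowed = "break-glass", True   # permitted, but always lands in review
        else:
            basis, allowed = "none", False
        self.audit.append(AuditEvent(when, provider_id, ihi, "care-relationship", basis, allowed))
        return allowed

    def review_queue(self):
        """Detection pass over the log: successful opens justified by registration alone
        where no episode of care existed, plus every break-glass open."""
        return [ev for ev in self.audit if ev.allowed and (
            ev.basis == "break-glass"
            or (ev.basis == "registration" and not self._in_care(ev.provider_id, ev.ihi, ev.when)))]


def demo():
    """Constructed scenario: a nurse with valid credentials looks up an ex-partner's record."""
    now = datetime(2018, 10, 1, 9, 0)
    alice = Patient("IHI-0001", "Alice Example", date(1980, 4, 2), "F", access_code="7391")
    bob = Patient("IHI-0002", "Bob Example", date(1975, 11, 30), "M")
    gw = RecordGateway(
        patients=[alice, bob],
        episodes=[CareEpisode(alice.ihi, "nurse-ward3", now - timedelta(days=1), None)],
        registered_providers={"nurse-ward3", "nurse-exp"},  # both hold genuine credentials
    )
    found = gw.lookup("bob example", date(1975, 11, 30), "M")   # name, DOB and gender suffice
    target = found[0].ihi
    return {
        "found_by_demographics": len(found),
        "loose_allows_ex_partner": gw.open_registered_only("nurse-exp", target, now),
        "strict_denies_ex_partner": gw.open_care_relationship("nurse-exp", target, now),
        "strict_allows_treating_nurse": gw.open_care_relationship("nurse-ward3", alice.ihi, now),
        "strict_allows_patient_code": gw.open_care_relationship("nurse-exp", alice.ihi, now, access_code="7391"),
        "break_glass_allowed": gw.open_care_relationship("nurse-exp", target, now, emergency=True),
        "flagged": [(ev.provider_id, ev.ihi, ev.basis) for ev in gw.review_queue()],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two designs side by side: the registered-only gate lets the ex-partner's record be opened and can only flag it afterwards in the review queue, whereas the care-relationship gate refuses the same request outright while still admitting the treating nurse, a patient who has handed over a code, and a declared emergency (which is recorded as break-glass so an auditor sees it). The point is that the "illegal to access" rule still applies in both designs; only the second one turns it into a control.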
Agree David, this article sums up the damage done nicely; the MyHR has done a nice job exposing the nice but dim thought leadership. My Saturday silly is the following amusing tripe from ADHA. https://www.tenders.gov.au/?event=public.atm.show&ATMUUID=04E9CE03-D1DA-0FED-9E0E17E0EA3318D2
Description:
Overall concept and experience design for the specified space in line with the Agencies objectives and delivery and support of the technologies.
Collaborative Experience: Exploration of interactive experience which enable visitors to participate in giving feedback to the Agency relevant to their areas and exposing other submitted content (two-way conversation). Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios. Enabling visitors to engage with data sets in their areas of interest.
Flexible: Efficient ways for content to be updated or refreshed. Hardware as a platform for quality user-experiences which supports different configurations and interactives. Flexible immersive options, exploring technology such as VR/AR for engagement over costly prop configuration.
Staged Development: Option to deliver the area in a staged approach. For example, Interactive Touch screens with interaction as ‘Stage 1’ and VR/AR developed in ‘Staged 2’
Elements of Portability: Designing the area in such a way which enables all or parts to be portable and transportable to conferences or events.
So much BS I am not sure what these people are taking, it is like they have joined the other penguins living in ice.
8:36 AM, do you know if there is a version in English?
Collaborative Experience: Exploration of interactive experience which enable visitors to participate in giving feedback to the Agency relevant to their areas and exposing other submitted content (two-way conversation). - as evidence shows, only in as far as you agree with Tim’s view of the world.
Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios. Enabling visitors to engage with data sets in their areas of interest. - what Agencies are they referring to? Sounds like they are stepping on the DTA patch here.
My experience has been the ADHA cannot even hold a web conference without it falling over, not sure they are ready for anything interactive.
Looks to me like it is yet another desperate attempt to find benefits, any benefits in My Health Record. A bit like the so called test beds.
They've built a crappy mousetrap and are wondering why people aren't beating a path to their door.
Allowing visitors to have a hands-on experience with the Agencies or relevant products and services experiencing them in relevant user-scenarios
Umm, what is that supposed to mean???
I think they mean Agency’s rather than Agencies. It does show that the ADHA has little to no care factor regarding quality. Just what sort of half baked system they are about to force millions of unsuspecting people onto is a little frightening.
Can this overpaid plonker embarrass the department, government and the nation any more? This shabbiness is not a one off but yet another example in a long list of half baked ideas, poorly crafted and lacking any hint of editorial review.
Why exactly would anyone take these people seriously?
@11:14 PM. If we are to learn anything from history, then it would seem we have only just started warming up and there is plenty more damaging actions/inactions to come. The saving grace will not come from a realisation that there is a better way but from a selfish need for self preservation in the Department and to a degree in the ADHA.
The other little misleading bit of info the Agency is providing is the opt out numbers. We exclude minors (under 14 years) from being counted. These are rolled up and counted as a single opt out event under the parent or guardian that submits the request. About 15% of opt out requests involve multiple Medicare recipients.
9:53 AM. Why am I not shocked or even surprised.
@9:53AM. The ADHA is consistent with misleading data at least. I fully believe that is exactly the sort of underhanded tactics they are carrying out.
Today's Pulse IT Reports "ADHA to begin interoperability talks for 'licence to operate' in February".
After reading this PulseIT report the only conclusion one can arrive at is that Tim Kelsey just makes it all up as he goes along; the great con trick. AAaaahhh.
Quote:.....
ADHA CEO Tim Kelsey told the Health Information Management Association of Australia's annual conference in Hobart today that the agency has a statutory requirement to compile standards for interoperability.
The national consultation will be about what Australia wants from interoperability in the future, and when and how quickly does it need to be implemented, Mr Kelsey said.
Calling it an important watershed moment for Australia, Mr Kelsey said the public consultation would help to decide on how firmly standards need to be mandated, or not.
“What should be the core standards that a health provider needs to operate in relation to data management is the biggest conversation,” he said. “Essentially, what Australia is going to do in the next six to nine months is to determine a draft for what it thinks the basic licence to operate for providers of healthcare should be in both public and private [health settings].”
Natalie Cole nailed it in "Starting all over again".
And, when I hold you in my arms I promise you
You're gonna feel a love that's beautiful and new
This time I'll love you even better
Than I ever did before
And you'll be in my heart forever more
We, we're just too young to know
We fell in love and let it go
So easy to say the words goodbye
So hard to let the feeling die
I know how much I need you now
The time is turning back somehow
As soon as our hearts and souls unite
I know for sure we'll get the feeling right
And now we're starting over again
It's not the easiest thing to do
Gee, how original. I wonder if the ADHA CEO is aware that this has all been done before, over 11 years ago in the case for the interoperability framework.
Here are a few documents from NEHTA he might get his team to mull over and let us know a) why they are reinventing the wheel or b) why the earlier attempts got it wrong and, if b), c) why they think they can get it right this time.
Interoperability Framework, Version 2.0 — 17 August 2007
High-Level System Architecture, PCEHR System
Version 1.35 — 11 November 2011, Final
And of course the ConOp which they seem to have lost, but, as they informed the Senate, the Australian Privacy Foundation has a copy.
For information, the ConOp contains this:
"Access to the PCEHR System will be based on Australian and International
standards for ensuring interoperability of eHealth systems as well as other
relevant specifications."
As the PCEHR has been live for over six years, one might ask the question: "what's actually been built?" Is this the real reason why there is so much pdf in the system?
Bernard, there is also an Australian Standard for interoperability; perhaps they could start there. They might discover interoperability is more than system integration. However, at the end of the day, who gives a toss what they come up with, what happens to licenses, is the ADHA going to rebook your licences? This bloke is a joke.
The ADHA, led by their CEO who has no training in healthcare or technology, haven't a clue. Health IT has largely been a failure when it comes to true transformation and that's with some very smart people trying hard to advance health care. This lot aren't in the same league and don't have a hope in hell of doing anything innovative or even clever. It would be fun and amusing to watch if it wasn't so serious. I wonder what plans the ADHA has for the first data breach and/or death due to bad data.
The ADHA is talking about Standards for interoperability more than 12 months after the "Australia’s National Digital Health Strategy" was published (Aug 2018).
Are we still at Step 1 of 7?
They seem very optimistic about the speed of progress considering their slow progress (or lack of) so far.
Step 1) Tim Kelsey is talking about ADHA making plans to have talks;
Step 2) Organise these talks and actually have them (the "national consultation");
Step 3) publish a strategic plan;
Step 4) plan more focus groups on the top priorities and create working parties;
Step 5) working parties have more industry, patient, government consultation;
Step 6) each working party develops standards and must have each implementation plan approved;
Step 7) wait for a magical pot of gold to appear at the end of a rainbow.
Quote from "Australia’s National Digital Health Strategy"
Page 6:
3. High-quality data with a commonly understood meaning that can be used with confidence.
The interoperability of clinical data is essential to high-quality, sustainable healthcare – this means that patient data is collected in standard ways and that it can be shared in real time with them and their providers.
By the end of 2018, a public consultation on draft interoperability standards will confirm an agreed vision and roadmap for implementation of interoperability between all public and private health and care services in Australia. Base-level requirements for using digital technology when providing care in Australia will be agreed, with improvements in data quality and interoperability delivered through adoption of clinical terminologies, unique identifiers and data standards. By 2022, the first regions in Australia will showcase comprehensive interoperability across health service provision.
https://conversation.digitalhealth.gov.au/australias-national-digital-health-strategy
Hmmm,
"Interoperability Framework, Version 2.0 — 17 August 2007"
and
"By 2022, the first regions in Australia will showcase comprehensive interoperability across health service provision."
15 years and maybe they can showcase something? And 2022 is only a prediction.
ADHA's strategy for digital health is a bottomless bucket of money. All spend, no gain.
It's worth having a read of this document:
NEHTA Blueprint
Version 2.0, FINAL, 30th Sept 2011
The number of features/requirements that have not been included in the PCEHR/MyHR as released in 2012 is quite astounding.
Starting with NASH, the blueprint document says:
"The potential damage resulting from an inability to authenticate an individual
or device accessing information such as pathology or radiology results ranges
from moderate to substantial.
Password-based authentication is no longer safe for many purposes – with
governments at local, federal and state levels directing that security of
access to sensitive information be upgraded.
Through the National Authentication Service for Health (NASH) NEHTA will
deliver authentication based on digital credentials, including digital
certificates, managed through Public Key Infrastructure (PKI), secured by
tokens, including smartcards.
NEHTA‘s initial target population for credential-based authentication is the
~40,000 healthcare provider organisations and ~500,000 individuals
identified in the Healthcare Identifier (HI) program. Registration of individuals
in this program will mainly be provided through the HI Service and the
Australian Health Practitioner Regulation Agency (AHPRA)"
Interoperability is mentioned throughout the blueprint including:
"A key driver behind the national approach to EHealth is to facilitate interoperability across the Australian health sector in order to improve health system outcomes around effectiveness, safety, responsiveness, continuity of care, accessibility, efficiency and sustainability."
"3.4.2 Standards Based Information Sharing
In order to facilitate interoperability across the health sector, NEHTA will work with stakeholders to develop an agreed set of specifications and standards to facilitate the effective sharing of health information.
Standards and specifications that need to be supported include:
* Foundation capability standards and specifications for identifiers, authentication, secure messaging, clinical terminology and supply chain; and
* EHealth solution capability standards and specifications for discharge, referral, medication management, pathology and diagnostic imaging."
NASH and interoperability are linked:
"Guidelines for interoperability.
To promote interoperability, NASH will supply technical specifications for message formats, certificate formats, encryption and signature algorithms, encoding of data, key usage, key management, and availability of digital credential/certificate status information"
One does wonder if ADHA realises the depth of the hole it is in. There are huge parts of the original design that were never implemented. Replatforming or, to give it its more realistic description, starting again, could well be totally unachievable.
The original program of work, conducted mainly by NEHTA but under the control of the Department of Health, has all the hallmarks of a project dominated and interfered with by Project Managers with little or no understanding of the architecture process and even less understanding of health care.
In that respect, nothing has changed. I feel sorry for the many highly competent specialists who got over-ridden by Project Managers driven by cost and schedule issues. Mostly these specialists are not in a position to defend themselves or explain the reality of what actually happened and who understand what will happen over and over again.
Looking at other historical documents....
https://www.alrc.gov.au/publications/60.%20Regulatory%20Framework%20for%20Health%20Information/introduction
"60. Regulatory Framework for Health Information
...
"60.7 Technology is developing to help deal with these challenges. DOHA went on to note that:
Australia is on the threshold of major developments in national e-health systems and the use of telehealth services. The aim of these systems is to enable health information to be shared more reliably, securely and efficiently between healthcare providers with the aim of delivering safe care and better health outcomes for individuals. The use of these systems will increase the volume and frequency of communications and may mean the individual whom the information concerns is located in a different State or Territory to the holder of the information. New work systems and practices will emerge as e-health systems are developed and implemented, and the use of telehealth services expand.[12]"
This was in their submission
"Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007"
Just like interoperability, for the past 11 years, it's all been about promises of untold benefits, just round the corner, real soon now.....
Well we have moved from threshold to watershed.