Friday, November 09, 2018

The Privacy Foundation Comments On The Current Situation With The #myHealthRecord.

This release appeared this morning.

The opt-out period should be extended and My Health Record properly evaluated

The Australian Privacy Foundation fully supports recent calls by the Opposition Parties, Dr Kerryn Phelps, lawyers, clinicians, educators and others to extend the period when people can opt-out of being registered for a government owned and controlled My Health Record.
There is obvious broad disquiet and substantive community concern: over a million people have opted out; there have been reports of recurrent crashes of the opt-out web site and helpdesk; and the number of people wanting to opt-out seems to have jumped, in line with the recent increased publicity.
This disquiet and concern can largely be attributed to the paucity of information about the opt-out campaign and the lack of balanced information about My Health Record on the government’s websites, which only spruik claimed benefits. People have not been given all the information they need on which to make an informed decision.
The recent Senate Inquiry into My Health Record and the opt-out initiative received over 110 submissions. The Inquiry’s recommendations that raise this and other issues have largely been ignored and dismissed by the government. The Health Minister’s attempts to “strengthen” the legislation protecting the privacy and security of the system are akin to putting a band-aid on a train wreck.
It is not widely known but the original design of the My Health Record had a requirement that all health providers (currently estimated to be about a million) who are able to use the system were to have a smart card that controlled access, identified them and allowed proper auditing of access to a patient’s health data.
This was never implemented. One can only wonder why. Whether it was cost-cutting, the need to meet a deadline, or a desire NOT to transparently record which individuals have accessed your information, the result is a remarkable security implementation failure.
The consequences of this decision mean that the protections built into the My Health Record are second class, as is the use of legislation to protect privacy. Legislation does not stop bad and inappropriate behaviour; at best all it does is punish those who get caught; if they get caught.
The Australian people cannot rely on this or any future government to properly protect the privacy and security of their health data. Legislated protections can be increased and, just as easily, weakened.
The APF calls upon the government to extend the opt-out period, not just to better inform Australians about this system (as recommended by the Senate Inquiry) but to properly and fully assess the actual benefits, the costs and risks.
My Health Record should be treated in exactly the same way as any other medical procedure, protocol or treatment. The system should be subjected to scrutiny and assessment by a wide range of independent experts to fully identify and validate the benefits, costs and risks. This is something that has never been done but, after over six years in operation, should be done. It should be completed and the results published before finalising the automatic registration process; hence the need to extend the opt-out period.
The government should stop treating itself as some sort of privileged player in the health care industry and obey the same rules as everyone else.
The extraordinary but so far unjustified and sometimes misleading claims made by the government need extraordinary evidence or, to use the vernacular, they should put up or shut up.
For more information about our views and links to other coverage of My Health Record during the opt-out period (over 200 links) see:
My Health Record

Disclosure: I am a member of the Health Committee of the Foundation.

David

12 comments:

  1. Good news, friends! I have discovered where the TV ads are running.... on (little-watched) 9's Life channel - which features reruns of The Block etc - in the 4-5pm timeslot, during ancient reruns of the UK show Come Dine With Me!

    Yes, I've seen the ad twice now, it's quite long and features fulsome description of "benefits" then in final 10-15 seconds advises that you can opt-out, brief screenshot of how...

    And yes, I know I'm pathetic and probably the only person who watches CDWM (the shows are so old I've seen them many times before) so I'll stop now before I embarrass myself further.

  2. Sounds the perfect channel for re-runs of care.data

  3. This was posted to a privacy list, in response to my comment about the smart card security feature not being implemented in myhr. Reproduced with permission.

    We had a discussion about this at my local Linux User group. I had seen my doctor access my MHR details. All it took was clicking a mouse button a couple of times. (After finding the information he wanted, he then declared he didn't trust it and asked the doctor who put it there to send him a fax.) The implication of just needing a couple of mouse clicks is that at the time he needed no authentication whatsoever. Worse, he only looked it up after I suggested he do so. I took from that he doesn't normally access it, so he hadn't used it in some while.

    That meant his computer probably had unlimited access to the MHR system while he was logged in at best, unconditionally at worst. The entire LUG decided at that point it was not a question of if the MHR database ended up being sold on the web, but when.

    The logic is pretty simple - it's potentially worth a lot of money and doctors' surgeries regularly fall for all sorts of malware that accesses their entire computer network (think ransomware). So it's just a question of time before some bright spark puts two and two together and figures the entire lot is there for the taking.

    A 2FA (two factor authentication) system like a card would fix this: but it would have to be something they had to manually trigger on every access. If they just plugged it in when they arrived at work to give them access for the entire day the situation would be no different from what it is now. It's not like these systems are expensive. Banks have used 2FA tokens in this way for at least a decade, Yubikeys have provided this facility for years, FIDO (Fast ID Online) is now a standardised way of doing it that costs $23.63 from an Australian supplier:

    https://core-electronics.com.au/fido-u2f-security-key-u2f-usb-two-step-authentication-security.html

    Getting security rock solid is very, very hard: there is always some subtle chink in the armour no one had thought of. But this isn't a case of getting it rock solid. Everyone should be aware by now you can't trust a normal PC connected to the Internet. Even if you trust the owner, you have to treat their computer as hostile.

    BTW, 2FA via a smart card was only intended for health service provider users.

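The per-access second factor and audit trail the comment above argues for, as an added illustration that is not part of the post or of any real My Health Record code. The token signature is modelled with an HMAC over a single-use challenge and a use counter (real FIDO U2F uses ECDSA over an app-id hash, flags, counter and challenge, which this does not implement), and every name and secret is constructed.

```python
import hashlib, hmac, os

class TokenStub:
    """Constructed stand-in for a hardware token: it signs only when physically touched."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self.counter = 0  # increments on every touch, like a U2F use counter

    def touch_and_sign(self, challenge: bytes) -> tuple:
        self.counter += 1
        msg = challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()

class RecordServer:
    """Grants one record read per fresh token assertion and audits every attempt."""
    def __init__(self):
        self.enrolled = {}  # user_id -> [shared secret, highest counter seen]
        self.pending = {}   # user_id -> outstanding single-use challenge
        self.audit = []     # (user_id, patient_id, outcome): who read what, and what was refused

    def enrol(self, user_id: str, secret: bytes) -> None:
        self.enrolled[user_id] = [secret, 0]

    def challenge(self, user_id: str) -> bytes:
        self.pending[user_id] = os.urandom(32)
        return self.pending[user_id]

    def access(self, user_id: str, patient_id: str, counter: int, sig: bytes) -> bool:
        secret, last = self.enrolled[user_id]
        chal = self.pending.pop(user_id, None)  # consumed whether or not the check passes
        ok = False
        if chal is not None and counter > last:  # missing challenge or replayed counter: deny
            msg = chal + counter.to_bytes(4, "big")
            ok = hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), sig)
        if ok:
            self.enrolled[user_id][1] = counter
        self.audit.append((user_id, patient_id, "granted" if ok else "denied"))
        return ok

def demo() -> list:
    """Three reads by one practitioner; only the two backed by a fresh touch succeed."""
    server, token = RecordServer(), TokenStub(b"constructed-secret")
    server.enrol("dr-example", b"constructed-secret")
    n, sig = token.touch_and_sign(server.challenge("dr-example"))
    server.access("dr-example", "patient-1", n, sig)    # fresh touch: granted
    server.access("dr-example", "patient-2", n, sig)    # same assertion reused, no touch: denied
    n2, sig2 = token.touch_and_sign(server.challenge("dr-example"))
    server.access("dr-example", "patient-2", n2, sig2)  # second touch: granted
    return [row[2] for row in server.audit]
```

The second call models the "plugged in all day" situation the comment describes: a session that still holds a valid-looking assertion gets nothing without a new touch, and the refusal is itself recorded.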
  4. The security of the client access systems is hardly "a subtle chink in the armour". It's been (not surprisingly) the #1 identified issue with the system from the very first security evaluation. The government might be proving incredibly tone deaf, but that's not quite the same thing as stupid, so they might have done something about it over the years. It's not hard to imagine what the mitigations are, either.

    I'd take a bet with your LUG that the MHR database won't be sold on the web any time soon (I wouldn't take the bet against a small number of records being leaked though). Actually, the router systems that provide access for state health departments... that's a much more viable attack route, since there's reason for bulk access from them - though they are a correspondingly harder target.

  5. The biggest privacy (not necessarily the same as security) hole is via legitimate usage.

    When details are downloaded to other systems, e.g. GP or hospital, the myhr legislated protections no longer apply, and neither do the access controls or audit trails.

    Then of course are the smartphone app APIs and the apps themselves.

    So many holes; fortunately there's little of value. Fewer than about 25% of the existing 6.25 million myhrs have a shared health summary.

    Only about 4% have a SHS uploaded this year.

  6. This is not good - https://www.businessinsider.com.au/director-responsible-for-privacy-at-my-health-record-has-resigned-2018-11

    First round the clinicians walked out, this time it seems the privacy people are walking, and we are also witnessing a tsunami of citizens walking away.

    Perhaps it is time for those we vote into office to get the message.

  7. No, it is not a good look. It is also not surprising. The ADHA, rather than being open, consultative and an exemplar employer, has in reality become a closed shop run by fools who will bully and sacrifice staff and the broader community to deliver something they have little understanding of. Tim has caused so much damage to people's lives and eHealth in general that it's verging on criminal.

  8. Yet more evidence the CEO and COO are absolutely hopeless. Two years they have had and all they have successfully done is make a complete mess worse. It does not bode well for replatforming. The current MyHR contract runs out soon and no sign of requirements or EOI.

  9. The privacy director walking out is only the tip of the iceberg. The ADHA claim of a restructure to position themselves as a more efficient operator is BS. The operating model is a joke, is yet another iteration of confused purposes and simple personal control rather than any sane organisational structure designed to work together. Yes, the same person behind the closure of nehta, the formation of the ADHA and all subsequent restructures, witch hunts and sackings is heading this disaster.

  10. Let’s have a look at ADHA and its claims to be leading the world in digital health.

    Broadly defined, digital health refers to technology-enabled healthcare based on the integration of AI, big data, computer vision, digital media, sensors and smart devices with traditional medicine. Utilizing these technologies, “Digital Health” enables the provision of remote healthcare, promotes data-driven diagnostics and treatment, increases efficiency and accuracy, and facilitates highly personalized medical care.

    So in that context can anyone point towards anything useful or innovative that has been delivered by ADHA?

  11. @10:00 AM. Can’t think of a single thing which is a worry.

  12. The ADHA claims that Australia is the only country in the world to have a national, patient controlled summary health system.

    That bit can probably be justified - it's the interpretation of that statistic that's arguable.

    The government goes on to claim that it puts Australia in front of the world in innovation, consumer health choice, etc etc - i.e. a good thing.

    An alternative claim could just as well be that Australia's approach is seen as useless, privacy invasive and not worth the cost. i.e. a useless, if not bad thing.

    That's why I'm calling for independent evidence based research into the benefits, costs and risks.

    And before anyone says "but what about the test beds?" they are explicitly designed to identify benefits, not costs and risks and are intended to support spin and marketing.
