Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Saturday, March 02, 2019

They Really Are An Unacceptably Secretive Lot Are The ADHA.

Captured today - 2 March 2019.

Australian Digital Health Agency Board

Here is the link:

https://www.digitalhealth.gov.au/about-the-agency/australian-digital-health-agency-board 

And they don't even do a release to announce they are lumping millions of people with a useless Secondary Data Record for them to store YOUR Health Information! I wonder might that be because they don't want to remind their victims what they have done so close to a Federal Election?

I hope the Audit Office is watching!

David.

10 comments:

Trevor3130 said...

On audits, Electronic health records and online medical records: an asset or a liability under current conditions? published last year had some pertinent findings.
The gentle
"We hypothesise that there is currently discordance in the medical information collected and stored in different hospital systems relating specifically to ADEs, which may lead to inefficient practices and potentially repeated drug-related events."
is sharpened in
"Evaluation of the same index, for example an ADE, between the sources is incredibly difficult and not reliable."
Anyway, read it yourselves if you haven't already. They turned up enough discordances across multiple indices in a small sample to indicate that clinical systems in current use should not be used to supply data to MyHR.
Has anyone at ADHA read it?
(Maybe David has already featured this study.)

Anonymous said...

GP patient encounters had about 10% with an ADE in the previous 6 months. About 80% of these had a known side-effect that was listed in the consumer information leaflet. These 'known' side-effects are not always recorded in health records and are rarely reported. There's always a first time for a patient before it can be recorded under allergies et al.

Bernard Robertson-Dunn said...

I wonder if the major political parties and the public service have worked out who is at the greatest risk from My Health Record?

This national database, even without health data, will contain significant amounts of information that identifies people and reveals their contact details and location. This data could be used for identity theft and other nefarious purposes if it fell into the wrong hands.

If a sophisticated state actor picked a sensitive political occasion, say just before an election, and hacked My Health Record they would then have significant leverage over the government of the day. They could use it as a negotiating tool or as a means of destabilising a government.

Sophisticated state actors have no trouble breaking into systems with a high degree of security protection. Compared with these systems, My Health Record should be a doddle to crack. My Health Record is attached to a large number of relatively unprotected systems designed to download documents at the click of a button. All these attached systems create loopholes and weaknesses in the security protection. Security is only as good as the weakest link. The My Health Record system, including all its endpoints, does not have “military grade” security.

Neither political party nor the public service (e.g. PM&C, the Department of Health) have realised that the biggest risk is to their survival. Politically, there is little benefit from My Health Record; on the other hand, the risk is enormous.

In the first scenario hackers could threaten to make the fact public. If the government succumbed to pressure and the hack was not publicised, nobody would be the wiser.

If it were made public, there is a high likelihood that it would generate widespread resentment and concern, and may well be enough to bring down a government. It would depend on circumstances and timing.

And don’t think it couldn’t happen. It seems to have already happened in the USA.

The first scenario occurred when the USA Democratic Party’s email system was hacked and the fact (and the emails) made public.

The second scenario has probably happened; there are certainly very strong rumours that it has.

GOP Emails Hacked by Russia in 2016. Are They Now Being Used to Blackmail GOP?
https://gallantgoldhillreporter.com/2019/02/18/gop-emails-hacked-by-russia-in-2016-are-they-now-being-used-to-blackmail-gop/

and the following was written before the election was decided:

How Russian Hackers Can Blackmail Donald Trump—and the GOP
https://www.thedailybeast.com/how-russian-hackers-can-blackmail-donald-trumpand-the-gop

“Tom Nichols, a professor of national security affairs at the U.S. Naval War College, told The Daily Beast, representing his personal views and not those of the War College: ‘The worst possibility is that the Russians are holding back what they've stolen from the RNC because it's valuable enough to keep in reserve until the president-elect is sworn in. This is a frankly terrifying possibility.’”

(GOP = Republican Party. RNC = Republican National Committee)

Of course, it may have already happened here in Australia and that’s part of the problem, we just don’t know – I certainly don’t and I’m not suggesting that it has. But it could in the future.

The question is, are our political parties and the public service ready for a “frankly terrifying possibility”?

The safest way to protect a system from hacking and any subsequent blackmail is to not have that system in the first place.

Grahame Grieve said...

ok Bernard, let's not have a healthcare system.

@10:13 AM - I think clarification is appropriate. The technical definition of allergies does not include known/documented side effects for medications. "ADEs" is a very loose category that includes both genuine allergies, intolerances, and expected side effects. Most of these are only documented as 'allergies' if they are unexpected and provide a reason not to use the medication. However clinical judgement as to what to record varies widely, and I've often sat in meetings with leading allergists, emergency physicians etc and they usually agree to disagree on the boundaries here. With regard to your point: yes, that's how it works, sadly.

Bernard Robertson-Dunn said...

Grahame,

I said nothing about healthcare. The healthcare system needs data and better ways of dealing with those data. There are well known and obvious problems with defining, accessing and communicating such data, you go on to mention just a few. Focusing on those problems is critical and essential.

I was pointing out the risk to the government of them holding a large amount of personal/health data in a system with many security weaknesses.

Bernard Robertson-Dunn said...

Grahame,

and if I remember correctly, Dr Phelps, you and I all recommended to the Senate Committee that a distributed system was a far better solution.

Such a system would (or at least should) be harder to hack and if there were no central, government owned and run database it could not be a target of a sophisticated state actor.

Grahame Grieve said...

> if there were no central, government owned and run database it could not be a target of a sophisticated state actor

I think that's the point of disagreement. I don't know why a state actor is not going to make a non-central, non-government owned and run database a target.

Anonymous said...

There is the economy of scale argument - if all the eggs are in a single basket then the value of the prizes goes up exponentially with minimal increase in cost. I don’t think the Kiwis will attack the government's health database as a prelude to formal invasion. It is still an extremely valuable target for non-state based actors.

Cyber aside, if the MyHR becomes the dominant constraint then it is highly likely our digitalised health information will quickly become stuck in a time warp. Governments are just not designed for this. It does neither industry nor consumers any favours having Canberra controlling information this way.

I like western governments, leave them alone to do what they are designed to do.

Bernard Robertson-Dunn said...

"I don't know why a state actor is not going to make a non-central, non-government owned and run database a target."

They might, but we are talking about risks to government.

A state actor would be looking for leverage over the government. The government is not responsible for non-government systems. Each individual owner is.

Maybe the recent hack of the Federal Parliamentary email system was just a dry run - or a warning.

Grahame Grieve said...

yes the fact that a private health database is hacked is not a threat to the government per se. But the bigger threat still arises from personal information being accessed.