Tuesday, May 21, 2019

Commentators and Journalists Weigh In On Digital Health And Related Privacy, Safety And Security Matters. Lots Of Interesting Perspectives - Week 44.

Note: I have excluded (or marked out) any commentary taking significant funding from the Agency or the Department of Health on all this to avoid what amounts to paid propaganda. (e.g. CHF, RACGP, AMA, National Rural Health Alliance etc. where they were simply putting the ADHA line – viz. that the myHR is a wonderfully useful clinical development that will save huge numbers of lives at no risk to anyone – which is plainly untrue) (This signifies probable ADHA Propaganda)
-----
Note: I have also broadened this section to try to cover all the privacy and security compromising and impacting announcements in the week – along with the myHR. It never seems to stop! Sadly social media platforms get a large run this week and most weeks. Sadly there is also the need to recognize polly-based risks to privacy!
-----

What is GDPR? Everything you need to know about the new general data protection regulations

General Data Protection Regulation, or GDPR, is here. Here's what it means, how it impacts individuals and businesses - and how to ensure compliance.
By Danny Palmer | May 17, 2019 -- 13:33 GMT (23:33 AEST) | Topic: Security
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It's the core of Europe's digital privacy legislation.
How did it come about?
In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe 'fit for the digital age'. Almost four years later, agreement was reached on what that involved and how it will be enforced.
One of the key components of the reforms is the introduction of the General Data Protection Regulation (GDPR). This new EU framework applies to organisations in all member-states and has implications for businesses and individuals across Europe, and beyond.
"The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information," said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015.
-----

Australia: The Un-Healthiness Of The Australian Health Sector's Data Security

Last Updated: 17 May 2019
More than twelve months after the commencement of the Australian Notifiable Data Breach Scheme,1 statistics published by the Office of the Australian Information Commissioner (OAIC) have begun to reveal trends present in the 812 notifiable data breaches recorded in Australia between 22 February and 31 December 2018. One key trend is the clear susceptibility of the health care industry, which suffered one fifth of all data breaches recorded in Australia throughout 2018, the highest number on an industry scale.
There is a cruel sense of irony that the services we turn to when we are vulnerable are themselves vulnerable, suffering data breaches that may harm us financially, psychologically or, in extreme circumstances, physically. The figures are stark, with 163 notifiable data breaches suffered by health sector businesses that are subject to the federal Privacy Act 1988 (Cth), which does not include the country's major hospitals operated under State jurisdictions. On top of these figures, the Australian Digital Health Agency, the agency responsible for administering the controversial 'My Health Record' system,2 reported that a further 42 data breaches affected Australian My Health Records throughout 2018, which are also excluded from the statistics recorded in the OAIC's reports.
-----

Privacy Awareness Week (health information): health sector and the notifiable data breach scheme - 12 months on

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.
Here’s the health sector at a glance:
  • Of the 964 eligible data breaches notified to the OAIC from 1 April 2018 to 31 March 2019, health information breaches accounted for 249 notifications (just over a quarter of all notifications). This is consistent with international trends which often show the health sector as a leading reporter of data breaches.
  • Human error was the leading cause of data breaches in the health sector, accounting for 55% of the breaches. This figure was relatively higher when compared to the average rate of data breaches in other industries due to human error (35%).
  • Human error in the health industry typically involved sending personal information to the wrong recipients via email and other forms of communication.
-----

Health policy debate misses the mark

James Scollay
  • 12:52PM May 16, 2019
Health policy might be centre stage this election, but there’s a glaring gap in the debate
With only a day to go before the federal election, it’s no surprise our country’s health has come into the firing line.
Cancer services, hospital funding, out-of-pocket costs - these issues warrant concerted policy attention. But while each party continues to pledge new promises, not one has addressed the technologies that will be required to deliver on these for all Australians. This, to me, is a grave oversight, and one that could hinder the delivery of safe, timely and effective care for patients.
Many of the pledges made by the coalition were announced in the federal budget. Here, the Coalition government announced $81.78 billion would be allocated to health, with the largest share directed towards medical services and benefits, pharmaceutical benefits, and assistance to public hospitals. However, interestingly, it excluded any mention of research and development in health technology, an area in which we’re seeing health systems in other parts of the world take tremendous strides.
-----

Protecting your practice from a notifiable data breach

The RACGP has again collaborated with the Office of the Australian Information Commissioner for Privacy Awareness Week.
17 May 2019
The annual initiative is aimed at raising awareness of privacy issues and promoting the importance of protecting personal information, including general practice patient data.

Dr Penny Burns, GP and RACGP Expert Committee – Practice Technology and Management (REC–PTM) member, recently delivered an RACGP eHealth webinar on the Notifiable Data Breaches (NDB) scheme.

The RACGP webinars are designed to assist GPs and general practice teams understand the NDB scheme and their obligations for assessing and responding to potential data breaches in their practice.

The NDB scheme came into action in February 2018 and all general practices are obliged by law to report data breaches which meet the criteria of an ‘eligible data breach’.
-----

A content analysis of the consumer-facing online information about My Health Record: implications for increasing knowledge and awareness to facilitate uptake and use

1 Sep 2018
Description
Abstract
Background: Low health literacy, low levels of positive belief and privacy and security concerns have been identified as a significant barrier to personal electronic health record uptake and use. An important tool for overcoming these barriers is the consumer-facing information which accompanies the system. My Health Record (MyHR) is the Australian national e-health record system, for which a large suite of online resources exists to facilitate consumer registration and use. This study uses a number of different measures of health resource quality to assess the MyHR online consumer-facing information and identify any gaps or areas for improvement.
Objective: To analyse the quality and content of the online consumer-facing resources which support the uptake and use of MyHR.
-----

Notifiable Data Breaches scheme: 12‑month insights report

13 May 2019
This report looks back on the last 12 months of the Notifiable Data Breaches scheme (NDB scheme). The NDB scheme introduced new obligations for Australian Government agencies and private sector organisations (entities) that have existing information security obligations under the Privacy Act 1988 (Cth) (the Privacy Act). For a little over a year, it has been a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences. They must also notify the Office of the Australian Information Commissioner (OAIC).
The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity—transparency and accountability. Being ready to assess and, if appropriate, notify of a data breach provides an opportunity for entities to understand where privacy risks lie within their operations, to address the human and cyber elements that contribute to data breaches and to prevent or minimise harm to individuals and the community. And, of course, prevention is better than cure. The requirements under the NDB scheme incentivise entities to ensure they have reasonable steps in place to secure personal information.
-----

Australians can check their immunisation status through My Health Record

15 May 2019 ADHA Propaganda
Being up to date on immunisations can stop the spread of serious disease.
Measles is one of the most contagious diseases in human history (1). If a single person has the virus, 90 per cent of those around will catch it. The measles virus lingers for up to two hours – so if you ride the train or walk the grocery aisles after an infected person, you’re exposed.
Thanks to immunisation, local cases of measles had been falling (2). In 2014, Australia declared the end of endemic measles, but a recent spike is bringing it back into public consciousness (2). There have already been 108 cases in Australia this year, compared to 103 for the whole of 2018 and just 81 in 2017.
This leaves 2019 on track to be Australia’s second-highest year for measles since 1997 (3). And Australia isn’t the only country experiencing this surge. Similar trends have emerged in New Zealand, Japan and the US.
-----

Data privacy worries ease, survey suggests

  • 1:16PM May 13, 2019
Nearly 60 per cent of Australian consumers are willing to share significant personal data with banks and insurers in exchange for lower prices.
Meanwhile close to 50 per cent of consumers would part with personal data for increased convenience when applying for a product or filing an insurance claim.
In exchange for benefits like faster loan approvals or personalised offers based on their current location, Australians would be happy to share location data and lifestyle information with their bank or insurance company, according to a global survey by professional services company Accenture.
“Most consumers are realising now that personal data has quite a lot of value,” Alex Trott, who heads up Accenture’s banking practice in Australia and New Zealand, told The Australian.
-----

WhatsApp flaw lets hackers spy on activists

  • By Mark Bridge and Tom Knowles
  • The Times
  • 12:00AM May 16, 2019
Encrypted messaging apps should never be considered secure, experts have warned, after a flaw in WhatsApp allowed attackers to spy on activists.
The Facebook-owned firm admitted a weak spot in its app’s voice-call software enabled the installation of spyware in dozens of users’ phones by an “advanced cyber actor”, which may have been a nation state.
The flaw put all 1.5 billion users of the app at risk of compromise, including iPhone and Android users.
Experts said the case highlighted the ability of sophisticated attackers to exploit gaps in code to view messages on a target’s phone even if those mess­ages were encrypted in transit.
-----

Labor gets set to pause open banking

By Julian Bajkowski on May 16, 2019 6:38AM

Husic flags major policy reset to push social equity.

Billions of tech dollars spent by major banks and their emerging competitors on new open banking capabilities could in days be left in limbo by an incoming Shorten government.
Labor’s Digital Economy shadow Ed Husic has told iTnews outstanding enabling legislation for the new Consumer Data Right will play second fiddle to other legislative imperatives, like reforming negative gearing and dividend imputation, in the event of an election win.
“Will it be an immediate or priority? I wouldn't necessarily say that would be the case, given what we have flagged as big priorities for us from negative gearing franking reform and the like,” Husic said.
At the moment open banking enabling legislation contained in new Consumer Data Right laws remains stranded in the Senate log jam that coincided with the Morrison government going to the polls.
-----
Thursday, 16 May 2019 02:47

Australia falling behind other countries in AI race: report

Australia is losing the global race in artificial intelligence and will miss out on future jobs without major new investment to secure its position as a leading destination for AI research and development, according to analysis by the University of Adelaide’s Australian Institute for Machine Learning.
According to the analysis, Australia’s investment in AI as a proportion of GDP is nowhere near comparable countries like South Korea, Singapore, France, Germany and Japan.
And, the research found Australia was also “miles behind” the competition in terms of institutions dedicated to AI research.
AIML director Professor Anton van den Hengel says other countries are investing billions of dollars in AI research because it is a core driver of innovation, revitalising existing industries and helping create new ones.
-----

My Health Record

A My Health Record is an electronic summary of a patient’s health information. A registered healthcare provider organisation may view or add health information (such as diagnoses, treatments, medications and allergies) to the patient’s My Health Record in line with their access controls.
-----

How are AI regulatory developments in the EU and US influencing AI policy-making in Australia?

Australia May 8 2019
The EU’s recently released ‘Coordinated Plan on Artificial Intelligence’, and the introduction of the ‘Algorithmic Accountability Act’ as a bill in the US highlight the importance that governments around the world are placing on AI and its expected impact on society and the global economy.
As similar legal and policy developments start to emerge in Australia – the recent release of Data61’s Ethics Framework being one example – we consider whether the approaches being taken to regulate AI in key overseas jurisdictions like Europe and the US are influencing AI policy-making in Australia.
What is the EU’s Coordinated Plan?
The Coordinated Plan aims to foster the development and use of AI and robotics in Europe, and has a number of objectives, including the development of ethics guidelines and ensuring the EU remains competitive in the AI sector. The plan also proposes joint action by EU Member States in four key areas:
  1. Increasing investment: At least €20 billion of public and private investments in research and innovation in AI through to the end of 2020.
  2. Making more data available: Increasing data sharing across borders.
  3. Fostering talent: Supporting advanced degrees in AI.
  4. Ensuring trust: Developing Ethics Guidelines.
What are the EU Ethics Guidelines?
Of the four key areas, the Ethics Guidelines are of most interest from a regulatory perspective. The Ethics Guidelines proposed in the Coordinated Plan are designed to ‘maximise the benefits of AI while minimising its risks’.
Following the publication of draft Ethics Guidelines in December 2018 (which received more than 500 comments), revised Ethics Guidelines were released by the EU’s High Level Expert Group on Artificial Intelligence on 8 April 2019.
These are focused on creating a concept of ‘Trustworthy AI’, which is comprised of three core components which should be met throughout an AI system’s life cycle:
  • the AI should be lawful, meaning it must comply with all applicable laws and regulations;
  • the AI should be ethical, by adhering to ethical principles and values; and
  • the AI should be robust, from both a technical and a social perspective (as even with good intentions, AI can cause unintentional harm).
-----

Dr Alexa is now available

By Chelsea Ukoha* and Bianca Phillips**
Monday, 13 May, 2019

In the future it is likely that voice recognition technologies will be utilised in mainstream health care, offering a diverse patient experience and reducing the administrative load on physicians, which is a major cause of burnout. It is estimated that by 2020, half of all internet searches will be conducted by voice-first rather than through typed search inputs.
Voice user interface (VUI) is a speech recognition technology that allows people to use voice as the input to control a range of devices. Google Home, Amazon Alexa and Apple Siri are examples. VUI can already analyse medical questions in order to achieve specific in-clinic uses and/or to aid healthcare delivery to patients within their homes. The recent announcement by Amazon that Alexa has achieved compliance with HIPAA has signaled that the vision for voice-first technologies is being realised, and demonstrates that voice-first health is an area that will need to be considered by early to mid-career healthcare professionals.

Alexa is HIPAA compliant

As mentioned, Amazon’s voice-interactive device ‘Alexa’ is now HIPAA compliant through the new Alexa Skills Kit. The Alexa Skills Kit enables Alexa to be utilised in particular healthcare capacities to transmit patients’ protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).
-----

EFA urges Australians to take steps to protect online privacy

Digital rights organisation Electronic Frontiers Australia has urged Australians to do three things to protect their online privacy: get a password manager, review their Facebook settings and turn on two-factor authentication.
The organisation's advice was issued on Tuesday, during Australian Privacy Awareness Week, and it also urged people to visit the dedicated website that the Office of the Australian Privacy Commissioner has created to mark the week.
In a statement, EFA said a password manager like 1Password, Lastpass or KeePass could help a user to have a unique, strong password for every site visited.
-----

200 million-record breach: Why collecting too much data raises risk

A large direct marketing list now circulating on the grey market reveals highly sensitive data on 200 million U.S. citizens. Was it really necessary to collect it all?
J.M. Porup (CSO (US)) 14 May, 2019 20:00
If you don't collect it, no one can steal it.
Sometimes the best way to secure customer data is not to collect it in the first place. While it can be tempting to "collect it all" just in case, most enterprises need far less data on their users to market to them effectively. Reducing the amount of data collected means that in the inevitable event of a breach, the repercussions will be far less severe.
"One of the things we're hearing from consumer brands is that they're doing less," Gerry Murray, director of marketing and sales technology research at IDC, says. "They're becoming more thoughtful about 'what do we want to know about you?'"
"For most commercial purposes you don't need to know that many things about a person, and sometimes you're better off not knowing," he adds.
-----

Oops! Here's the right way to correct medical records

Ms Gibson is a risk adviser at Avant.
14th May 2019
In recording the complexities of a patient’s life, mistakes happen.
Patients may ask for sensitive information not to be included in their record, or they may ask you to amend or delete a previous entry.
What are your obligations? 

Can you omit information?

If the information is clinically relevant, you need to include it. As outlined in the Medical Board of Australia’s Code of Conduct, doctors are required to ensure their medical records are complete, accurate and up-to-date.
That means sometimes a sensitive diagnosis or history will need to be included.
If patients are concerned about this, you should be able to provide them with some reassurance that the record will be confidential.
Most software allows you to make a separate ‘confidential’ record and include details in the notes that the patient disclosed sensitive health information but asked you not to record this.
-----

Consumers want control over privacy online

  • 12:30AM May 14, 2019
Australian consumers are increasingly choosing to be more private on the internet, with a larger number of them opting against sharing their personal details with mobile apps.
With privacy now a hot-button issue globally, the latest instalment of professional services firm Deloitte’s annual Privacy Index study shows that community expectations around the use of their data are starting to harden.
According to Deloitte’s Privacy Index 2019 study, 89 per cent of Australian consumers have denied a mobile app access to their location, photos, camera or contacts. Meanwhile, 63 per cent of the respondents in the study said they had deleted apps due to privacy concerns, and 46 per cent were likely to provide false personal information when engaging with an app.
The trends pose a challenge for businesses as they look to engage with their customers across digital channels. Deloitte’s national privacy and data protection lead David Batch said brands needed to rethink the privacy attributes of their apps. “Key considerations that companies need to take seriously are: ‘what are you doing with my data?’ and ‘how are you protecting my privacy?’,” he said.
-----

Government apps among the least-trusted when it comes to protecting privacy

Trust in privacy practices of government, finance sector drops, 2019 Deloitte Australian Privacy Index reveals
Rohan Pearce (Computerworld) 14 May, 2019 00:01
The 2019 Deloitte Australian Privacy Index reveals that consumers are far less inclined to trust apps produced by governments, financial institutions and the health sector compared to other sectors.
The index is based on a survey of 1000 consumers about the brands they trust the most and the least when it comes to protecting their privacy, as well as a Deloitte analysis of the privacy practices of branded mobile apps (the study only considered iOS apps).
The final index drew on the analysis, the consumer survey, as well as breach and complaints data published by the Office of the Australian Information Commissioner (OAIC).
The IT sector topped the index when it came to consumer trust, followed by real estate, and travel and transport.
-----
Tuesday, 14 May 2019 04:45

Encryption law: Labor says no repeal, but promises 'urgent' amendments

The Australian Labor Party has ruled out repealing the encryption law that was passed last year if it is elected, but says it will speedily incorporate the 170-odd amendments that were drafted, but not included in the law.
Labor's Shadow Minister for the Digital Economy Ed Husic told iTWire in Melbourne on Monday that the government had pledged to include the amendments as soon as parliament resumed sitting this year.
"We've said consistently since December last year that we wanted to see the recommendations of the bipartisan parliamentary committee into the encryption bill reflected in the law," he said.
-----

Amazon speakers violating children’s privacy: complaint

  • By Betsy Morris
  • The Wall Street Journal
  • 2:05PM May 9, 2019
Amazon.com is improperly recording and preserving the conversations of young users through its Echo Dot Kids devices, according to a complaint to be filed with US federal regulators by a coalition of privacy and child-advocacy groups.
The complaint, which alleges Amazon stores the data in the cloud even after parents actively try to delete it, is one of the first to accuse the company of the sort of privacy abuses that have embroiled Facebook and Alphabet’s Google.
It claims that Amazon’s practices violate federal law protecting the online privacy of kids, and calls on the Federal Trade Commission to investigate. The Wall Street Journal reviewed a draft version of the complaint, which the advocacy groups say they intend to file with the FTC today.
A spokesperson for Amazon said the company is compliant with federal privacy laws and that its privacy policies are disclosed on the company’s website.
-----

‘Cyber incidents’ leading cause of data breaches affecting Australians, OAIC says

Malicious acts rather than human or system error are the leading cause of breaches covered by Australia’s mandatory reporting scheme
Rohan Pearce (Computerworld) 13 May, 2019 10:48
So-called ‘cyber incidents’ continue to be a leading source of data breaches that threaten Australians’ privacy, according to figures released by the Office of the Australian Information Commissioner (OAIC).
The OAIC this morning released its latest quarterly report on the Notifiable Data Breaches (NDB) scheme. In the three month period ended 31 March the OAIC received 215 notices of breaches under the NDB scheme, which requires organisations to notify the commissioner and affected individuals if a data breach is likely to result in serious harm.
Sixty one per cent of the reported breaches related to malicious or criminal attacks. Of those 131 breaches, 87 — 66 per cent — involved ‘cyber incidents’, which the OAIC said includes phishing, malware, brute-force attacks, or compromised or stolen credentials. Other breaches involved insider threats (19), social engineering (7), or theft of paperwork or a storage device (18).
Human error accounted for 35 per cent of breaches overall, while 4 per cent were attributed to system faults.
-----
Comments welcome!
David.

6 comments:

  1. This is a great analysis of how distant the ADHA is from the proposed consumers of its product and service (remember no messaging goes out without his personal approval).

    The authors identified a number of gaps and areas for improvement in the provision of consumer-facing information about MyHR. Readability is too high for the general Australian population, and there are few translated resources, which means that the information provided does not cater to people with low literacy levels, communication disability, and/or difficulties in understanding written English. The target audiences for resources do not reflect priority groups that were identified during the MyHR development processes. There are also gaps in information provision about how consumers can use MyHR as a tool to meaningfully engage with health professionals and services to support their own person-centred care.

  2. Wonder if the goose is happy technology exposes the underperformance achieved. This makes for amusing/despairing reading. More Evidence Timmy.

    http://img-us-east-1.patrickpang.net/pdfs/pang2019_hic.pdf

    Abstract. My Health Record (MHR), which is an online health summary for Australians, was changed from the opt-in to the opt-out model, and therefore sparked a vast discussion on Twitter. In order to understand the debate, the information dissemination and the levels of engagement, we have analysed tweets posted from July 2018 to February 2019. In this paper, we report on the findings of the patterns of discussion, the hashtags and the numbers of retweets and likes from different user categories. The results show that the discussion was highly political, and the tweets from the MHR official accounts had lower propagation and engagement than other user groups. This work highlights the implications of using social networking sites (SNSs) to promote large-scale mandatory electronic health record systems.

  3. 7:08AM. Great find this supports my observations that outside the cult of MYHunt little interest was stirred and there would appear to be little appetite for help of this nature from the DoH. Money might better be spent on helping our older generations who set us up for such a good life.

  4. Bernard Robertson-Dunn May 22, 2019 8:23 AM

    Very interesting research.

    The summary on its own is worth a read. It includes this:

    "... none of the politicians was interested in the tweets from the MHR group, including the Minister of Health who oversees the ADHA and the MHR system. Given that the tweets from politicians have a strong impact (e.g. 79% of their tweets were retweeted and 81% were liked), getting their support and leveraging their power on SNSs can be good strategies to disseminate information about the uptake of electronic health systems and to further improve the public’s understanding.

    In contrast, professional groups such as academics, medical/health practitioners, IT/cyber security experts and law professionals had higher engagement with other users. Therefore, their tweets were more powerful and reached further to disseminate information. Their participation also enriched the discussion over MHR by adding their expertise into the debate. On the other hand, the results imply that privacy advocates had a strong position against MHR as they retweeted and liked none of the posts from MHR"

    It would appear that the Health Minister had no interest in promoting myhr and that other groups engaged better with the public.

    There could be two reasons why people did not re-tweet the official tweets:

    1. The officials were not good at promoting their message

    and/or

    2. Their message was not believed.

    Neither is good for ADHA.

  5. It does appear the ADHA struggles with all things digital. Such an abundance of far-reaching, cost-effective communication platforms. They would have reached more people using a fax.

    Or it is that the MyHR is simply a dud product and we are not amused.

  6. Oh dear what a pitiful picture that paints. Minister Hunt must be pleased. Does that Limey come with lemons?
