The first we had was the AAP report.
This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Quote Of The Year
Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"
or
H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."
Tuesday, November 26, 2019
Initial Press Responses To The Auditor General Report On The #MyHealthRecord.
About Me
- Dr David G More MB PhD
- This is a simple blog to allow discussion of Australian Health IT Issues.
The purpose is quite simple. To have ICT used to greater and more beneficial effect in the Australian Health Sector.
And to expose the nonsense :-)
E-mail Contact: davidgmore@gmail.com
20 comments:
Have you read Greg Hunt's media release about My Health record?
https://www.health.gov.au/ministers/the-hon-greg-hunt-mp
Surprise, surprise, there isn't one.
How about the AMA?
https://ama.com.au/media/releases
Nothing there.
RACGP?
https://www.racgp.org.au/gp-news/media-releases
Silence.
What has Tim tweeted about it?
Nothing
@AuDigitalHealth is blithely ignoring it all and still promoting the thing.
Talk about head in the sand.
Well surely the Pharmacy Guild will have something good to say.
Has anyone else realised the consequences of Recommendation 1?
This refers to the section: "Were privacy risks appropriately managed?"
"ADHA’s management of privacy risks was largely appropriate. Health and ADHA implemented system and consumer access controls. System controls included access requirements for healthcare provider organisations and various consumer controls (including identity verification requirements, the ability to set advanced access controls and the ability to permanently delete records).
The ADHA has not undertaken an end-to-end privacy risk assessment of the ongoing operation of the My Health Record system under the opt-out model. The last privacy specific risk assessment was completed in 2017 and, although ADHA funded the Office of the Australian Information Commissioner to conduct at least four privacy reviews between October 2017 and June 2019, none were completed in that period"
Referring to the Concept of Operation document on which the PCeHR was based, it said:
Access from the Provider Portal
Healthcare providers wishing to use the provider portal to access the PCEHR System will need to be linked to the healthcare organisation within the HI Provider Directory Service (HI-PDS) and will need to use a NASH token (e.g. smart card or USB token) asserting their identity to log in.
Con-op page 65
The original NASH was never implemented which means that portal users can only be identified as far as their organisation, not the individual.
The NASH was supposed to identify individual healthcare service providers through use of a smartcard or USB.
There are two consequences arising from this failure to implement the original NASH concept.
1. The system was not implemented as designed
2. There is a weakness in the end to end security
The biggest threat to security and privacy of a system like MyHR is via the end-points.
Anybody with even a passing knowledge of security and privacy knows this. I know that the ANAO were informed of this issue - I told them.
This is from the APF submission, that I authored
"In terms of privacy risk management, the My Health Record system has not been implemented as originally designed. The design called for identification of individual healthcare users of the system by means of two factor authentication. This was so that a patient could identify which individual had accessed their My Health Record. This functionality required implementation of the National Authentication System for Health (NASH) a component that was never implemented and there is no indication that it ever will be."
For the ANAO to say that "Implementation of the My Health Record system was largely effective" is a bit of a stretch
The questions are:
What did the ADHA tell ANAO about the failure to implement NASH and the subsequent weakening of end-to-end privacy?
If the ADHA told ANAO, did they realise the consequences?
Something smells wrong. Either the ADHA was not open and transparent or did not know about the risk and implementation failure
The fact that they have not done an end-to-end privacy risk assessment strongly suggests they don't want to hear the results and/or more importantly, to own up to the weak privacy protections in what was implemented.
The one person who probably knew all about this was Bettina McMahon. Funny that.
IMHO, the ANAO review raises more questions than it answers. Another one is the failure to solve the interoperability problem that has severely crippled the system in terms of reducing fragmentation of a patient's health data - objective #1. Rather than joining up existing repositories, myhr is now just a dumb document dump with little or no history.
What did the ADHA tell the ANAO about that?
I'm beginning to think that a call for the Senate to review the whole thing - the behaviour of the ADHA and the performance of the ANAO - would be a good idea.
I'll wait until next year. I wouldn't want to spoil anyone's Christmas.
That sounds like an excellent idea Bernard. Perhaps a supporting petition?
There is more concern than just the myhr system negligence. As bad as cheating the Australian public is, there would appear to be serious issues internally with devastating results for individual.
A supporting petition is an excellent suggestion. To be meaningful and as effective as possible the following is required:
1. Two paras max
2. At least 20 - 25 names of credible experienced individuals; not just anyone, no rabble-rousers.
3. First step would be to elect a co-ordinator. I suggest Bernard should be the coordinating point of contact, should he be agreeable to that.
4. Second step would be for those prepared to commit to send an email confirmation to Bernard subject to him confirming contact details via this thread.
5. Third step, co-ordinator prepares the petition
6. Fourth step, when invited, each person who has committed electronically signs, dates, and returns the petition to the co-ordinator ready for submission.
7. The co-ordinator does the rest.
A suggestion worth considering.
I'm getting advice from elsewhere about the most effective way to raise/pursue this.
Excellent suggestion. I can think of 25+ credible people who should be signatories. But how many are prepared to add their name to the petition? Do they have the courage of their conviction?
Has anyone counted how many times interoperable/interoperability occurs in the ANAO review?
I'll save you the trouble. Zero.
As we know the ADHA is still working to implement some form of interoperability, although I'm not sure if they are conflating it with secure messaging.
The high level architecture says:
"National E-Health Framework
The PCEHR System has been architected using NEHTA’s National eHealth Framework (NEHF). The NEHF is based on a combination of the Australian Government Architecture (AGA) and HL7’s Service Aware Interoperability Framework (SAIF).
The NEHF is used by the PCEHR System to help deliver consistent and cohesive eHealth specifications. The NEHF provides a common specification language for teams involved in working in eHealth, supports the identification of secure and interoperable services and assists in analysing eHealth solutions to ensure that they will deliver the intended outcome."
The NEHF says:
"A national approach to interoperability is vital to the Australian e-health agenda.
Interoperability contributes to enhanced healthcare delivery facilitating continuity of care and better decision making while delivering cost savings. Interoperability is also a state of readiness to deal with new technologies, clinical practices and changes in policies."
Without interoperability it is not possible to join up existing health databases (data repositories) which is the reason why the objective of reducing data fragmentation has not been achieved.
Did the ANAO review mention that a vital component of the NEHF was not fully implemented? No.
I wonder why not. Maybe they were not told. If they had been told, maybe they would have concluded that the MyHR had not been properly implemented.
Of course the ADHA might claim that it was not an opt-out issue. My response would be that an issue, especially a vital issue that has been there from the start, unless it has been addressed, (which this hasn't) is still a vital issue.
Maybe they should have told the ANAO and let them decide. That would have been the ethical thing to do.
Maybe someone's been a very naughty boy.
Apart from the quotes, all of this is speculation. Maybe someone should ask the Auditor General.
Bernard there is no point in referencing NEHTA information or architecture documents. The PCEHR largely ignored them and ADHA dismissed anything that was NEHTA including years of stakeholder agreements and requirements. I doubt they could even understand them, the only NEHTA people left are the used car sales people.
The ADHA may ignore them but those documents are still on the ADHA website (apart from the Con-op which they are trying to ignore) and are important because they define what was funded and intended.
In the "objectives" section of the review the ANAO referenced the original intent i.e. what was meant to be implemented.
That the ANAO only asked "Were objectives clearly specified?", not "Were objectives achieved?" is a major concern. It's like getting exam marks for neat writing.
Axe the Facts
With the ANAO review behind us we can review where we’ve got to
Myhr has been given a tick of approval by the ANAO. The ANAO asked all the right questions and got all the right answers. Nothing was hidden, all was revealed.
Apart from a few ratbags who are intransigent in their opposition to the government holding large amounts of personal and health data of questionable quality in a database attached to the internet, everyone is on side.
There’s a few minor security things to clear up and the ADHA needs to monitor and report on benefits realisation.
The ANAO didn’t have any concerns about the ePIP which is currently paying GPs to upload data, so it’s obviously an unnecessary expense which we assume is only temporary and will shortly be discontinued.
Data will soon start flooding in as consumers realise the benefits of the system and get their GPs to upload their history and health summaries. Consumer participation rate will rise to the predicted 98 per cent.
A whole range of physicians will find the data essential and valuable in their treatment of patients. Pharmacists will be happy. Those like Priceline who have their own medicine management systems will have no problem supporting three systems, myhr, the new eScript system and their own. The benefits to everyone will be so great there will be no need to pay pharmacists. If that was likely to become an issue the ANAO would have raised it and they didn’t, so that’s good.
The system is on track to reap over $14b worth of savings by 2027 minus a few expenses.
There were no concerns raised about the efficiency of the technology platforms on which the myhr is running so that’s another good thing.
All the ADHA has to do now is to go to market to find someone who can keep the thing running as-is and they can concentrate on solving the secure messaging and interoperability problems.
I guess that means any talk of re-platforming or redeveloping the system will go away – everything is fine and dandy – no reason to change anything. There are no funds allocated for re-platforming anyway. The funding will barely cover operating costs.
We’ll get improved health outcomes; a much more efficient health system; avoided duplication of diagnostic tests. It will put the person at the centre of their healthcare and enable innovation and developments in healthcare.
It’s all there in black and white in the ANAO review. All the ADHA has to do now is deliver.
That's a relief. "I feel better now".
So the replatforming will be self funding, any transition costs will come out of savings. That sounds reasonable. Anything else is probably unacceptable.
Re my sarcastic rant at 8:59am, I was telling it like I assume ADHA wants it to appear to the general public and the main stream media, both of whom have generally ignored the whole thing.
IMHO, both the ANAO and the ADHA have failed to take into account the views, opinions and roles of the two main users of the system - GPs and the public. A proper assessment of the implementation of myhr needs to take into account these communities, otherwise it is like Jeremy Knibbs said in his article
"It’s like giving NASA a tick of approval for how they built a rocket to get to the moon, but failing to check whether it had any chance of actually getting there"
MHR audit clearance is a giant red herring
http://medicalrepublic.com.au/mhr-audit-clearance-giant-red-herring/24226
The ADHA and the ANAO can say all they like about the success of the implementation but unless the public and GPs are engaged and committed, it will most probably just languish in the cyber dust.
It is telling that the ANAO has done nothing to publicise the thing since people were registered, have developed no training and/or education material for the public, who are now responsible for the privacy and quality of the data in their own record.
Apart from the registration level now at 90%, not much has changed since before it was made opt-out. Many of the comments I've seen on various social media display a serious misunderstanding of the system, mostly negative.
It's difficult to know if we are now at the end of the beginning or the beginning of the end as the government runs out of excuses. Re-platforming will be much harder to justify now.
As I said in my rant, it's up to ADHA to deliver. They can't do that from within the bubble they've been hiding in. They need the hearts and minds of the Australian people. The ANAO review didn't cover that rather critical aspect of the implementation.
Bernard in para 6 of your 5:40 PM comment you meant to say ".... it is telling that the ADHA has done nothing to publicise the thing ...."
@7:06 PM
Correct. Thank you.
If anyone is still interested in this supposed performance review, I was looking at Section 3. Risk Management.
Sub para 3.10 is headed “ADHA shares My Health Record risks with other system participants, including:
…
* healthcare recipients — whose health and personal information is stored in the My Health Record system;
…"
Risks associated with all the other system participants are commented on except for healthcare recipients – the public.
I can’t find any reference to risks that might apply to healthcare recipients, to an assessment of those risks and any mitigation of those risks – whatever they may be.
The ANAO’s conclusion to the whole section on Risk Management included this gem:
“Management of shared cyber security risks was not appropriate and should be improved with respect to risks that are shared with third party software vendors and healthcare provider organisations.“
IMHO, this is quite astounding. There is no evidence that either the ADHA or the ANAO consider that the risks to the Australian people are worth worrying about.
Furthermore, neither the media nor the people are interested enough to be concerned.
These Gateway reviews are based on very old OGC approaches. They are never tailored as initially intended. That is why so many rubbish programmes are established. You need to satisfy individual boxes. Surprised they don't employ software to generate the damn things.
As Long Live T.38 is correct even if made in jest. All those wedded to ADHA and its MyHR simply "axe the facts" in order to do whatever they wish regardless of harm.
I think what they mean is that risks to MHR security are increased through cybersecurity holes in external systems as MHR information is accessed through and sits in them so ADHA can't continue to say 'not our problem'. ANAO have said that they need to look outside their own systems to address the risks to their own system (i.e. to protect the public's information).