Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record, it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, December 21, 2022

The OAIC Has Delivered Its Digital Health Report For 2021-22. Care Is Needed!

This arrived last week:

Annual report of the Australian Information Commissioner’s activities in relation to digital health 2021–22

For the full report please download the print version.

Executive summary

This annual report sets out the Australian Information Commissioner’s (Information Commissioner) digital health compliance and enforcement activity during 2021–22, in accordance with s 106 of the My Health Records Act 2012 and s 30 of the Healthcare Identifiers Act 2010 (HI Act).

The report provides information about digital health activities led by the Office of the Australian Information Commissioner (OAIC), including our assessment program, handling of My Health Record data breach notifications, development of guidance material, provision of advice and liaison with key stakeholders.

This was the 10th year of operation of the My Health Record system and the 12th year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get and share their My Health Record. In 2017, the Australian Government announced the creation of a My Health Record for every Australian. Following an opt-out period that ended on 31 January 2019, a My Health Record was created for everyone who had not opted out of the system.

In 2021–22, the OAIC received 14 privacy complaints relating to the My Health Record system with 10 remaining open at the end of the reporting period. We finalised 5 My Health Record system complaints, including 1 complaint from previous reporting periods.

We received 11 privacy complaints relating to the HI Service in 2021–22. We finalised 1 of those complaints received in 2021–22. There were no HI Service complaints from the previous reporting period.

Over the reporting period, there was a marked increase in the OAIC’s policy work in relation to the HI Service as well as an increase in complaints and enquiries about healthcare identifiers. This increase is primarily attributed to the inclusion of healthcare identifiers on COVID-19 vaccine certificates and the subsequent increased collection and overall visibility of healthcare identifiers. To help ensure compliance with the HI Act and encourage best privacy practice in relation to the handling of healthcare identifiers, the OAIC published privacy guidance to assist entities and individuals that collect a person’s COVID-19 digital vaccination certificate which contains an Individual Healthcare Identifier (IHI).

We received 3 data breach notifications during the reporting period in relation to the My Health Record system and closed 3 notifications.

We also carried out other digital health-related work including:

  • commencing one privacy assessment and progressing another assessment commenced in the previous reporting period
  • providing advice to stakeholders, including the Australian Digital Health Agency (ADHA), Services Australia and the Department of Health and Aged Care, on privacy-related matters relevant to the My Health Record system and HI Service
  • developing and promoting guidance materials, including publishing new resources about IHIs and developing and conducting consultation on guidance and a new template for healthcare providers to help them comply with security and access policy requirements under the My Health Records Rule 2016
  • presenting a webinar to healthcare providers on the OAIC’s Privacy and My Health Record assessments and providing panel members for a Q&A session, and
  • monitoring developments in digital health, the My Health Record system and the HI Service.

Here is the link:

https://www.oaic.gov.au/about-us/our-corporate-information/annual-reports/digital-health-annual-reports/annual-report-of-the-australian-information-commissioners-activities-in-relation-to-digital-health-2021-22

The full report (.pdf) is only 16 pages (very information sparse) and is worth only a quick browse!

The interesting part is the assessment of the way GP practices are handling #myHR security, but we have no data right now; a report is due in early 2023. It will be interesting to read!

The AMA also came up with this overall summary and noted lots of data breaches.

Information Commissioner report on My Health Record and notifiable data breaches

Published 15 December 2022

Data for the January-June 2022 reporting period has been released by the OAIC.

The Office of the Australian Information Commissioner (OAIC) published its final privacy assessment report for 2022. The privacy assessment reports contain information about the obligations, compliance, and privacy risks of healthcare provider organisations relating to having a written policy (referred to as a Security and Access policy) under Rule 42 of the My Health Records Rule 2016.

The OAIC was notified of 396 data breaches from January to June 2022. The Privacy Act 1988 requires entities to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware that there are grounds to suspect they may have experienced an eligible data breach. Once the entity forms a reasonable belief that there has been an eligible data breach, they must notify the OAIC and affected individuals as soon as practicable.

The OAIC Report can be viewed here: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-january-june-2022

Here is the link:

https://www.ama.com.au/ama-rounds/16-december-2022/articles/information-commissioner-report-my-health-record-and

At the same time this appeared with some interesting findings:

Tuesday, 13 December 2022 10:54

Australia now leads the world in data breaches following Medibank breach

By David M Williams

Australia now has the highest data breach density in the world, with breaches spiking by 489% this quarter (and it's not over yet). Globally, data breaches have decreased by 70.8% while Australian breaches have surged by 1,550%. In fact, Australia's data breach density is 24 times higher than the global average.

Australia, the lucky country, is decidedly unlucky with a series of data breaches - of which Medibank is the most notable, now making us the data breach capital of the world.

Surfshark is a privacy protection toolset developed to help its users control their online presence seamlessly. Its data breach monitoring research now finds an average of 22 Australian accounts are breached every minute this quarter. That is the highest quarterly spike this decade, coming from two breaches per minute last quarter. It's an increase of 489% and reflects 1.88 million Australian user profiles stolen already this quarter, up from 300,000 last quarter.

“Globally, data breaches have gone down by 70.8% from October to November. In Australia, however, data breaches have surged by 1550% - from 107,659 in October to 1,776,065 in November. This is largely due to the Medibank cyber attack, which resulted in 1.75 million breached email accounts.” - says Surfshark lead researcher Agneska Sablovskaja.

The Medibank data breach was Australia’s second-largest data breach in the past decade. With 1.75 million email accounts exposed, this breach comes second only to the 2020 Wattpad breach, which exposed 2.45 million Australian accounts.

7,387 accounts were leaked per 100K Australians during the first two months of this quarter - the highest breach density in the world. Australia’s data breach density is 24 times higher than the global average. Coming in second place is Russia at 3x lower (2,568/100K), and then Turkey in third place (2,421/100K).

Our friends across the ditch in New Zealand have a breach density of 532 accounts per 100K people - that’s almost 14 times lower than Australia’s. Last quarter, both countries had similar breach densities (1185/100K in New Zealand and 1255/100K in Australia).

More here:

https://itwire.com/business-it-news/security/australia-now-leads-the-world-in-data-breaches-following-medibank-breach.html

All in all it is good to know the OAIC is on the #myHR case and that so far we have had no major leaks (compared with the Optus and Medicare disasters!).

It is clear the threat environment is getting worse year by year and so we are going to be both more careful and alert!

I also suspect once we get data on the #myHR / GP security there will need to be more than a little work there!

Will be interesting to see how 2023 goes… Hoping a bit better!

David.
