My Health Record: Canberra is still missing the point

No, Minister. It's not just about law enforcement access to digital health records. The Australian government needs to address all the concerns. A media circus in a playground won't help.
Written by Stilgherrian , Contributor
(Image: Getty Images/iStockphoto)

"There's a lot of interest around the My Health Record system," said Anthony Kitzelmann, chief information security officer at the Australian Digital Health Agency (ADHA). Such understatement! But fears about the security of ADHA's IT systems shouldn't top our list.

The My Health Record systems achieved "96.7 percent compliance" with the Australian government's Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) at the protected level for health data, Kitzelmann told the SINET61 cybersecurity innovation conference in Melbourne on Wednesday.

ADHA is "always keeping in mind that this isn't our data. It belongs to our citizens, and it has to be held to the highest standards," he said. While developing its security controls, ADHA consulted with organisations such as the Australian Medical Association (AMA), the Royal Australian College of General Practitioners (RACGP), and, allegedly, consumers.

While your writer did use the recent Singapore medical data breach to highlight the possibilities for misuse, no system can be perfect. There's currently no reason to believe that ADHA hasn't secured their systems to the best of their ability.

The real concerns were, and still are, the vast potential for misuse by the 900,000 healthcare workers who can access the system, ill-thought privacy controls, complex access control that will be difficult for ordinary humans to operate, the as-yet-unspecified "secondary use" of the data, and of course the extensive warrantless access by enforcement bodies.

Health Minister Greg Hunt has finally emerged from his state of denial, kinda. But apart from adding the ability to properly delete your record, his supposed backdown on Tuesday night really only addressed the last of those concerns.

Worryingly for Hunt, recent appearances have shown the minister thinks the privacy issues transmogrified a fortnight ago, when the medico associations raised their concerns.

"We've responded very quickly to the AMA and the College of GPs. They have spoken to us over the last couple of weeks, and therefore we have responded within a two-week period," Hunt told journalists earlier this week.

Must read: The My Health Record story no politician should miss

"The legislation dates back to the previous government in 2012, and it has operated without incident, without breach, without release, without any problems."

Yes, the minister is blaming Labor when the Coalition has been in government for five long years, and had plenty of time to address any legislation they thought deficient. It certainly didn't stop them repealing a carbon tax, nor changing the direction of the NBN.

Former AMA president Kerryn Phelps has described the concessions as woefully inadequate, and has called for a full parliamentary review.

Meanwhile, potential weaknesses have continued to emerge. For all the talk of serious criminal penalties for unauthorised access, including fines up to AU$126,000 and two years in jail, it turns out that ADHA isn't keeping a full audit trail.

"Within the My Health Record system, access is logged at the healthcare provider organisation level. Note that in order to gain access, individual healthcare providers must be registered with a national registration board (e.g. APHRA) and the System Operator," MyHealthRecord tweeted last week.

"Healthcare organisations are required to keep records of who has accessed a My Health Record. When requested, they must also provide us (the System Operator) with information to identify the person who accessed the record so that any action can be taken," they added on Wednesday.

That isn't exactly reassuring, given our experience with other systems that contain highly sensitive data, provide access across an entire organisation, and attract hefty criminal penalties for unauthorised access.

Take, for example, the Queensland Police intelligence database QPRIME. It was recently revealed that a woman had to go into hiding because a police officer gave her address to her violent ex-partner. Today it was reported that nearly 90 percent of police misuse goes unpunished.

"Security is only as good as your weakest link," said Alexandra Wedutenko, a partner at law firm Clayton Utz.

Also see: Private health providers called out in quarterly Australian data breach report

"Even if the Commonwealth department that looks after My Health Record is locked down to the nth degree, and it probably is, a GP in any GP office throughout Australia can access that data and do whatever they want with it."

Or any disgruntled dentist, nefarious nurse, or enraged endocrinologist.

"It's those sorts of things that go into the trust equation, and I don't think we necessarily know what we're trusting people to do with our data," Wedutenko said.

Dr Maria Milosavljevic, chief information security officer for the New South Wales government, reminded us that we need to design systems to handle things going wrong.

"We're focused on customer experience a lot, but we only focus on the good experiences. We don't stop and think, well, the worst possible things that can go wrong, let's ask ourselves how we design those out," she said.

Milosavljevic said that people are effectively regulating the government by saying "no" and opting out.

"It's quite a theoretically interesting perspective. I think people are starting to actually wake up," she said.

Meanwhile, it's hard to see the government itself waking up. ADHA, for example, is addressing the concerns by re-bleating their happy messages.

"BREAKING: The Australian Digital Health Agency has invited the media to a Sydney playground to film three generations of the one family who have a My Health Record," tweeted journalist Greg Dyett on Thursday morning.

Yeah, sure, that'll most definitely fix it.

Related Coverage

My Health Record legislation to match ADHA policy in government backdown

Medical records to be released only with a court order, and a promise of permanent deletion upon record cancellation, were announced on Tuesday night.

PM flags My Health Record 'reassurances' as RACGP expresses concern

Change appears to be coming to My Health Record, although the details are far and few between.

Ambiguity over access to My Health Record needs to end: AMA president

Australian Medical Association president Dr Tony Bartone says he will do 'whatever it takes' to clarify the discrepancy between ADHA policy and what is currently law.

My Health Record opt-outs tracking at less than 10 percent: Hunt

Everything is rosy for Australia's health minister when it comes to My Health Record.

My Health Record opt-outs will not sink system: Turnbull

Australian Prime Minister Malcolm Turnbull says the government's My Health Record won't be sunk by large numbers of people opting out of the system.

Tens of thousands opt out of My Health Record, but can Immigration and local councils view the rest?

The ADHA says it'll refuse access to medical records without a court order or warrant. But the law allows that policy to change at any time.

Cancelled My Health Record data to be kept in limbo

Those choosing to opt-out of the My Health Record service will still have their data visible if they reactivate their account.

Editorial standards