​My Health Record stands up cybersecurity centre to monitor access

Those who choose to keep their My Health Record will also have a real-time log of who has accessed their information.
Written by Asha Barbaschow, Contributor

By the end of this year, all Australians will have a My Health Record, an online record of medical information, providing they don't choose to opt out of the service.

Speaking at the National Press Club on Thursday, Tim Kelsey, chief executive of the Digital Health Agency -- the agency charged with overseeing the My Health Record and ensuring citizen information is secure -- addressed a handful of security and privacy concerns the health record raises.

One measure addressing such concerns is a cybersecurity centre that will monitor My Health Record.

"My Health Record operates to the highest cybersecurity standards in Australia and is independently audited on that basis by a number of organisations on that basis, including the Australian Signals Directorate," Kelsey said.

"The agency has set up a national cybersecurity centre to ensure constant, multi-layer surveillance of My Health Record ... since the system was launched in 2012, there has been no breach."

Another security control, Kelsey explained, is the requirement to have an access code or PIN on the individual's My Health Record.

Additionally, users will be able to see a real-time audit log of who has accessed their record, and they can also set an SMS alert that notifies them of that occurrence.

Users can withhold a document from the view of their clinician, too.

"All instances of access by a clinician are attributable directly to that person and recorded in real-time," Kelsey said, noting that incorrect usage will be punishable via a custodial prison sentence of up to two years. "People are quite rightly concerned over the privacy of their information, and that's why they have a right to make a choice."

That choice is the option to opt out.

Currently, more than 5.7 million Australians have a My Health Record, and those who don't want one will have from July 16 to October 15, 2018, to opt out.

"It is essential everyone is able to make a decision on participation," Kelsey said.

Those who don't opt out will have the record automatically created, and once the individual or a clinical professional activates it, it will start to populate with data including the last two years of their Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) information.

Other information sources will only upload into the record as they happen, for example when the individual visits a GP or gets a blood test.

Users can also upload their own information.

Key clinical documentation will eventually be uploaded, such as pathology reports, discharge summaries from hospitals, and medications dispensed, Kelsey explained.

After it is cancelled, no data will be attributed to it until its reactivated, at which time two years' worth of PBS and MBS data from that date will be re-populated.

Another privacy concern is on the third-party use of My Health Record information.

The government earlier this month published guidelines on the third-party use of data generated by My Health Record.

Direct access to or release of My Health Record data is only to an Australian entity, the guidelines state, and data released for secondary use is to be stored in a facility within Australia.

The framework restricts access to de-identified data, noting that it cannot be used solely for commercial and non-health-related purposes. Kelsey on Thursday confirmed this means the likes of insurance companies cannot use it to set premiums, as one example.

According to Kelsey, when a My Health Record has been cancelled, the contents of the record is dumped as per government data removal procedure, and becomes unavailable for secondary use.

With all Australians slated to have a My Health Record by 2018, the 2019 goal is for every registered clinician being provided with a secure means of communicating digitally with their colleagues without "resorting to paper or the dreaded fax machine".

By 2022, Kelsey said the first selected regions in Australia will have connected all their care services so that clinicians have cross-organisation access to information.

"Digital technology will be the most important enabler of high-quality sustainable health and care in Australia," Kelsey said.

"We are at the start of a journey; the history of technology in healthcare has been very mixed, we must manage our expectations -- technology has transformed other industries ... and it will change the experience of healthcare, but this will take time and patience, this is an evolution much more than a revolution."

The My Health Record framework for action will be published in July, which will describe a roadmap for the delivery of the three key principals of the Digital Health Agency and the online record.

Touching on the three principals, Kelsey said they will be centred on participation, empowering people to take more control of their health and care; collaboration, which will require the co-design of services; and innovation.

"MHR is a part of the solution; it will not solve all the information challenges of modern Australian healthcare, but it is an important step forward ... one of the key digital health basics," he said. "If the world is full of faxes, it will not be full of precision medicines -- let's get the digital basics right."


Editorial standards