Data, distrust, and the disastrous My Health Record


Cartoon by Chris Johnston

Plagued by sluggish uptake, clinician reticence and a substantial privacy backlash, the $1.2 billion My Health Record has proven, thus far, something of a lemon.

No amount of rebranding away from the unfortunately-acronymed PCEHR ('pecker') to My Health Record, or push to a coercive opt-out model can overcome the simple fact that it isn't very popular. After five years just five million Australians — one in five of us — have signed up for a record, and only 10,000 doctors, hospitals and other health providers are on board.

The putative benefits of an electronic health record have been expounded at length by the government, and are purported to include: less fragmentation of health data across a heavily siloed system; improved availability and quality of information; fewer adverse events and duplicated tests or treatments; and improved coordination and quality of care overall.

Savings, of course, feature prominently — some $7 billion in direct costs every year, according to modelling done for the government. Untold billions more could be leveraged through sale of deidentified data (something that is already taking place).

But for success there must be buy-in, and for buy-in, there must be trust, according to the Productivity Commission. Both are lacking, and it is important to consider why.

In general terms, Australians have little reason to trust the government when it says it can protect their data. The 2016 Census distributed denial of service fiasco exposed fundamental infosec flaws; indeed, Cyber Security Minister Dan Tehan speculated that Australia had only managed to dodge the recent WannaCry ransomware attack because it fell locally on a weekend.

WannaCry threw Britain's National Health Service into disarray, highlighting the vulnerability of online systems hosting some of the most sensitive data about a country's citizens. A similar attack crippled the Ukraine and sent ripples across the globe last week, with hospitals among those affected.

Serious doubts were raised about the sanctity of health data already held by the Australian government this week after The Guardian revealed the Medicare details of any citizen were available for sale from the darknet, in real time — implying a live and active leak. Electronic health records are estimated to be 100 times more valuable than stolen credit cards, and healthcare is second only to financial organisations as the top target for data breaches worldwide.

 


Of even greater concern is its value to for-profit entities (insurers, pharmaceuticals and tech giants like Google's Deepmind) and those with legitimate access, according to medical specialist Trent Yarwood from technology thinktank Future Wise Australia. 'The real risk to privacy is the people entrusted with the data,' said Yarwood. 'The Red Cross data breach occurred because someone stuck a database on a public-facing computer; the AFP data breaches occurred the same way and so did the parliamentary mobile-number breach.'

Even more fundamental than technological vulnerabilities are the human ones — 'authorised people accessing the data improperly' to, say, snoop on celebrity patients or fish for ammunition to execute a personal enmity, he added.

Private firm Accenture Australia Holdings has been contracted to maintain the My Health Record system and its security controls; Accenture has, in turn, outsourced data centre management to a subcontractor.

Of course, this data is deidentified, but how robustly? University of Melbourne researchers triggered an investigation by the Office of the Australian Information Commissioner last year after revealing that they were able, via reverse engineering, to decrypt the provider IDs for a swathe of Medicare Benefits Schedule data published at data.gov.au. Patient IDs were not revealed, but the incident raised serious questions about security.

This is important given the Senate Select Committee on Health reported last year on a push to have restrictions on linking MBS and Pharmaceutical Benefits Scheme data eased so that researchers could match these datasets to information from a range of other sources — think Centrelink records, tax files and many other things besides.

Such linkages could reap rich fruit for population health and policy development, allowing for surveillance of things like adverse drug reactions and longitudinal assessment of risk factors and disease. But they also represent an unprecedented state-sponsored foray into some of the most fundamentally personal dimensions of a citizen's life. 'And I have no confidence that the data will be secure in the long term,' said Yarwood.

Unknown unknowns

The real worry with open season on health data is what Privacy Commissioner Timothy Pilgrim describes as 'function creep' — the erosion, over time, of limits on who can access the data and for what purposes. In the case of My Health Record, there are very real questions about where these limits lie, extending far beyond what have traditionally been understood as therapeutic imperatives into the judicial and law enforcement realms.

The legislation allows for information to be shared with a range of other government departments (Attorney-General, Defence, Veterans Affairs), law enforcement and courts, and for privacy controls set by the user to be overridden in somewhat nebulous circumstances, including where it is simply 'unreasonable or impracticable' to get consent (who gets to make this decision and on what grounds is not clear).

In terms of utility, the MHR is fundamentally flawed. To address privacy and autonomy concerns users are able to delete information and documents from their record (though there are limits and the process is far from straightforward). For clinicians, this makes MHR worse than useless — it could potentially be dangerous. In a sense, it's a doubly incomplete record: information is omitted, but the nature of these omissions — indeed, even the mere fact of them — are entirely obscured from the doctor.

These unknown unknowns may be trivial, or they could be pivotal to a diagnosis or course of treatment. So too, the information never disclosed to a doctor for fear it may make it onto a public server — a chilling effect on clinical candidness.

From an equity perspective there are also concerns — users must be literate (in both the traditional sense and in navigating the health system), proficient in English, have access to a computer and the internet and be competent with these technologies. Those that the AMA envisages as standing to benefit most from MHR — Indigenous Australians, mentally ill and older citizens and those living in rural and regional areas — are also at greatest risk of slipping through the gaps.

Until some of these questions are addressed, there cannot be a case for an opt-out model.

 


Amy Coopes is a medical student, journalist and editor at Croakey.org. You can follow Amy on Twitter at @coopesdetat


Existing comments

There's also a fundamental problem - of concern to all of us (especially the elderly whose history may affect their last years) - that we have no way of uploading our medical histories (even if we've created them) prior to seeing our present medical advisers.
Ian Bowie | 10 July 2017


Completely agree. GPs are now *forced* to upload summaries every quarter or lose practice funds (PIP). Patients routinely ask for info re mental health, anti-depressants, viagra etc to be not uploaded. This is a fact. The record is dangerous because incomplete and not updated across system. Is a dangerous totalizing bureaucratic fantasy when a simple key diagnoses, allergies, meds, opt-in or card in the wallet is enough. Patients tell us many many private things they do not want on govt servers. Specialists are not even computerised. Massive waste of public money. Clinically dangerous.
working GP | 10 July 2017


Governments are terrified of professional independence. One of the main reasons they gave us the original Medibank, thankfully modified as what we now know as Medicare - that great financial disaster for which patients in public hospitals now suffer.
john frawley | 10 July 2017


The elephant in the room is that the software development is outsourced so that control, appropriate usage and responsibility are lost. All of those are things needed for trust.
Peter Horan | 10 July 2017


I work in water data and I am very interested in pattern language (Christopher Alexander). The framework by which things hang together. Is it possible that people don't trust My Health Data because the framework is unknown? It seems outcome driven; not much thought is given to the framework or processes of the system. If it is like water data the framework simply isn't discussed and processes are very fragmented. It seems the modern approach we only focus on the outcome and believe the details take care of themselves. There is no common knowledge of the framework of such systems making it difficult for people to trust them.
Ceelly | 11 July 2017


This is a very Australian mess, which is a paradigm example of so much else that afflicts us. In more or less equal measure attention to autonomy, privacy (perhaps a subset of that), control (ditto) and the common good, with a fair topping of paranoia ... making a sensible outcome, in this case optimal health care, impossible. As always, somewhere equally between the US and UK approaches... which guarantees a monster that costs huge amounts of money and doesn't work. Such is life!
Eugene | 11 July 2017


The issue of trust is fundamental and not helped by scare-mongering stories from USA. The design of any computer system ought to help users do their tasks more easily and more accurately. Thus user participation in design and implementation is essential and seems to be lacking in the Australian system. When I had a short hospital stay in Denmark, I was told that my records would be available for the rest of my life at any hospital in Denmark and that penalties for misuse or unauthorised disclosure were very severe. Perhaps we could learn from the Danes!
Jim Boyle | 04 August 2017

