Tim Kelsey (centre), head of the Australian Digital Health Agency
As the privacy and security controversy surrounding the Turnbull government’s My Health Record debacle enters its third week, there are no concrete resolutions in sight to allay the concerns of the Australian people, whose rights are literally being politicised in the process.
So much has been said over the past several days, including by Health Minister Greg Hunt, in an attempt to allay Australians’ concerns. And much of it has been proven to be incorrect.
But what this fall-out has shown, if anything, is that many Australian people do, in fact, care about their privacy, especially when it comes to their deeply intimate and personal health records. They also care about whether the security of the system (not to be confused with “privacy”) is up to scratch, or safeguarded by bank- or “military-grade” protections, as the minister likes to claim.
And while the majority agree that there are benefits to centralising a health record, they have overwhelmingly rejected, in its current form, the health file the government has prescribed them.
The chance for a speedy recovery for My Health Record now lies with the Health Minister, along with Prime Minister Malcolm Turnbull, fixing myriad concerns with the legislation and implementation.
The key issues they face that must be resolved, however, are systemic and involve restoring trust. There are eight things the Turnbull government could do right now to fix this mess:
- Require a second factor of authentication for healthcare professionals beyond username and password;
- Set better default access restrictions. Optometrists shouldn’t be able to see everything, for instance;
- Tighten the legislation surrounding warrantless access by law-enforcement agencies and require, in law, judicial oversight before a record is released;
- Move back to opt-in, use existing funds to advertise the benefits of opting in;
- If this is truly about control, make the My Health Records Act 2012 exempt from the Archives Act 1983. That way, people can actually purge their individual records or whole record entirely, not just have them “cancelled”;
- Make it opt-in for your data to be used for research purposes (it’s on by default once you have a record);
- Make it opt-in for each individual piece of health data to be uploaded (“Healthcare providers do not need to explicitly obtain permission from the patient before accessing or uploading information” to their record, a government document states, though patients are able to say they don’t want records uploaded); and
- Revoke third-party apps’ access to the data. Companies such as Health Engine cannot be trusted to hold this data, especially given their past tendencies to sell it.
As it stands, the system is designed to be as accessible as it could be. And while that means it can (and should) be accessed in life-threatening situations by those who need it, it places convenience before security, meaning those with malicious intent can (and will) penetrate it.
What bad people do with that information could have dire consequences for human life, far more devastating than the benefits one might be likely to reap from a centralised record. Cast your mind back to when adultery website Ashley Madison was hacked, resulting in the deaths by suicide of multiple individuals, including a pastor. Now imagine what’s possible, if not probable, with this system, whereby someone with a stigmatised health issue is outed by hackers.
None of this is fantasy either. And it doesn’t even take hackers for things to go badly wrong. In June 2016, it was revealed in South Australia that five healthcare staff had been sacked for spying on patient records. The spying scandal erupted “after it emerged 13 clinicians had hacked into Cy Walsh’s medical records without authority, after the son of murdered Crows’ coach Phil Walsh was brought to Flinders Medical Centre after the stabbing at the family home last year”.
All 13 staff have since been “disciplined”, News Corp reported at the time, while at least a further nine patients had their records browsed without authority by at least 24 SA Health staff.
Now imagine up to 900,000 healthcare practitioners having access to all 25 million Australians’ records, without the need to ask for consent to view them, per government documents.
“You do not need the consent of an individual to view their record, and you can access an individual’s record outside of a consultation, provided that access is for the purpose of providing healthcare to the individual,” government documents, which should alarm anyone, state.
Not enough thought has been given to the privacy and security of My Health Record information. This is information that, if leaked, cannot be refunded. Once it’s pilfered, it’s gone forever.
And so it might come as a further surprise that some of the security protections used to secure the data are not in fact bank-grade or military-grade. Take, for instance, the fact that healthcare practitioners do not need to use two-factor authentication tokens, or codes, to access your records. In the military, such tokens, either software-based ones on smartphones or hardware fobs, are standard.
But in the My Health Record system, it is digital certificates and a healthcare professional’s computer username and password that protect the records. No key fob required.
And while in some instances hardware fobs are used to access a portal containing the records, healthcare practitioners are not required to access the records via this portal.
The only thing the government can do now is listen to the five former presidents of the Australian Medical Association, who are all calling for the opt-out roll-out to be delayed until all Australians can be truly informed about the risks the system poses to their information, so that they can make an informed decision about whether or not they should have a shared digital health record.