As the government rolls out its My Health Record database, a major hack of a similar system in Singapore has highlighted the vulnerabilities of high-tech record sharing. By Lizzie O’Shea and Justin Warren.
The positives and perils of My Health Record
Last week, Singapore’s ministry of health admitted information from 1.5 million citizens had been copied in “a deliberate, targeted, and well-planned cyber attack” by hackers who were specifically going after the personal data of the country’s prime minister, Lee Hsien Loong. It took authorities a week to detect the breach, which, to be fair, is relatively fast given the average organisation takes more than six months.
The story came at an awkward time for the Australian government, at the end of the first week of the opt-out period for the My Health Record system; a week dogged by controversy.
My Health Record is a centralised database designed for sharing health information. In its ideal form, the system would mean any health-care professional around the country could access some of your medical records with just a click. Despite its origins in 2012 as an opt-in program, the Turnbull government changed the system to opt-out in 2016 – a move former Labor health minister Nicola Roxon had warned would be “a serious mistake” back in 2011. Australians have until October 15 to opt out. Everyone who does not opt out will have a record created for them automatically.
While there is bipartisan support for My Health Record as a concept, cracks appeared this week as Labor backbencher Pat Conroy called for the system to revert to opt-in, and Liberal MP Tim Wilson also declared he had withdrawn from the scheme. Labor has called on the government to extend the opt-out period.
In 2014, Britain’s National Health Service experimented with a similar program called care.data, which was highly controversial. Care.data was suspended before being scrapped in 2016 after a review, and it was revealed that patient data had been sold to insurers. Tim Kelsey, who led the program, is now the chief executive of the Australian Digital Health Agency (ADHA), which is responsible for My Health Record.
The question is whether Australia will be able to succeed where others have failed. Is My Health Record fit for purpose, or another accident waiting to happen?
Multiple experts have raised concerns about weaknesses in the system’s security and privacy controls. With an expected 900,000 medical professionals and more than 12,000 organisations having access, a breach could be only a matter of time. “With so many points of access, there will be people who do the wrong thing,” said Dr Trent Yarwood, an infectious diseases physician and health spokesman for digital advocacy organisation Future Wise.
The movie-plot hack of nefarious thieves in dark hoodies copying the entire database is certainly possible – as the experience of Singapore’s SingHealth shows. But there are other more mundane risks. A snooping spouse could use details pilfered from a wallet or purse to log on and browse through records. A mistake at the GP’s office could lead to sensitive test results being uploaded to the wrong patient’s record. Data breaches like these have already occurred, and more are likely if the system becomes popular. They are also very difficult to guard against in a system that defaults to sharing your data widely.
Vulnerable people, such as refugees and survivors of family violence, are particularly at risk. “It is vitally important that no sensitive health information, or any information that can identify the whereabouts of victims or family of domestic violence gets into the wrong hands,” said Di Fraser, Queensland’s minister for women and child safety. Fiona McCormack of Domestic Violence Victoria says technical abuse is now a standard feature of family violence. “Given perpetrators routinely gain access to their partners’ email, social media and computer passwords, as well as their mobile phone data, it’s not unreasonable to expect that they will also seek to gain access and monitor their partners via My Health Record,” she said. “Women may well be dissuaded from using health services for fear of being targeted.”
Dr Monique Mann of the Australian Privacy Foundation is concerned about who can access the system. “[My Health Record] is being packaged and sold for health reasons, so why do other agencies require access?” Although the government has said information will not be shared with law enforcement without a warrant, Mann points out that the governing legislation does not impose this requirement. The Australian Parliamentary Library took the unusual step of joining the debate on Tuesday, observing that “unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.” Health Minister Greg Hunt nonetheless rejected this claim, describing it as an error in analysis, stating that the policy was “clear, unchanging and absolute[ly] unconditional”.
Such a regime creates a deterrent for people seeking treatment for health concerns that intersect with criminal law, such as drug addiction or – in some parts of the country – abortion. It might also make doctors think twice as they learn more about the program. “It’s a very different model to current medical records, which are controlled by the doctor or clinic,” says Yarwood. He believes many doctors would never allow paper records to be used in this way and do not have the technical knowledge to be able to properly inform patients. “If you upload something to My Health Record, then you should consider the risks of your upload, not devolve responsibility back to the patient for not locking it down,” he says.
Many are also concerned about secondary uses of health data by non-government entities. The chief executive of health insurer NIB, Mark Fitzgibbon, showed his hand early, declaring “we desperately need this data to make the world a better place”. Local appointment booking app service HealthEngine got into hot water just last month when it was revealed to have shared patient information with personal injury lawyers. HealthEngine is one of several apps that have been granted access to the My Health Record platform, and ADHA scrambled this week to toughen the language in its contracts with app providers.
The controversy generated by My Health Record is unsurprising to many government technology watchers. They argue this is part of a long history of poorly executed big data projects by the Australian government. The online census and the data matching of tax and Centrelink records both ended in scandal, and yet the government does not seem to be learning from its mistakes.
As the Senate committee inquiry into digital delivery of government services reported this month, “Digital transformation is a policy area beset by soaring rhetoric and vague aspirations by government, largely unconnected to the actual policy activities actually undertaken.”
“There is a neoliberal ideal in government that we can make everything more efficient with technology,” says Mann. “But these big data omnishambles show the opposite is true.” She attributes the poor design and implementation of these technology projects to a failure to consult or collaborate with civil society. “These blunders are becoming entirely predictable. We have been saying this would happen but they do not listen.”
There are inherent tensions in designing a system that is secure and private but also designed to share information with multiple parties. Centralising data collection provides economies of scale, but without necessarily benefiting individual patients. A single, consolidated health dataset is extremely valuable for researchers, but also for insurers and cyber thieves. A distributed system, where each person retains control over their own information, would be more secure but it would also make easy sharing of data challenging.
When these large projects fail, the public tends to lose the genuine benefits they can provide. “Medical communication is actually a really important patient safety issue,” says Yarwood. Doctors and patients want to move beyond archaic systems, yet imposing myriad risks in exchange for relatively few benefits doesn’t feel like a fair trade. “There is lots of stuff on there that is not clinically useful,” says Yarwood, “And I can’t honestly say the benefits outweigh the risks.”
Tim Singleton Norton, chair of Digital Rights Watch, believes there must be a social licence for the program – a broader need for a culture of data sovereignty where medical information is understood as something that belongs to you but can be voluntarily contributed to public causes, rather than something that is harvested without informed consent. “We must ensure that platforms and corporates are operating under a rights-based framework, and that governments are equipped and willing to protect those rights,” he said. “People need to trust government that they are going to treat their information with respect, and not be lobbied to hand it over to private companies or convinced to give it away to law enforcement without proper safeguards.”
The government is reluctant to acknowledge everything is not going as smoothly as expected. But ignoring these problems will not make them go away. The independent reviewer of Britain’s care.data program, Dame Fiona Caldicott, observed, “Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests.” After her report was published, the program was scrapped. The Australian program may yet face a similar fate.
This article was first published in the print edition of The Saturday Paper on Jul 28, 2018 as "Health share debate".