Sunday 29 July 2018

When it comes to My Heath Record the words horse, stable, door, spring to mind


In January 2016 the Australian Digital Health Agency (ADHA) became a corporate Commonwealth established under the Public Governance, Performance and Accountability (Establishing the Australian Digital Health Agency) Rule.

It has a board appointed by the Minister for Health in whose portfolio it is situated and the board is the accountable body of the ADHA.

Currently Mr Jim Birch AM, Chair. Mr Rob Bransby, Dr Eleanor Chew, Dr Elizabeth Deven, Ms Lyn McGrath, Ms Stephanie Newell, Dr Bennie Ng,  Professor Johanna Westbrook and Michael Walsh sit on this board.

The executive team is headed by Tim Kelsey as CEO, with Professor Meredith Makeham as Chief Medical Adviser and Bettina McMahon, Ronan O’Connor, Terrance Seymour & Dr. Monica Trujillo as the four executive managers.

ADHA is also the designated Systems Operator for My Health Record which currently holds the personal health information of 5.98 million people across the country and will add the remaining 19 million after 15 October 2018 unless they opt out of being included in this national database.

Given the potential size of this database the question of cyber security springs to mind.

It seems that the Australian Digital Health Agency has not been independently audited for cyber resilience by the Australian National Audit Office (ANAO) ahead of beginning the mammoth task of collecting and collating the personal heath information of those19 million people.

Australian National Audit OfficePotential audit: 2018-19:

Management of cyber security risks in My Health Record

The audit would examine the effectiveness of the Australian Digital Health Agency’s management of cyber security risks associated with the implementation and ongoing maintenance of the My Health Record system.
My Health Record creates a record of Australians’ interactions with healthcare providers, and more than 5.5 million Australians have a My Health Record. The audit would focus on whether adequate controls are in place to protect the privacy and integrity of individual records.

It seems that the Australian general public still only has the honeypot's dubious word that it cannot be raided by unauthorised third parties.

Prime Minister Malcolm Turnbull has reacted to growing community concern about the number of agencies which can access My Health Records with a vague promise of "refinements" and with this outright lie; "The fact is that there have been no privacy complaints or breaches with My Health Record in six years and there are over 6 million people with My Health Records".

The Office of the Australian Information Commissioner has recorded complaints and at least 242 individual My Health Records have been part of mandatory data breach reports in 2015-16 to 2016-17, with nine of the 51 reported breach events involving "the unauthorised access of a healthcare recipient’s My Health Record by a third party".

BACKGROUND

Intermedium, 8 May 2018:

Re-platforming options for the My Health Record (MHR) system will soon be up for consideration, with an Australian Digital Health Agency (ADHA) spokesperson confirming that a request for information will be released in the next few months to inform plans to modernise the infrastructure underpinning Australia’s mammoth patient health database.

An open-source, cloud-based environment has already been flagged as a possibility for the MHR by Department of Health (DoH) Special Adviser for Strategic trategic Health Systems and Information Management Paul Madden at Senate Estimates in May last year. He also said that the re-platforming decision was one of many “variables” that needed to be squared away to accurately gauge how much the MHR system will cost beyond 2019-20.
“The variables in there include the re-platforming of the system to an open source environment, using cloud technology… which will be something we will not know the cost of until we hit the market to get a view on that”, Madden said last year. “Our commitment is to come back to the budget in 2019 to paint out those costs for the four years beyond.”
ADHA is scoping out MHR re-platforming options early, with the existing contract with the Accenture-led consortium not set to expire until 2020. As the “National Infrastructure Operator”, Accenture is tasked with running and maintaining MHR’s infrastructure. The prime contractor works with Oracle and Orion Health to provide the core systems and portals behind MHR.
Accenture was awarded the contract to design, build, integrate and test the then-personally controlled electronic health record system (PCEHR) back in 2011, and has signed 13 contracts worth a total of $709.53 million with DoH in relation to the MHR in that time. With the original infrastructure now over seven years old, ADHA recognise the importance of modernising the environment supporting the MHR....

The Sydney Morning Herald, Letter to the Editor, 26 July 2018. p20:

What happens to medical records when opting out?

Dr Kerryn Phelps reminds us that, if people don't opt out, the My Health Records Act allows disclosure of patients' health information to police, courts and the ATO without a warrant ("My Health Record backlash builds", July 25). This would be in addition to "health information such as allergies, medicines and immunisations" available for emergency staff.

How can the access be restricted to emergency staff? How can only certain categories of information be released when allergies and medication are part of general medical notes? I was not reassured by "serious penalties relating to the misuse of information do not apply to accidental misuse" on the website. I opted out.

My GP has told me that, nonetheless, she will be obliged to upload my records - which sounds credible since I have formally opted out with the government, not with my doctor's practice. So what happens - does my health record get kicked off "the cloud"? What exactly did I opt out of?

Denise De Vreeze [my yellow highlighting]

No comments: