My Health Record – Is it an IT relic of the past and 'not fit for this purpose'?

The security of digital health information has been the subject of recent controversy. Australians should be able to make an informed decision as to who has access to their health information. They have until 15 November 2018 to opt out to preclude a My Health Record being created by the end of the year. As of September 2018, 900,000 Australians, 3 % of the population, have opted out.1

The creation of a My Health Record will effectively allow approximately 900,000 healthcare providers access to an individual's health information. This arguably provides a vulnerable interface open to malicious or criminal attacks and/or human error(s).

The laws underpinning the My Health Record as well as records held by General Practitioners and private hospitals currently permits the sharing of records with the police, Centrelink, the Tax Office and other government departments if the information is "reasonably necessary" for a criminal investigation or to protect tax revenue. This is concerning, particularly as some Australians have recently discovered that a My Health Record has been created without their knowledge or consent. Others have reported that their My Health Records attached to the myGov accounts of the wrong people.

IT experts have stated that the use of a Google function on the My Health Record opt out page, leaks information to Google's global servers which contravenes a privacy policy that data will be contained within Australia.

The creator of the FHIR2 standard, Grahame Grieve, who has provided technical advice to the My Health Record program since its inception, called for an overhaul of the national health information platform, which he says was built on technology that was state-of-the-art in 2007 and that the standards and overall design of My Health Record are "not fit for purpose".3

A leaked Australian Digital Health Agency document detailed numerous concerns about My Health Record, including doctors' being unable to sign up, unsecure details of children in care, a communications strategy which did not adequately reach vulnerable groups, technical problems and clinician burden(s) amongst other issues.

On 15 August 2018, the Senate referred the My Health Record system to the Senate Community Affairs References Committee for inquiry and report. The expected reporting date is 8 October 2018. The main reference items included, but were not limed to: the expected benefits of the My Health Record system; the decision to shift from opt-in to opt-out; the Government's administration of the My Health Record system roll-out; the necessary measures to address community privacy and security concerns and a comparison of My Health Record alternatives internationally.4

Few would deny the potential value to patients and clinicians of a national source of secure, accurate patient data, but the current access control arrangements arguably places confidential medical information at risk. The system is also heavily reliant upon patients and treatment providers uploading accurate data.

Whilst there is clear benefit in the centralization of data in order to facilitate a timelier and accurate diagnosis in certain circumstances, we await the outcome of the inquiry as to whether the My Health Record is deemed a fit and proper system to provide the requisite integration of secure health care data within Australia. According to Grahame, Australia is clearly lagging behind other countries, which is "holding back innovation and improvements to the Australian Healthcare system." 5

Like with any other industry, in order to improve the protection of health care information, cyber security requires ongoing collegiate commitment by many organizations. Even basic practices, such as informing staff about potential cyber scams and the importance of regularly changing passwords can go a long way towards protecting health information data.

Footnotes

1 CEO Tim Kelsey, of the Australian Digital Health Agency Submission 31, to the Senate Inquiry on the My Health Record August 2018, 20 September 2018

2 The Fast Healthcare Interoperability Resources standard is published through HL7 - the leading international healthcare standards provider http://hl7.org/fhir

3 Grahame Grieve, Director and Community Lead for the FHIR standard, Submission to the Senate Inquiry on the My Health Record August 2018, 7 September 2018 cited at

http://www.healthintersections.com.au/?p=2850

4 Parliament of Australia, My Health Record System, cited at https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Community_Affairs/MyHealthRecordsystem

5 Above at 3

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.