My Health Record: privacy, cyber security and the hacking risk
From today, Australians will have three months to opt out of a new digital medical record that can hold on to information for up to 30 years after they die.
The digital record, My Health Record, will be automatically set up for every Australian unless they opt out before 15 October.
It will track Australians’ allergies, medical conditions, previous or current medication, test results and anything else that is uploaded by your doctor – and share it between medical providers.
Doctors say it will improve the quality of care but others are urging people to opt out due to privacy and cybersecurity concerns.
So what are the pros and cons of My Health Record?
My Health Record has the backing of all of Australia’s peak health bodies, including the Australian Medical Association, the Royal College of Australian GPs, the Pharmacy Guild of Australia and others.
The president of the AMA, Dr Tony Bartone, said it would improve the care that patients receive.
“It will assist in reducing unnecessary or duplicate tests, provide a full PBS medication history (thus helping avoid medication errors) and be of significant aid to doctors working in emergency situations,” he said.
“My Health Record will support practitioners, particularly those who may be seeing a patient for the first time, to have access to the information they need to best care for the patient.”
Currently, 5.9 million people already use My Health Record and 6.46 million medical records have been uploaded to the system. A total of 6,498 GPs, 3,273 pharmacists and nearly a thousand hospital organisations have used it.
Bartone said privacy concerns were understandable and patients should make an informed decision whether to opt out.
“Health information is highly sensitive and we, as doctors, understand that,” he said. “My Health Record gives individuals absolute control over what data is in their record and who is able to view it. This will go a long way to allaying concerns about privacy.”
A spokeswoman for the Digital Health Agency, which is overseeing My Health Record, said it was a myth that newborn children would be automatically signed up.
Parents can exclude their current children under 18 from My Health Record when they opt out and are given the choice with newborn children. New immigrants will also be given the opportunity to opt out.
The privacy problem
But privacy advocates say that, even with the safeguards, the system takes too much information, stores it too simply and shares it too freely.
If you cancel your record, any information already there will be retained for 30 years after your death or 130 years after your birth (if the date of death is unknown).
Any person who downloaded and stored your record will still be able to view that version of it after you cancel your record.
Bernard Robertson-Dunn, from the Australian Privacy Foundation, described it as an “uncontrolled, uncurated, data dump”. He said sensitive information could be shared with irrelevant people.
“Better sharing of health data among health professionals is a good thing – as long as it is done in a controlled manner,” he said. “But if somebody has mental health issues, you don’t want that shared with a dentist or someone who looks at your feet.
“An ex-partner or someone stalking a patient could get at that health information. If you’re at risk from someone, that person might access data about you that identifies where you live or what doctor you’re using.”
He added that certain conditions still carried a stigma that made patients vulnerable to their information being misused.
“If somebody has a medical condition that might result in discrimination – specifically HIV or mental health problems – they don’t want their data shared. There’s vulnerable communities – the gay community, the HIV community, mental health sufferers – who feel at risk.”
Ralph Holz, an expert in cybersecurity from the University of Sydney, said it was also an issue that My Health Record was so centralised.
“It would be safe to assume that some attack is going to be successful,” he said. “There will be some data loss. That is inevitable. The contingency plan with how to deal with that is what is important.
“We always see a problem when we keep data in one place, especially if it is data that is a complete profile. There is a saying in computer science: once the data is out, it’s out. You can never get it back. The danger in building such systems is that it’s enough if they fail once.”
Holz said a breach would not affect individual patients but rather the system as a whole – hackers could use the data to hold the department to ransom, or release the data to third parties.
What are the safeguards?
Patients who don’t opt out of My Health Record but still want to control their privacy can ask for specific documents not to be added to the record, or remove them once they are up.
They can also restrict access to their record by setting special codes. One code – a record access code – blocks access to a patient’s entire record unless a user has their four- to eight-character code.
Another code can be used to lock individual documents from access.
Users can also track every instance when their record is accessed. Alerts can be set up to flag when this happens.
However, Robertson-Dunn has pointed out that, once your record is downloaded or copied, that new version can be accessed or shared without notifying you.
The Digital Health Agency said any practitioners who downloaded information to their own system were still subject to Australian privacy laws and access was audited by the Australian Digital Health Agency.
Robertson-Dunn said the system should be reformed in two main ways: decentralising it so that information is stored with medical providers rather than the government, and making My Health Record opt-in rather than opt-out.
“I wouldn’t give a stuff about my privacy if it helped me get better,” he said. “It is dynamic and it depends on context.”