A glitch that was said to be fixed in 2016 still may be a problem. A researcher has been told that 1,000s of pages have been produced about the issue in 2018 but under the FOI request they require $14,000 to release the info:
“To be absolutely clear, the agency rejects any assertion that there is any clinical risk to patient safety or longstanding problem unresolved since 2016,” a spokeswoman said.
Spot the weasel-words.
The agency identified 95 documents with 4,192 pages relevant to the request. But it said processing Badge’s request would cost $13,894.77, with a deposit of $3,473.69.
That price is a pretty sure sign that someone’s pathologically incompetent.
2 Likes
I, too, opted into MyHealth records several years ago, but decided to opt out during the opt-out period. Since my initial adoption of the scheme there have been many indications of federal incompetence in handling major computer systems and also their privacy issues. Think Robodebt, ABS census, ATO inability to keep systems active when under high load. I had also become more aware of the honeypot nature of the data being collected, the increasing effectiveness of hackers to access protected systems, and the inadequacy of security legislation to protect MyHealth data.
I was surprised to find, when I checked while opting out, that in spite of quite a busy medical interval including cataract surgery, gall bladder surgery and a shoulder reconstruction, all with many blood tests, X-rays, CT scans and MRIs, my MyHealth record had recorded … zilch.
This led me to recognise another danger of the MyHealth data system: while the data it contains might be accurate, there is no way to be confident it is complete. Doctors using MyHealth data in emergencies are likely to assume what they see is complete.
I am confident that my decision to opt out is in my best health interest. Which is sad.
6 Likes
Just preliminary and tentative notification … an elderly relative of mine recently got a spam call that was ostensibly about “My Health Record”. I checked with MyHealthRecord and they would not ordinarily be calling people up about MHR. So I suspect that the call was a scam. I suppose this is either a new angle for identity theft or a new angle for getting remote access to a computer - my rello was wise enough not to allow the call to continue long enough to find out what exactly the scam was.
Presumably the scammer is taking advantage of the fact that as MHR is now opted in by default, about 90% of people are “in” and hence the scammer can call at random and the scammer has good odds of not hitting someone who has opted out. (This is in stark contrast with, say, bank phishing scams where there are too many banks and most of the time I get scam emails for banks that I am not with and hence don’t even need to give a second look to.)
4 Likes
This could be why…
Businesses will continue to store records when not in MyHealth and possibly be easier targets for unauthorised data access than systems like MyHealth. This is likely becauses many businesses don’t have the save level of security or monitoring, or internal IT resources than the government and as a result may be easier to target for information.
1 Like
Backup, backup, backup. Any entity that relies upon data should back its data up - including an offsite backup that does not overwrite existing data. That way, any encrypted data that is backed up offsite will not contaminate the useful data and the business should be back up and running in less than a day with minimal disruption.
The cost of backup is falling all the time, while the cost of not having a recoverable backup continues to rise as we rely more and more upon data.
4 Likes
Indeed, they must. Shortcomings of the MHR system mandate that.
Records held by practitioners are in multiple locations. That makes them very difficult to target. MHR is a single, large, juicy target. Irresistibly tempting. The distributed nature of practitioner records is a coincidental security feature.
As originally proposed, the then PCEHR would have contained no information. It was intended only to link to existing record systems. As implemented, MHR relies on copies and summaries of selected information that already exists in practitioner records.
Quite apart from the fact that not all information will be copied to MHR (so there are risks that what’s needed won’t be there, when it’s needed), there are risks of transcription errors (the copy differs from the original). Conditions change over time. There’s a risk that information won’t be updated.
The only way to address the risks with any certainty is to mandate that all practitioners use a single, centralised records system. Quite apart from the horror that would trigger in the libertarian Right, there’s a risk (verging on certainty) that some Totalitarian Capitalist future government will privatise the system.
1 Like
You think that’s the biggest risk? Based on the last census, and the ever-increasing ‘security’ state with its draconian powers to stop ‘terrorists… oh, and paedophiles’, I suggest that future governments would much prefer to have control over all the data they can gain about their citizens. It’s a ‘free’ world, right? And war is peace (as our Department of Defence would attest).
2 Likes
Sadly so. If today’s “Insiders” interview with Angus Taylor is any guide, up is down and black is white as well. 
1 Like
Can someone remind me again why politicians are considered less trustworthy than prostitutes? (Sorry to any prostitutes who may feel unfairly maligned by this comparison - I had to go with the alliteration.)
You have selected quoted me in relation to what was originally posted (a it like the media grabbing sound bights to create a headline). Yes, in theory, a MyHealth record is more attractive to target since it will have potentially more comprehensive records than the same traditional data sets stored on multiple locations/servers around the country/internationally. However, risks to the MtHealth is different to that of these potential multiple location as outlined in the previous post…
Any more comprehensive data set is more attractive, but if such are more secure, then the individual centre/practice data sets will be hacked in preference as they are easier to do so. When enough are hacked, simple data enquiry will allow those with the data to potentially start making more comprehensive sets of individuals with multiple hacked records.
The other is one may have the option to have ones records only on MyHealth. Our own particular GP allows this to occur and GP health records are only loaded onto MyHealth if requested and not their own (suspect less secure) data management system. Their own system has a record indicating that their GPs need to access MyHealth for records. I would feel that the records in MyHealth are less likely to be hacked or compromised that that at the local centre/practice.
Not necessarily. As outlined above, most medial practitioner or specialist centres have lax security systems compared to that used over government data systems. In the past few years, these smaller practices/centres have been the target of hackers as they are easier to ‘break’ into sue to this more lax security. Some have been reported in the media, but there will potentially be score more that didn’t draw similar attention (as they may not have been known by the practive and/or they occurred prior to the mandatory reporting requirements). There are some examples which made the media:
https://www.healthcareit.com.au/article/medical-records-victorian-hospital-get-hacked
Like financial information hackers, it is financial providers which are hacked over the ATO, as the providers security is not up to the same standard as that of the ATO. If comprehensive data sets were only of interest to hackers, why has there not been any reported successful hacks of the ATO, where there are ongoing reports of hacks of financial information of financial service providers (and they do try but have not been successful like that of pervice providers)? The reason is the government continually invests in the security of its systems, like some in the private sector who only respond when a problem arises.
There have also been reports of data breaches in the MyHealth system, but these breaches did not relate to successful penetration of the system by hacking, but through unauthorised access through the portal by individuals who misrepresented/fraudulently gained access.
The claims that the MyHealth is a higher risk for hacking than individual service providers/practices/centres is a misnomer as evidence/reality has shown.
1 Like
Has anybody actually implied that?
Means that it’s at higher risk of being targeted. Can you deny that?
It’s not a comparison though. Criminals get two bites at the cherry - they can attempt to hack the medical practice and they can attempt to hack MyHealth. If either hack is successful then the personal information of the relevant patients is in the hands of the criminals.
More of a concern would be that once they have hacked the medical practice, there is no need to hack MyHealth because most likely the medical practice has authorised access into MyHealth and most likely the medical practice has unrestricted access to most records in MyHealth, whether the record relates to one of their patients or not.
3 Likes
Lately, I’ve had far more experience of the (NSW public) health system than I’d have liked. Mentioning MHR almost universally drew mirth. One ambulance officer laughed out loud. Even at this early stage, there have been instances of wrong information in MHR. We seem to have a potentially deadly situation.
From what I’ve seen over the past few months, the biggest issue is that the system relies on information being copied. The totality is vast and system resources are limited, so only a small subset can be copied. Already, there have been problems with information being transcribed inaccurately or not kept up to date.
Both sides of politics have a lot invested in MHR. I feel that, in a different political environment, we’d be hearing far more about the system from the health sector.
No piece of information should exist more than once (backups excluded). Achieving that requires records in every medical practice to be accessible and available. That implies that all systems are operational and interconnected, every minute of the day, every day of the year.
Relying on the Internet is asking for trouble, I gather that it’s possible to run logically-separated networks over the same physical infrastructure. We should establish a network dedicated to health. Of course, first we need the physical infrastructure. That’s a different issue, but one that we’ll need to address in parallel.
For a system to work as originally proposed (linking existing medical records), the records must be open and the data readily accessible. That effectively rules out proprietary closed source systems. There are plenty of alternatives though. We’ll need to standardise formats and access protocols. If the health sector can’t decide, then government will need to lead.
A lot of the problem is historical. Medical professionals are accustomed to working in isolation. I recently had test results mailed to my GP. Practice staff scanned the pages into their records management system. My GP then printed the scan and faxed it to a specialist with his referral. The specialist received a fax of a print of a scan. I saw the print; it looked like a 1-bit (black & white) scan of the colour original. We need to do better.
As a side note, watching my GP hunt & peck 1-finger type the referral was painful. What we can do about the fact that medical professionals are not generally typists, I don’t know. Maybe allowing voice-mail referrals (which would be even less accessible than PDFs)?
2 Likes
An article regarding medical apps providing users’ data to other parties, some of which are not even in the health industry.
2 Likes
Strangely, their hand-writing remains as incomprehensible as it has ever been. I have no idea how pharmacists manage to interpret these scribbles.
3 Likes
… maybe all the drugs are the same, its all placebo and nobody has a clue 
Either that or they activate the drugs to purpose based on chemicals in the water or signals to your electricity smart meter?
I think previously I mentioned my concerns with the operating philosophy of MHR when one of their partners, HealthEngine, was found to be profiting from selling patient info and was allowed to continue the relationship.
HealthEngine again in the news for poor conduct, let’s see if anything happens by way of termination from MHR. Is there anyone responsible for MHR?
3 Likes
While not condoning the actions of HealthEngine, is it correct to report the relationship between MyHealth Record (MHR) as a partnership?
I could find no description of the relationship as a partnership.
MHR advises that they have authorised Apps to access MHR records on behalf of individuals that have given the App permission.
Perhaps there is some more detail to come that can demonstrate if and how HealthEngine exceeded it’s authorisation in accessing any MHR data of an individual given it had permission from the owner of the data?
Or it was able to access records without authorisation?
In respect of HealthEngine’s actions MHR is very succinct and strict in what is not permitted (prohibited)!
Authorised third party apps give you secure ‘view only’ access to your My Health Record. These apps do not permit any storage of My Health Record information on their systems. They are also prohibited from using My Health Record information for secondary purposes – such as passing information to a third party.
If HealthEngine has not complied should it also loose access? It would send a very clear message to the share holder/s of all similar services. There are no second chances.
It’s also important to note that users of HealthEngine interact exclusively with the App when making medical appointments which is not part of the MHR functionality. Users are also providing personal information and medical information exclusively to Apps such as HealthEngine when making a booking or seeking a service?
Any misuse of this personal user data is outside of the MHR system, and likely not captured by the MHR protection?
P.S.
AFAIK you do not need a MHR to use or be part of HealthEngine. It creates a profile for you and also canvassed health professionals to bring patients (customers) to them in return for HealthEngines booking and client delivery systems.
1 Like
While not condoning the actions of HealthEngine, is it correct to report the relationship between MyHealth Record (MHR) as a partnership?
It was reported as such I recall. Maybe the misbehaving has lead to a modification of the relationship.
1 Like
