Australia's new digital health strategy has been labelled “incomplete”, with critics claiming it is short on detail about how sensitive medical records will be secured.
Australia’s state and territory health ministers approved the Federal Government’s “Safe, seamless, and secure: Evolving health and care to meet the needs of modern Australia” strategy at a COAG meeting on Friday, giving the green light to automatically sign up citizens to My Health Record by 2018, with an opt-out function. By 2022, all of the nation’s healthcare providers will be connected to the digital platform.
But some, including managing director of IT consultancy PivotNine, Justin Warren, have raised concerns about a lack of detail.
“The strategy document is heavy on breathless positivity, and light on concrete detail about how it will achieve its lofty goals. Indeed, it doesn't specify concrete goals in many places at all,” he said.
According to Warren, information security is difficult to achieve, particularly when numerous apps and platforms will be allowing healthcare providers such as GPs, hospitals, pathology services, specialists and pharmacies to access the same system.
“What I've seen so far doesn't inspire confidence that the very real security issues are being adequately addressed,” he said.
“For example, when your myHR is created, it defaults to an ‘allow all’ access so that all health providers who provide you with services can see all your information.
It's not clear how myHR knows if a provider is one you deal with, so it would seem that any provider who can look you up would be able to see your data.”
The opt-out mechanism also appears to be flawed, he said, as a person’s record isn't deleted if they opt out but instead simply locked.
For Warren, #CensusFail, #notmydebt, the ATO's ongoing woes, the publishing of identifiable medical data by data.gov.au and the recent discovery of Medicare numbers up for sale on the dark web show the government doesn't have a good track record with cybersecurity, and the strategy doesn’t allay his concerns.
“They can't just sit back and expect us to trust them. They don't have the required track record of trustworthiness, so they need to work harder to prove they can be trusted, and they don't seem to be inclined to,” he said.
“The lack of detail concerns me a lot, because if privacy and security were really a priority, those parts would have been designed in already and we'd have a good understanding of how the processes would work. We don't.”
The Australian Medical Association, the Royal Australian College of General Practitioners, the Pharmacy Guild of Australia and the Pharmaceutical Society of Australia, as well as the Consumers Health Forum, Medical Software Industry Association and Health Informatics Society of Australia voiced their support for the strategy in the ADHA’s media release on Friday.
But medical specialist and a spokesperson for technology thinktank Future Wise, Dr Trent Yarwood, who has opted out of My Health Record, claims the digital health strategy “completely fails” to address how the Federal Government will secure health information on the portal in light of recent IT breaches.
“I have very little confidence that the myHR data will be managed any better, and don't believe that the potential health benefits justify the privacy risk associated with making healthcare data like this available to myHR,” Yarwood said.
In the 2015-16 financial year, the Office of the Australian Information Commissioner received a mandatory data breach notification that MyGov accounts had been linked to the My Health Records of incorrect recipients, and another two notifications of unauthorised My Health Record access by a third party.
According to Yarwood, the strategy also assigns benefits to digital health that “will not ever occur”, such as patients no longer needing to repeat their medical histories to successive healthcare workers.
For health practitioners, My Health Record will also impose additional bureaucracy.
“Posting billing and quality data online for specialists, who work mostly as sole traders or contractors, will be a major imposition of red tape on medical specialists,” Yarwood said.
My Health Record is “insecure, clunky, evidence-free and not liked by clinicians,” according to health IT consultant and commentator on the field Dr David More.
“If it was useful for them they would have adopted it – as would have the public – but they have shown their indifference by needing to be dragooned into having a health record compulsorily,” More said.
Describing the strategy as incomplete, he said ADHA’s Framework for Action, to be co-designed with industry, governments and healthcare providers by 2022, will determine the success or otherwise of the My Health Record rollout.
“So we have to wait to see any concrete plans with their associated costs, benefits, timetables and so on. It is this implementation plan that will be the making (or not) of the total package, of which I would argue we have now a good deal less than half I would suggest.”
According to the strategy, state and territory governments, private hospitals, aged care service providers, and community health services are investing in clinical information systems and ADHA would work to achieve integration across the range of technology, with a draft interoperability roadmap available in late 2018.
“By the end of 2018, a public consultation on draft interoperability standards will confirm an agreed vision and roadmap for implementation of interoperability between all public and private health and care services in Australia,” the strategy says.
“Base-level requirements for using digital technology when providing care in Australia will be agreed, with improvements in data quality and interoperability delivered through adoption of clinical terminologies, unique identifiers and data standards. By 2022, the first regions in Australia will showcase comprehensive interoperability across health service provision.”
To More, who says “we have been running around this track for a fair while already without getting anywhere much nationally,” the lack of detail could show that lessons have been learned from the mistakes of the past.
“What we have to date is a marketing document (largely for the myHR) for politicians to keep their interest up,” More said.
“We all remember how the 2008 National E-Health Strategy was agreed and approved by COAG but never funded so it never went anywhere. That plan actually had some real projects and objectives. I wonder will this vaguer one be easier to swallow.”