Good systems analysis requires adherence to a simple recipe – understanding who the stakeholders are and their needs, establishing design goals and working collaboratively to attain them. So how can the My Health Record system, which began in 2012 as opt-in and changed to opt-out in 2018, be done better?
We like to think the stakeholders are healthcare recipients and providers Australia wide. We would regard privacy, security and utility of health information as key design goals. We would hope that the many design aspects (legislative, governance, administrative, medical and technical) would be developed in harmony.
Yet, all these aspects, when recently exposed to public scrutiny, have been found wanting.
Researchers at Deakin University Law School under Professor Danuta Mendelson were quoted in Australian Doctor in December 2016 saying, "The My Health Record system appears more suited to supply data for government agencies and researchers than it is suited to healthcare".
If the stakeholders were rightfully the Australian healthcare consumers and providers, we would be engaged in the design process, and the design goals of utility, security and privacy would be achieved.
Key to the design process is the question, "Does the electronic health data need to be in an online central repository?"
If the stakeholders are those wanting access to big data about healthcare recipients and providers, the answer is, "Yes." If the stakeholders are Australia's healthcare recipients and providers, that answer may be different.
Rights campaigner and lawyer Lizzie O’Shea drew a good analogy on Weekend Sunrise in July last year when she said, "When you centralise information like this … it becomes very attractive to hackers. We’re also putting power into the hands of government to decide how that information is to be used."
"You wouldn’t cut a house key for every single plumber in the city, or every house painter [and] electrician… The same is true here; 900,000 medical professionals and 12,000 organisations have access to these records. Why would you design a system like that?" she said.
Much has been touted about the benefits of, for example, treating doctors having ready access to an unfamiliar patient's data. The benefits are acknowledged, but they are assumed to be achievable only from a centralised repository of health data.
An online central repository accessible by hundreds of thousands of legitimate access points cannot be defended against cyber attack. An attacker need hack only one of these to gain access to every record in the database to see, copy and change at will.
A possible way forward
Germany implemented the first generation of its system of smart eHealth cards in 1993, and this was then developed into the second-generation eHealthcare card in 2017. Data stored on the second-generation German eHealthcare card includes the insured person’s name, date of birth, address, gender, insurance number and coverage status.
In addition, there is an option for additional personal data to be stored on the card with a person’s consent, such as emergency data and medication, allergies or drug intolerance.
Currently, data is accessible by authorised healthcare providers on presentation of the eHealth card. There is no need for a centralised repository, which could be hacked or used for purposes other than for healthcare.
If a card is lost or damaged, it is replaced by the issuing authority and data restored from the backup performed at the most recent healthcare consult. The data format is also not constrained by the physical design of the eHealth card memory chip.
In the near future, a new generation of cards is expected to facilitate the exchange of medical information necessary for treatment, with the inclusion of emergency data, electronic medication plans and electronic patient records on the card.
Some other main benefits of the new and improved system are said to include the prevention of redundant medical examinations by different doctors and the online update of administrative data.
As such, the benefits of an eCard-based system are:
- Patients control who, and only who, gets access to the data
- The entire database of health information is not held in a centralised repository connected to the internet
- Patients don't need to be concerned about what present and future governments, as well as other non-healthcare organisations, may do with their health data
- eCards are flexible about the way data may be stored and retrieved, enhancing the utility of healthcare data
- A comprehensive telematics infrastructure interface provides secure communication of health data (eScripts, eReferrals, test results, health insurance, etc.), updating the eCard at points of service.
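The access-control difference behind the first two points can be made concrete with a small model. The following is an added illustration written for this page, not code from the article nor from the German or Australian systems: it models the two designs the article contrasts (an online repository any authorised provider credential can query, versus records that a provider can read only while the patient's card is presented) and counts how many records a single stolen provider credential could reach under each. Patient and provider names are constructed sample data, and the backup copy held by the issuing authority is deliberately out of scope.

```python
"""Exposure of one compromised provider credential under two access designs.

Added illustration (not the article's code, nor the German or Australian
systems): a toy model of the two architectures the article contrasts.
All patient and provider names are constructed sample data. The backup
copy the issuing authority holds is deliberately not modelled.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    patient: str
    summary: str


class CentralRepository:
    """Online repository: any authorised provider credential can fetch any record."""

    def __init__(self, records):
        self._records = {r.patient: r for r in records}
        self._authorised = set()

    def authorise(self, provider):
        self._authorised.add(provider)

    def read(self, provider, patient):
        if provider not in self._authorised:
            raise PermissionError(f"{provider} is not an authorised provider")
        return self._records[patient]

    def reachable(self, provider):
        """Patients whose records a holder of this credential could read."""
        return set(self._records) if provider in self._authorised else set()


class CardHeld:
    """Card-held records: a provider reads a record only while the patient's card is presented."""

    def __init__(self, records):
        self._cards = {r.patient: r for r in records}
        # provider -> patients whose card is currently presented to that provider
        self._presented = defaultdict(set)

    def present(self, patient, provider):
        """Patient hands the card to the provider at the start of a consult."""
        self._presented[provider].add(patient)

    def withdraw(self, patient, provider):
        """Consult ends; the card leaves with the patient and access ends with it."""
        self._presented[provider].discard(patient)

    def read(self, provider, patient):
        if patient not in self._presented[provider]:
            raise PermissionError(f"{patient} has not presented a card to {provider}")
        return self._cards[patient]

    def reachable(self, provider):
        """Only patients currently presenting a card are readable by this provider."""
        return set(self._presented[provider])


def build_scenario():
    """Constructed sample: five patients, three providers, one consult in progress."""
    records = [Record(f"patient{i}", f"summary {i}") for i in range(1, 6)]
    providers = ["clinic_a", "clinic_b", "pharmacy_c"]

    central = CentralRepository(records)
    for provider in providers:
        central.authorise(provider)

    card = CardHeld(records)
    card.present("patient3", "clinic_a")  # only patient3 is currently in a consult
    return central, card, providers


def blast_radius(compromised="clinic_a"):
    """Number of records exposed if one provider's credential is stolen, per design."""
    central, card, _ = build_scenario()
    return {
        "central": len(central.reachable(compromised)),
        "card_held": len(card.reachable(compromised)),
    }


if __name__ == "__main__":
    print(blast_radius())  # {'central': 5, 'card_held': 1}
```

In the repository design the exposure from one credential is the whole database regardless of which provider was compromised; in the card-held design it is bounded by the cards that happen to be presented to that provider at the time, and it drops to zero once the consult ends and the card is withdrawn.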
A similar system could be designed for Australia, but the following need to be considered:
How do we make the data useful? It needs to be reliable, complete, up-to-date and stored in a manner which encourages meaningful, apt and rapid retrieval by the healthcare provider and associated recipient.
How do we make it secure? We make it virtually impossible for the data to be retrieved by unauthorised actors.
How do we make it private? We make it secure and prohibit use outside direct healthcare except only by informed explicit consent of the healthcare recipient.
It is possible for Australia to have an eHealth system that services healthcare providers and recipients as primary stakeholders, but Australia is a long way from making such a system a reality.
All aspects of the current My Health Record system design – legislative, privacy, health utility, security and technical – need a comprehensive overhaul.
To achieve this requires our governments to change the present system, which has shortcomings in legislation, privacy, healthcare delivery, security and technology.
There is a fundamental conflict between providing health data for government and non-government organisations, which the My Health Record system is geared to do, and providing an effective eHealth system which respects the privacy and trust of the patient-doctor relationship.
Specifically, privacy, the powers of the Minister to make rules, the substantial powers invested in the System Operator and the delegation of these powers need to be reviewed and changed (the original draft legislation commissioned by the Department of Health was substantially changed before presentation to the Parliament in 2012).
A focus on making the data relevant to immediate healthcare, rather than on its value as cohort data, needs to drive the use of My Health Record.
A realisation of the fundamental vulnerability of centralised data accessible over the internet needs to drive a new paradigm. The new paradigm must make it practically impossible for everyone's data to be viewed, copied, or changed by unauthorised actors.
This will allow for the use of data with informed consent, for example for research, so that it can be aggregated on a case-by-case basis rather than offering the totality of data by default as a smorgasbord.
The most succinct summary of My Health Record’s current state was given in a submission to the Inquiry by an unnamed person who "held a variety of roles at Commonwealth Department of Health":
"In my analysis, both the government and the system operator of My Health Record, the Australian Digital Health Agency... have grossly overstated the benefits to individuals of My Health Record... which is primarily a glorified Dropbox," he wrote.
"The primary functionality of My Health Record is to facilitate secondary data usage, for government and non-government organisations, and that it is they that will be the primary beneficiaries of the system.
"In terms of its usefulness for clinical practice and for individual health record management and tracking, it is not fit for purpose, although not entirely useless. This is primarily because My Health Record is about medical records storage rather than providing an up-to-date and accurate medical history overview that can be quickly drilled down into."
The only way the My Health Record can truly be Our Health Record rather than a "glorified Dropbox" is if a smart eHealth card system similar to what Germany has in place is adopted.
Paul Power is the head of IT Consultancy to the medical profession, Power Associates. He also appeared as a witness and made submissions to the Senate Inquiry into the My Health Record system in 2018 and the Senate Inquiry into the Medicare card data breach in 2017.
Graham Grieve counters the case for smart eHealth cards with the argument that smartphones would work better.