My Health Records System: Opt-in or Opt-out?
According to the Australian Government, My Health Record is an electronic summary of a person’s health information. Healthcare providers are able to add information about a consumer's health to their My Health Record, in accordance with the consumer’s access controls. This may include information such as medical history and treatments, diagnoses, medications and allergies.
Benefits of the My Health Record System
There is constant debate around the My Health Record system coming online in Australia by the end of 2018. Opt-in or opt-out? So far thousands have opted out, and some predict over 25% of Australians will have opted out by the November 15 deadline. My Health Record is a great idea in principle: all doctors could see the same information, removing duplicated effort and the unnecessary repetition of the same procedures or tests. The main benefit is that a centrally stored record will eventually make healthcare management easier and safer for patients and their doctors, and could be life-saving in an emergency. We have all been to the GP for a check-up and been asked the same questions we were asked last time: “Do you have any allergies?” or “What medicines are you taking?” Imagine GPs having access to this level of information immediately, especially in emergency situations where you may be unconscious or unaware of your surroundings.
Why are so many Australians opting out?
Almost 6 million people, 13,000 health professionals and around 6,500 GPs will be connected to the My Health Record system. But that’s where the problem starts. “The edge”, the term given to the users and devices that access the system, creates an enormous attack surface, and the information could be easily hacked. A third of all data breaches globally relate to health data, with Anthem Blue Cross being the largest breach, back in 2015, when almost 80 million patient records were stolen, including names, addresses, social security numbers and insurance information. We also had the WannaCry ransomware attack last year, where National Health System computers in the UK were encrypted, causing appointments to be cancelled and surgeries delayed.
More recently, hackers stole the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong, in the city-state’s biggest-ever data breach.
Closer to home, since the Notifiable Data Breach scheme came into effect in February, almost 50 disclosures have been from healthcare, making it the biggest target of hackers in Australia. As well as names, dates of birth and address information, hackers can also get access to someone’s prescription history, blood type and medical conditions, making the data more valuable on the dark web than credit card information.
How healthcare professionals can ensure data is kept safe
Now back to the My Health Record system. Health Minister Greg Hunt said "it's arguably the world's leading and most secure medical information system at any national level". The problem is not the system itself; it’s that healthcare workers are not trained in cybersecurity best practices, and it is common to have information on shared systems with generic credentials. Even where individuals have separate systems and passwords, it’s common for passwords to be easily guessed, or even written down on a Post-it note attached to the device. It’s also common for systems to remain unlocked throughout the day to make it easy to get to the information when it’s needed.
Is there a solution to this? You could make sure that all your systems are up to date on system patches and that you have a patch strategy to make sure you stay protected. You could also deploy an application whitelisting technology so that when a GP clicks on that email attachment that says ‘Test results’, the associated ransomware can’t execute locally and infect the machine. You also need a security awareness program to continually reinforce the threats of cyber-attacks, which may also help. The problem is that the attack surface is so vast that it’s going to be almost impossible to protect all 13,000 healthcare individuals accessing the system, and for that reason I think it’s only a matter of time before a breach on the system occurs.