My Health Record extension highlights lingering security, privacy concerns

As healthcare breaches continue unabated, one-third of Australians are uncomfortable with centralised health records

Health minister Greg Hunt may have cited website interruptions as the reason for extending the opt-out period for the government’s My Health Record (MyHR) scheme, but the decision also gives more time to address privacy concerns that have seen frequently-compromised industry sectors rushing to boost data security.

More than 1 million Australians have already opted out of the scheme, which will consolidate and centralise sensitive medical information from a range of providers, and the final numbers are likely to be much higher after a last-minute stampede that this week sent the Department of Human Services’ opt-out website into meltdown.

It was an ignominious result for a strategy that has attracted scrutiny and criticism since it was announced. And despite the arguable benefits of an electronic healthcare record (EHR) – which the Australian Digital Health Agency (ADHA) has energetically spruiked with claims that EHRs can reduce prescription errors, improve service delivery to regional areas and better support cultural diversity – concerns over the privacy, security, and reuse of MyHR data have continued to taint the program’s adoption.

Best intentions had been scarred by the harsh reality of cybercriminal activity and its success in healthcare-related breaches such as the recent theft of 1.5m Singaporeans’ medical data.

The recently-released 2018 Unisys Security Index found that one-third of Australians are uncomfortable using a centralised EHR, with the top reasons cited as concerns over security and a feeling that they are not in control of their identities.

Such concerns also extended into the financial-services arena, with just 28 percent of respondents saying they are comfortable saving payment information and electronic keys onto phones or wearable devices for mobile payments.

And while 56 percent of respondents say they are comfortable using a single user ID and authentication to access multiple government services, just 41 percent said they were happy to do the same when accessing financial-services providers.

Such figures reflect a growing consumer awareness that “information is the new currency,” ForeScout senior director for Asia-Pacific and Japan Steve Hunter said in a statement. “Cybercriminals can steal health information and monetise it in various ways…. The reward from illegally trading private health data often renders it more valuable than credit cards.”

“Australian healthcare organisations need to build trust with Australian consumers, and the only way to do that is to demonstrate strong security measures that will keep individuals’ sensitive information private.”

Tighter controls aren’t stopping the breaches

The Australian Prudential Regulation Authority (APRA) recently issued new guidelines for financial-services organisations that squarely place the burden of cybersecurity on bank boards and require them to notify APRA of any serious security incidents.

Such reporting has this year filled out a picture of financial-services and healthcare industries that are struggling to deliver as much security and privacy protection as they need to.

Recent quarterly figures from the Office of the Australian Information Commissioner (OAIC) found that the rate of reported breaches had continued unabated, with an average of 81 notifiable data breaches every month and 45 percent of those involving financial information.

Health service providers reported 45 data breaches – 19 percent of the total 245 incidents reported during the September quarter – and health information was compromised in around 22 percent of cases.

Those findings modulate the impact of a recent global review that found Australian consumers have more control over their digital health information than in similar systems in 50 countries.

Only Australia and France allow individuals to edit or author parts of their record, the review found, while just 32 percent of countries allow individuals to request corrections to their data and 28 percent allow individuals to specify which healthcare providers can access their data.

“We know through the important national conversation that is currently occurring that Australians expect and deserve strong safeguards, choice and control when it comes to their personal information,” ADHA chief medical adviser Professor Meredith Makeham said in a statement.

“As the Agency responsible for My Health Record, we need to continue to improve the system in consultation with the Australian community and their healthcare providers.”

Australians now have until 31 January 2019 to opt out of the My Health Record program.
