Industry calls for more caution over MHR system


As the Federal Government today pushes the button to create My Health Records for every Australian who wants one, industry figures have called for more transparency around the security and secondary use of the records, so that people can make more informed decisions about them. 

The industry has also raised concerns about data de-identification and re-identification, the need for a global approach to cybersecurity as healthcare digitises, the information security requirements of the future, and blockchain as a way to alleviate some of the challenges associated with the My Health Record system.  

On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in My Health Records Act 2012 without debate or division.

The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January, and from then on they can choose to permanently delete their record at any time.

The date of 31 January follows much deliberation from the Federal Government to extend the opt-out date. Australians initially had until 15 October 2018 to opt out of the national health database, or a My Health Record was to be created for them by the end of that year. 

But following the opposition calling for an extension to the opt-out period, the public outcry against the potential for the data to be shared with police and other government agencies, a leaked government document detailing the Australian Digital Health Agency’s response to concerns and a raft of changes recommended by the Senate Inquiry into My Health Record, the Federal Government pushed this date back and relaxed its stance on when Australians can opt in or opt out of the system.  

Australian Academy of Technology and Engineering (ATSE) President Professor Hugh Bradlow said the collection of health data across the population will result in better health outcomes as it not only shows how effective interventions are, but also allows treatments to be personalised based on the experience of thousands of other patients.

“New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.” he said. 

The Society of Hospital Pharmacists of Australia (SHPA) Chief Executive Kristin Michaels said the My Health Record debate highlighted the need for an integrated ehealth system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.

"All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” Michaels said. 

“More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on people’s lives. 

“[Hence] hospital pharmacists have long called for a shared, electronic patient data system that links up a fragmented health system and empowers patients in their own care."

The issue of security 

However, University of Melbourne Department of Computing and Information Systems Cybersecurity Senior Lecturer Associate Professor Vanessa Teague expressed her concerns around the privacy implications of secondary uses of My Health Records not being accurately explained.

"The My Health Record privacy policy says: ‘It is expected that most applications which are assessed will be for the use of de-identified data. This is where your personal details are removed from the dataset and you cannot be identified.’ Unfortunately, removing obvious personal details (such as name, location, and date of birth) does not securely de-identify the data,” Teague said.  

“Both doctors and patients can be easily and confidently identified in a dataset… In the case of patients, this means that a few points of information, such as the patient's age and dates of surgeries or childbirths, is enough to identify the person and thus, retrieve all their Medicare bills and PBS [Pharmaceutical Benefits Scheme] prescriptions for many years.  

“Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.” 


Teague said patients may choose to opt out of secondary uses of their data but are unable to make a “genuinely informed decision” if they are inaccurately told that their detailed record cannot be identified. 

“Even more importantly, those whose identifiable MBS [Medicare Benefits Schedule]-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier,” she said. 
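Teague's point that age plus a few procedure dates is enough to single a person out can be measured before a dataset is released. The audit below is an added example (not from the article or from any My Health Record code) run on a constructed sample of records that already have name, address and full date of birth removed; it reports the smallest group size (k-anonymity) and the share of records that are unique on their remaining quasi-identifiers, first at full precision and then after generalising age to 10-year bands and dates to years, which is the trade-off against scientific value that Teague describes.

```python
"""Audit how identifying the quasi-identifiers left in a 'de-identified' dataset are."""
from collections import Counter

# Constructed sample records (not real data). Direct identifiers are already
# stripped; what remains is age at release and the dates of billed procedures.
RECORDS = [
    {"id": 1, "age": 34, "procedures": ("2016-03-02", "2017-11-19")},
    {"id": 2, "age": 34, "procedures": ("2016-03-02", "2017-11-19")},
    {"id": 3, "age": 41, "procedures": ("2015-07-08",)},
    {"id": 4, "age": 44, "procedures": ("2015-07-30",)},
    {"id": 5, "age": 58, "procedures": ("2014-01-12", "2018-06-01")},
    {"id": 6, "age": 52, "procedures": ("2014-03-05", "2018-09-21")},
    {"id": 7, "age": 29, "procedures": ()},
    {"id": 8, "age": 29, "procedures": ()},
]


def quasi_key(rec, age_band=1, date_precision="day"):
    """Return the tuple of quasi-identifiers an outsider could match on.

    age_band=10 rounds age down to a decade; date_precision keeps "day",
    "month" (YYYY-MM) or "year" (YYYY) of each procedure date.
    """
    age = rec["age"] - rec["age"] % age_band
    width = {"day": 10, "month": 7, "year": 4}[date_precision]
    dates = tuple(d[:width] for d in rec["procedures"])
    return (age, dates)


def k_anonymity(records, **generalisation):
    """Return (min_k, share_unique) for the given generalisation settings.

    min_k is the size of the smallest group of records sharing a quasi-key;
    share_unique is the fraction of records that are the only one with their
    key, i.e. re-identifiable from those facts alone.
    """
    keys = [quasi_key(r, **generalisation) for r in records]
    counts = Counter(keys)
    min_k = min(counts.values())
    unique = sum(1 for k in keys if counts[k] == 1)
    return min_k, unique / len(records)


if __name__ == "__main__":
    # Full precision: half the sample is unique on age + procedure dates.
    print("raw:", k_anonymity(RECORDS))
    # Coarsened: every record now shares its key with at least one other,
    # at the cost of losing exact ages and dates for analysis.
    print("generalised:", k_anonymity(RECORDS, age_band=10, date_precision="year"))
```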

Harvard Medical School International Healthcare Innovation Professor Dr John Halamka also previously criticised the system for relying on outdated technology, saying that the $2 billion My Health Record was nothing more than “digitised paper”: it uses such “out-of-date” technology that crucial patient information on test results and diseases cannot be read or shared by computers.

University of Wollongong School of Computing and Information Technology Professor Katina Michael said health data breaches, for some, could have a huge impact. 

She used the recent example from Singapore, where 1.5 million Singapore health records were breached in a highly targeted effort on SingHealth. Among the breached health records was Singapore Prime Minister Lee Hsien Loong's personal records.

“What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place,” she said. 

"If we have learnt anything over the last four months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable.” 

Michael also speculated that blockchain initiatives may be ramped up to strengthen My Health Record security.  

“We will likely be told in the not too distant future that we wildly underestimated our security requirements and as such, must go one step further and protect our credentials,” she said. 

According to Professor Michael, this involves the implant of a 16-digit Personal Health Record (PHR) ID number into people that also reads vital signs while embedded. This technology then alerts first responders of ailments and medications without the need for the person to provide any information. 


ATSE’s Bradlow said the industry needs to be “realistic” about it as the danger of data leaking due to cyber hacking is as true as hacking any other data system. 

“Let’s remember that many [healthcare professionals] have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy. Within My Health Record, we can make it the default to require a patient access code,” he said. 

“A well-designed record system which is managed by a professional security organisation and has a clear audit trail, for example, provided by blockchain, can mitigate this risk significantly."

Source: Hafizah Osman, 31 January 2019, “Industry calls for more caution over MHR system”, https://www.healthcareit.com.au/article/industry-calls-more-caution-over-mhr-system

Note: Thank you Hafizah Osman— interestingly I was referring to the VeriChip experiment of the PHR that Dr John Halamka trialled for a short time and wrote about in 2006 here: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1656959/

Consumer Digital Touchpoints Online: It's messy

I asked everyone from Facebook to data brokers to Stan for my information. It got messy

It is almost impossible to understand your full Facebook data footprint. (Credit: ABC) 


28 April 2018

By technology reporter Ariel Bogle

Brands I've never heard of have my details.

Deciphering your Facebook data can be like leafing through a corporate-owned teen diary.

In 2007, one of my first comments was telling a friend she had a "fashionable mullet", but my online data footprint has exploded since then.

I downloaded my data from Facebook in an effort to understand how brands target me with personalised advertising — an activity that accounted for 98 per cent of the social giant's 2017 revenue.

Your name, age and location are the least of it. Every like, link and interaction can add to your profile, whether it's an inferred political preference — are you liberal or conservative? — or an interest in board games.

But as Wired has detailed, Facebook's data download provides an incomplete picture.

To fix that, I asked for my personal data (you can too, thanks to the Privacy Act) from everyone from data brokers to advertisers.

What did I find? That understanding who knows what about you online is a sisyphean undertaking. One that takes dozens of emails and almost one month.

What do data brokers know?

Ever heard of a data broker? If you haven't, that's no mistake.

"They rarely have a public presence," said Sacha Molitorisz, a digital privacy researcher at the University of Technology Sydney.

"My guess is there is an intuition somewhere there, that what they're doing might not be palatable to customers."

Data brokers are companies that may gather online and offline information — census data, surveys and purchase histories, for example — to create consumer profiles that they serve to advertisers.

In the market for a new car? An expectant mother? These are the types of insights they look for.

If advertisers want to reach these people, they can source special audience information from data brokers and target ads to them on Facebook.

This is allowed under Facebook's Partner Categories program, but after the Cambridge Analytica scandal, the company said it would be winding the option down.

A Facebook spokesperson said ad campaigns run this way would end by October 1, 2018.

For now, though, Facebook works with three providers in Australia: Quantium, Acxiom and Experian.

I contacted all three and asked for my personal data. All three said they had nothing — but that's not the whole story.

How am I targeted?

Earlier this year I was served a Facebook ad for 100% Pure New Zealand. Facebook told me it was based on a dataset provided by the data analytics firm Quantium.

But if Quantium doesn't have my personal details, how does it target me?

The tourism ad was sent to two consumer segments — "outdoor enthusiasts" and "travellers" — a Quantium spokesperson said.

The company received de-identified purchase data, likely from the Woolworths Rewards program, which was then used to create anonymous groups likely to purchase something based on their past shopping behaviour.

My de-identified data was probably in there. Then, apparently, Quantium matched it up with my de-identified data from Facebook.

"Publishers like Facebook de-identify their users' personal data utilising the same encryption algorithm used by Quantium," the Quantium spokesperson said.

"The de-identified data from both parties is passed into a secured anonymisation zone for matching purposes. This allows the two datasets to be matched without using any personal information."
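The matching Quantium describes is, in practice, both parties computing the same token from each email address and intersecting the token lists, so no plaintext crosses between them. The code below is an added illustration (not Quantium's, Facebook's or Stan's actual scheme) using HMAC-SHA256 with a shared key on constructed sample data; it shows the match succeeding only when both sides use the same key and the same normalisation, and why the result is pseudonymous rather than anonymous: the publisher can map every matched token straight back to the account it came from.

```python
"""Keyed-hash matching of two customer lists without exchanging plaintext emails."""
import hashlib
import hmac

# Constructed sample data (not real users or advertiser lists).
PUBLISHER_USERS = {          # what a publisher holds: account id -> email
    "u1": "Ariel.Reader@example.com",
    "u2": "someone@example.org",
    "u3": "third@example.net",
}
ADVERTISER_SEGMENTS = {      # what a data partner holds: email -> segment
    "ariel.reader@example.com": "travellers",
    " third@example.net ": "travellers",
    "nobody@example.com": "outdoor enthusiasts",
}


def normalise_email(addr):
    # Both sides must canonicalise identically (case, whitespace) or the
    # tokens for the same person will never match.
    return addr.strip().lower()


def token(addr, key):
    # Keyed hash: a party that does not hold `key` cannot compute a token for
    # an email it holds and test it against either list. The token is still
    # deterministic per email, so whoever holds the key can re-link it.
    return hmac.new(key, normalise_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


def publisher_tokens(users, key):
    """token -> account id (the publisher keeps this mapping)."""
    return {token(email, key): user_id for user_id, email in users.items()}


def advertiser_tokens(segments, key):
    """token -> segment label (what the partner sends to the matching zone)."""
    return {token(email, key): seg for email, seg in segments.items()}


def match_in_zone(pub_tokens, adv_tokens):
    """The 'anonymisation zone': sees only tokens, returns account id -> segment."""
    shared = pub_tokens.keys() & adv_tokens.keys()
    return {pub_tokens[t]: adv_tokens[t] for t in shared}


def run_match(publisher_key, advertiser_key):
    """Run the whole exchange; keys differ only if the two sides never agreed one."""
    return match_in_zone(publisher_tokens(PUBLISHER_USERS, publisher_key),
                         advertiser_tokens(ADVERTISER_SEGMENTS, advertiser_key))


if __name__ == "__main__":
    shared_key = b"constructed-shared-secret"
    print("same key:", run_match(shared_key, shared_key))   # u1 and u3 matched
    print("different keys:", run_match(shared_key, b"other"))  # nothing matches
```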

In some cases, it gets more mysterious.

In Settings, Facebook lists the advertisers it says are running ads, using contact lists they uploaded to the platform.

Experian said it had no personal information about me, but Experian Data Quality is listed as having uploaded my contact information to Facebook.

A company spokesperson said it could not confirm why I was connected to Experian Data Quality.

"Based on the information you provided to us, we again confirm that Experian's Data Quality and Targeting (Marketing Services) in A/NZ does not hold any personal information on you," she wrote in an email.

Who else has your email?

Brands are only meant to upload contact lists to Facebook for advertising if they have permission to do so.

In the case of the video streaming service Stan, seeing its ad on Facebook made sense — I'm a subscriber, and apparently, I've watched the TV show Billions.

A Stan spokesperson said the ad I saw was intended to remind people "who may be fans of the show" that a new season was available.

It does this to highlight content the company thinks subscribers are interested in, using its internal analytics.

"We matched your encrypted email to data held by Facebook to facilitate the surfacing of that content," she added.

(I also asked for all my personal data from Stan, and the hours of television I've watched makes for a terrifying spreadsheet, by the way.)


The contact list mystery

But Stan is not the only brand that has my information.

As I write this article, there are more than 300 brands that Facebook lists as having my contact information — the majority of which I've never heard of.

There's a sushi restaurant in Perth, for example, called Tao Café. I've never visited.

I got in touch, and Tao Café office manager Annette Sparks was equally baffled about its appearance on my list.

But she said that the food delivery company Deliveroo ran ads on behalf of the company, and suggested that's how my contact details may have been bound up with the sushi venue.

So, onto Deliveroo.

While they couldn't discuss my personal situation, a spokesperson said Deliveroo does provide "marketing support" to its restaurant partners — essentially, it runs ads promoting them as part of the delivery service.

Did Deliveroo then share my email with cafes from Perth to Singapore? The company said no.

"Under no circumstances does Deliveroo share any customer details with restaurants or other third parties as part of these marketing campaigns," the spokesperson said.

I'm left none the wiser about why Tao Café was on the list — and there are other mysteries too.

According to Facebook's list, various American political candidates have my contact information.

As does the official Facebook page of the actress Kate Hudson.

What can I do?

Mark Zuckerberg has said Facebook users own their data, but it's an unusual kind of ownership.

Ownership feels largely meaningless when your data is scattered around the internet.

There is no one company to blame. The architecture of online advertising is set up this way.

"The issue is that in the digital space … personal data is very much sought after, and there are all [kinds of] different players who stand to benefit from access to that data," Mr Molitorisz said.

"There needs to be greater transparency with how our data is used."

This is the reality of surveillance capitalism, according to Professor Katina Michael, a privacy expert at the University of Wollongong.

Our data is a valuable commodity, and time is not on our side when it comes to understanding who wants it and where it's going.

"We don't measure it, we don't write it down like we do calorie-controlled diets," Professor Michael said. 

"We don't realise how much we're giving away."

Source: Ariel Bogle, April 28, 2018, "I asked everyone from Facebook to data brokers to Stan for my information. It got messy", ABC Radio National, http://www.radioaustralia.net.au/international/2018-04-28/i-asked-everyone-from-facebook-to-data-brokers-to-stan-for-my-information-it-got-messy/1752610

Mandatory Data Breach Notification (2017 Amendment to Privacy Act)

Today I had the pleasure of speaking to Meredith Griffiths, a reporter at the ABC, on the newly enacted Mandatory Data Breach Notification (MDBN) scheme that takes effect on February 28, 2018.

Some of the main points I made in the interview with the help of my colleagues at the Australian Privacy Foundation (primarily David Vaile) were:

MDBN doesn't go far enough because:

  1. small businesses with less than $3m annual turnover are exempt from MDBN
  2. self-assessment of "serious harm" is ambiguous (on what test do companies come forward? and only if the PC agrees it is serious? what if it is slightly serious on one view and very serious on another; do companies take the easy way out and not disclose?)
  3. companies are given 30 days to make a data breach notification to the privacy commissioner (too long for customers to be kept in the dark, and thereafter how long might it take the Privacy Commissioner to determine 'seriousness' and/or publicly respond with an unenforceable determination?)
  4. what about data breaches offshore (how do Aussies respond to the loss of their PI abroad)?
  5. what about 'open data' re-identification through AI/machine learning?
  6. the OAIC is overloaded and slow, and its determinations are also unenforceable and very rare.

So where does this really leave us? We have a law that neither prevents breaches of personal information nor compensates individuals for privacy breaches. What we need to do is consider the outcomes of the ALRC's 2008 report, which stipulated that we need a tort on the serious invasion of privacy so that individuals CAN sue other individuals (like hackers), companies (like Google) or government agencies for breaches of their privacy (whether accidental, deliberate or through some form of negligence).

The lack of auditability of the new law means that current practices that rely on de-identification to safeguard people's personal information, say in the case of OPENGOV data initiatives, may not be enough down the track as the threat increases from machine learning algorithms that can look at patterns of information and single out individuals, like finding a needle in a haystack. The issues of going down this path are grave, including the potential for re-identification and for bringing several disparate treasure troves (social media data, government data and personal records) together to be analysed.

Links to MDBN include:

https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018

Having a statutory tort of serious invasion of privacy (like in the UK and US) or a common law tort (like in New Zealand), allows individuals to sue other entities depending on the severity of the privacy breach. Why is Australia lagging so far behind other advanced digital nations? When will this legislation be amended?

Already, we are seeing large ICT companies set up "shop-fronts" in Australia with NO enforceable penalties for international misdemeanours when it comes to amassing treasure troves of data, and for data breaches offshore. How do we hold these companies accountable when they are taking in a lot of business from Australian consumers and yet seem to be let out in the "wild" to do as they please, storing data in the Cloud either in the USA or Ireland? Bruce Schneier called this "data as a toxic asset". As the toxicity rises, we can expect major pollution spills.

For now, at least we can say that the MDBN is a step in the right direction, despite the fact that it falls short through exemptions and loopholes. It can have some reputational impact on "data addicts" that don't do the right thing by their subscriber base, but little more. Sadly, large corporations can absorb this reputational damage within their "risk appetites". The fines are also "measly" when it comes to government or regulatory action, and so corporate and government entities in particular are left to their own devices here in Australia. While well-meaning, it seems that it is nothing more than a theatrical show: data hosts are still not responsible for bettering their security practices or urgently responding to and fixing a breach.

Data is a bit like mental illness. You can't see it. It is not tangible. You cannot put a price on mental health, and you cannot put a price on your personal data. While we can manage damage to property very well, because we can see a scratch on a car, or the loss of inventory, we cannot see data as we see a broken arm.

We already have very weak Privacy Legislation; Australia needs to get serious, as Europe has (through the General Data Protection Regulation, considered the gold standard), about the value of personally identifiable information (PII). Both Liberal and Labor governments need to listen to the commissioned reports by the Australian Law Reform Commission, and act on the implementation of statutory tort legislation with respect to intrusions of privacy. There is no reason why this has not happened yet.