Industry calls for more caution over MHR system

hand.jpg

As the Federal Government today pushes the button to create My Health Records for every Australian who wants one, the industry has stepped out asking for more transparency around security and secondary use of the records to enable people to make more informed decisions about it. 

The industry has also voiced out about data de- and re-identification, a global approach to cybersecurity issues as healthcare digitises, information security requirements of the future and blockchain as a way to alleviate some of the challenges associated with the My Health Record system.  

On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in My Health Records Act 2012 without debate or division.

The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January and after then, they have a choice to delete their record permanently at any time.

The date of 31 January follows much deliberation from the Federal Government to extend the opt-out date. Australians initially had until 15 October 2018 to opt out of the national health database, or a My Health Record was to be created for them by the end of that year. 

But following the opposition calling for an extension to the opt-out period, the public outcry against the potential for the data to be shared with police and other government agencies, a leaked government document detailing the Australian Digital Health Agency’s response to concerns and a raft of changes recommended by the Senate Inquiry into My Health Record, the Federal Government pushed this date back and relaxed its stance on when Australians can opt in or opt out of the system.  

Australian Academy of Technology and Engineering (ATSE) President Professor Hugh Bradlow said the collection of health data across the population will result in better health outcomes as it not only shows how effective interventions are, but also allows treatments to be personalised based on the experience of thousands of other patients.

“New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.” he said. 

The Society of Hospital Pharmacists of Australia (SHPA) Chief Executive Kristin Michaels said the My Health Record debate highlighted the need for an integrated ehealth system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.

"All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” Michaels said. 

“More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on people’s lives. 

“[Hence] hospital pharmacists have long called for a shared, electronic patient data system that links up a fragmented health system and empowers patients in their own care."

The issue of security 

However, University of Melbourne Department of Computing and Information Systems Cybersecurity Senior Lecturer Associate Professor Vanessa Teague expressed her concerns around the privacy implications of secondary uses of My Health Records not being accurately explained.

"The My Health Record privacy policy says: ‘It is expected that most applications which are assessed will be for the use of de-identified data. This is where your personal details are removed from the dataset and you cannot be identified.’ Unfortunately, removing obvious personal details (such as name, location, and date of birth) does not securely de-identify the data,” Teague said.  

“Both doctors and patients can be easily and confidently identified in a dataset… In the case of patients, this means that a few points of information, such as the patient's age and dates of surgeries or childbirths, is enough to identify the person and thus, retrieve all their Medicare bills and PBS [Pharmaceutical Benefits Scheme] prescriptions for many years.  

“Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.” 

[Read more: My Health Record system data breaches rise | Game changer: Creator of FHIR writes about approaching critical mass and a growing data sharing revolution]

Teague said patients may choose to opt out of secondary uses of their data but are unable to make a “genuinely informed decision” if they are inaccurately told that their detailed record cannot be identified. 

“Even more importantly, those whose identifiable MBS [Medicare Benefits Schedule]-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier,” she said. 

Harvard Medical School International Healthcare Innovation Professor Dr John Halamka also previously criticised the system for relying on outdated technology, saying that the $2 billion My Health Record was nothing more than “digitised paper” as it uses such “out-of-date” technology that crucial patient information on test results and diseases are unable to be read or shared by computers.

University of Wollongong School of Computing and Information Technology Professor Katina Michael said health data breaches, for some, could have a huge impact. 

She used the recent example from Singapore, where 1.5 million Singapore health records were breached in a highly targeted effort on SingHealth. Among the breached health records was Singapore Prime Minister Lee Hsien Loong's personal records.

“What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place,” she said. 

"If we have learnt anything over the last four months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable.” 

Michael also speculated that there is the possibility of a ramp up of blockchain initiatives to beef up on My Health Record security.  

“We will likely be told in the not too distant future that we wildly underestimated our security requirements and as such, must go one step further and protect our credentials,” she said. 

According to Professor Michael, this involves the implant of a 16-digit Personal Health Record (PHR) ID number into people that also reads vital signs while embedded. This technology then alerts first responders of ailments and medications without the need for the person to provide any information. 

[Read more: Australia leads the world in personal control of electronic health records | Is the My Health Record technology out of date?]

ATSE’s Bradlow said the industry needs to be “realistic” about it as the danger of data leaking due to cyber hacking is as true as hacking any other data system. 

“Let’s remember that many [healthcare professionals] have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy. Within My Health Record, we can make it the default to require a patient access code,” he said. 

“A well-designed record system which is managed by a professional security organisation and has a clear audit trail, for example, provided by blockchain, can mitigate this risk significantly."

Source: Hafizah Osman, 31 January 2019, “Industry calls for more caution over MHR system”, https://www.healthcareit.com.au/article/industry-calls-more-caution-over-mhr-system

Note: Thank you Hafizah Osman— interestingly I was referring to the VeriChip experiment of the PHR that Dr John Halamka trialled for a short time and wrote about in 2006 here: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1656959/

What is the Internet doing to our heads?

We spend more time online than offline, so what is all this screen time doing to our heads?

Presenter/Producer: Cheyne Anderson
Presenter: Ellen Leabeater

Speakers:
Lawrence Lam - Professor of Public Health, University of Technology Sydney
Katina Michael - Professor, School of Computing and IT, University of Wollongong
David Glance - Director Centre for Software Practice, University of Western Australia

Think: Digital Futures is supported by 2SER and the University of Technology Sydney.

2ser.com/thinkdigitalfutures

Consider following below on SoundCloud.

Citation: Cheyne Anderson, Ellen Leabeater, Lawrence Lam, Katina Michael, David Glance, April 23, 2017, "What is the Internet doing to our heads?", 2SERFM Think: Digital Futures, https://soundcloud.com/thinkdigitalfutures/what-is-the-internet-doing-to-our-heads

Nice to see it made available here also: https://www.ivoox.com/what-is-the-internet-doing-to-our-heads-audios-mp3_rf_18287880_1.html

ANALYSIS: Human Microchipping Poses Dangers to Health, Privacy

WASHINGTON, April 30 (RIA Novosti), Lyudmila Chernova – Although hardly a
novel idea, microchipping humans arouses justified concerns about risks to health and
privacy, experts told RIA Novosti Wednesday.

“Along with the potential risks to health, there is a real risk to freedom and privacy, one
of the key purposes of RFID is the tracking technology. Besides, numbering people is
very dehumanizing. It turns you into a barcode on the package of meat that’s get
tracked like inventory,” said Dr. Katherine Albrecht, an RFID microchip and consumer
privacy expert.

Katina Michael, an associate professor at the University of Wollongong, echoed the
opinion, stating that implanting automatic identification technology for non-medical
purposes could entail the total loss of the right to privacy.

“There is a grave danger in it, as someone who gets an implant does not have control
over bodily privacy. They cannot remove the implant on their own accord. They do not
know when someone is attempting to hack into their device, no matter how proprietary
the code that is stored on the device, and no matter whether the implant has built-in
encryption,” Michael told RIA Novosti.

In 2007 Albrecht and Associated Press Reporter Todd Lewan revealed to the public
studies that showed microchips cause cancer when they are implanted into laboratory
animals. The finding led to the suspension the VeriChip company’s work.
“In our research we found that between one and ten percent of laboratory animals
implanted with radio frequency microchips developed cancer adjacent to and even
surrounding the microchips,” Albrecht said.

“Pacemakers can also cause cancer, but in a case of a pacemaker where the alternative
is literally dying, it is worth the risk. However, in a case of something like an
identification microchip or dosages of drugs being delivered to the body, that does not
make any sense. Most people would prefer to simply take those drugs themselves than
run the risk of an implant,” she added.

Dr. Michael also explained that implanting microchips is not new in the health industry,
as society has already adopted implantables for a variety of uses. However, implantables
for medical applications or for the identification of animals have a number of
documented health side effects in line with Dr. Albrecht’s opinion.

“People with microstimulators have described … varying levels of neurological response
that were not as prescribed, … or health implications such as infection, or even ongoing
stress,” said Michael, adding that there are a whole gambit of health issues that no one is
really studying properly.

The expert claimed that these kinds of technologies are being tested already, but have
not yet been approved by the FDA for use as medical devices.

However, Albrecht said that the FDA appears to have never looked at the studies
pointing to the dangers.

“One of the things I learned is that the FDA relies on the company that’s looking for the
approval to provide the evidence of the safety and of the danger of the product. They
don’t do independent research, and I think there is a very serious potential to having the
companies be the ones that determine the safety of their own product,” she said.

The VeriChip Corporation implanted identification microchips into diabetic and
Alzheimer's patients as a trial with Blue Cross Blue Shield in 2007. The trial was stopped
due to cancer risks.

In recent years, advocates of the technology have promised neural implants that could stimulate the brain to help people with depression, implants that would deliver certain
amounts of medication which may be remote controllable. The technologies involved
are not new, and neither is the argument on their appropriateness.

Tags: microchipping, privacy, technology

Lyudmila Chernova, April 30, 2014, "ANALYSIS: Human Microchipping Poses Dangers to Health, Privacy", Ria Novosti [РИА Новости], http://en.ria.ru/business/20140430/189481760/ANALYSIS-Human-Microchipping-Poses-Dangers-to-Health-Privacy.html