Industry calls for more caution over MHR system

hand.jpg

As the Federal Government today pushes the button to create My Health Records for every Australian who wants one, the industry has stepped out asking for more transparency around security and secondary use of the records to enable people to make more informed decisions about it. 

The industry has also voiced out about data de- and re-identification, a global approach to cybersecurity issues as healthcare digitises, information security requirements of the future and blockchain as a way to alleviate some of the challenges associated with the My Health Record system.  

On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in My Health Records Act 2012 without debate or division.

The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January and after then, they have a choice to delete their record permanently at any time.

The date of 31 January follows much deliberation from the Federal Government to extend the opt-out date. Australians initially had until 15 October 2018 to opt out of the national health database, or a My Health Record was to be created for them by the end of that year. 

But following the opposition calling for an extension to the opt-out period, the public outcry against the potential for the data to be shared with police and other government agencies, a leaked government document detailing the Australian Digital Health Agency’s response to concerns and a raft of changes recommended by the Senate Inquiry into My Health Record, the Federal Government pushed this date back and relaxed its stance on when Australians can opt in or opt out of the system.  

Australian Academy of Technology and Engineering (ATSE) President Professor Hugh Bradlow said the collection of health data across the population will result in better health outcomes as it not only shows how effective interventions are, but also allows treatments to be personalised based on the experience of thousands of other patients.

“New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.” he said. 

The Society of Hospital Pharmacists of Australia (SHPA) Chief Executive Kristin Michaels said the My Health Record debate highlighted the need for an integrated ehealth system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.

"All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” Michaels said. 

“More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on people’s lives. 

“[Hence] hospital pharmacists have long called for a shared, electronic patient data system that links up a fragmented health system and empowers patients in their own care."

The issue of security 

However, University of Melbourne Department of Computing and Information Systems Cybersecurity Senior Lecturer Associate Professor Vanessa Teague expressed her concerns around the privacy implications of secondary uses of My Health Records not being accurately explained.

"The My Health Record privacy policy says: ‘It is expected that most applications which are assessed will be for the use of de-identified data. This is where your personal details are removed from the dataset and you cannot be identified.’ Unfortunately, removing obvious personal details (such as name, location, and date of birth) does not securely de-identify the data,” Teague said.  

“Both doctors and patients can be easily and confidently identified in a dataset… In the case of patients, this means that a few points of information, such as the patient's age and dates of surgeries or childbirths, is enough to identify the person and thus, retrieve all their Medicare bills and PBS [Pharmaceutical Benefits Scheme] prescriptions for many years.  

“Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.” 

[Read more: My Health Record system data breaches rise | Game changer: Creator of FHIR writes about approaching critical mass and a growing data sharing revolution]

Teague said patients may choose to opt out of secondary uses of their data but are unable to make a “genuinely informed decision” if they are inaccurately told that their detailed record cannot be identified. 

“Even more importantly, those whose identifiable MBS [Medicare Benefits Schedule]-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier,” she said. 

Harvard Medical School International Healthcare Innovation Professor Dr John Halamka also previously criticised the system for relying on outdated technology, saying that the $2 billion My Health Record was nothing more than “digitised paper” as it uses such “out-of-date” technology that crucial patient information on test results and diseases are unable to be read or shared by computers.

University of Wollongong School of Computing and Information Technology Professor Katina Michael said health data breaches, for some, could have a huge impact. 

She used the recent example from Singapore, where 1.5 million Singapore health records were breached in a highly targeted effort on SingHealth. Among the breached health records was Singapore Prime Minister Lee Hsien Loong's personal records.

“What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place,” she said. 

"If we have learnt anything over the last four months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable.” 

Michael also speculated that there is the possibility of a ramp up of blockchain initiatives to beef up on My Health Record security.  

“We will likely be told in the not too distant future that we wildly underestimated our security requirements and as such, must go one step further and protect our credentials,” she said. 

According to Professor Michael, this involves the implant of a 16-digit Personal Health Record (PHR) ID number into people that also reads vital signs while embedded. This technology then alerts first responders of ailments and medications without the need for the person to provide any information. 

[Read more: Australia leads the world in personal control of electronic health records | Is the My Health Record technology out of date?]

ATSE’s Bradlow said the industry needs to be “realistic” about it as the danger of data leaking due to cyber hacking is as true as hacking any other data system. 

“Let’s remember that many [healthcare professionals] have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy. Within My Health Record, we can make it the default to require a patient access code,” he said. 

“A well-designed record system which is managed by a professional security organisation and has a clear audit trail, for example, provided by blockchain, can mitigate this risk significantly."

Source: Hafizah Osman, 31 January 2019, “Industry calls for more caution over MHR system”, https://www.healthcareit.com.au/article/industry-calls-more-caution-over-mhr-system

Note: Thank you Hafizah Osman— interestingly I was referring to the VeriChip experiment of the PHR that Dr John Halamka trialled for a short time and wrote about in 2006 here: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1656959/

Data Expert Warns Encryption Laws could have Catastrophic Outcomes

encryption.jpg

A University of Wollongong data expert has labeled the government's proposed encryption laws delusional and warns they could have catastrophic consequences.

The changes would force technology companies to help police access encrypted messages.

Professor Katina Michael, from the School of Computing and Information Technology says the powers are unprecedented and have no oversight.

She is speaking to ABC reporter Kelly Fuller.

Citation: Katina Michael with Kelly Fuller, “Rushed Encryption Laws Herald a Watering Down in National Security”, ABC Illawarra: Radio, 6 December 2018, https://soundcloud.com/kelfuller/data-expert-warns-encryption-laws-could-have-catastrophic-outcomes

The escalating crypto-war in Australia and what it means for us

It was a sunny day in December 2015 and 14 people lay dead in San Bernardino, California after a mass shooting at the North Park Elementary School.

517264-pcmag-de-october-2016-cover-crypto-wars.jpg

I still remember the news footage taken from a helicopter hovering over a bullet-ridden black Ford Expedition, in which the perpetrators Syed Rizwan Farook and Tashfeen Malik had fled and were killed in, during a shootout with police.

There have been so many mass shootings in America since, including last year’s horrific killing of 58 concertgoers in Las Vegas, that the grim memory of San Bernardino has faded.

But the tragedy has had a lasting legacy in unexpected ways. In the months after the shootings, the FBI attempted to enlist the support of phone-maker Apple to gain access to Syed Rizwan Farook’s iPhone 5C as part of their investigation into what was being labeled a terrorist attack. The FBI wanted Apple to create a new operating system they could install on the dead shooter’s phone that would bypass security features. It would also serve to give the FBI access to iPhones in future criminal investigations too.

Apple famously refused, telling the FBI that giving in to a demand to “hack our own users” would set a precedent undermining the privacy of all iPhone users.

“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect,” he wrote in an open letter to customers at the time.

This was just a couple of years after the Edward Snowden leaks, which revealed the extent to which government security agencies were secretly gathering masses of internet data. The big tech companies, keen to shore up trust, rushed to introduce end-to-end encryption to services like WhatsApp, Gmail and iMessage, making the argument that if their customers’ data was invisible to them, they couldn’t hand it over to the authorities.

FBI vs Apple

There were tense meetings between then-president Barack Obama and Apple chief executive Tim Cook, who didn’t resile from his position. Eventually, the FBI found a company that could break the phone’s encryption, paying them nearly US$1 million to do so. The issue died down as a technical fix broke the impasse. But politicians have continued to push the issue calling for new legislation that would force tech companies to allow law enforcement agencies access to encrypted systems.

In the wake of the San Bernardino massacre, President Trump made his feelings on the issue plain, calling for a boycott of Apple products.

“Who do they think they are?" He complained to the hosts of Fox & Friends.

Since then, he has been relatively silent on encryption, but his officials and US senators have been quietly working on the issue with a view to drafting encryption circumvention legislation that they know will face stiff resistance from the tech sector and its K Street lobbyists in Washington D.C.

Governments elsewhere have the same goal in mind as they struggle to track the online communication of suspected criminals and terrorists. An attack in London last May that saw a man drive his car into pedestrians, killing four people, opened the encryption debate in Britain.

The killer had apparently sent a message on the encrypted WhatsApp platform hinting at what he was about to do, moments before he ploughed into unsuspecting pedestrians. It led Theresa May to call for her security services to be given the ability to circumvent encryption systems.

Five Eyes stand together

The UK’s Investigatory Powers Act or ‘Snooper’s Charter’ introduced in 2016 gives British law enforcement agencies some powers to require network operators to remove “electronic protection” from communications and data. But it isn’t seen as strong enough to demand backdoors to encryption services, particularly for services delivered from outside the UK.

New Zealand introduced similar legislation in 2013, with the Telecommunications (Interception Capability and Security) Act. That requires internet providers to make their networks interception available to government agencies armed with a warrant. But it only applies to “network operators” - it is unlikely that the law could be used to demand Apple or Microsoft retrieve encrypted data for the New Zealand Police or the GCSB.

The issue hasn’t flared up in New Zealand in recent years, but our membership of the ‘Five Eyes’ security partnership with Australia, the United Kingdom, the US and Canada could propel us towards the legal changes other countries are pursuing.

Meeting earlier this year, the Five Eyes issued a joint statement stating their preference for technology service providers to “voluntarily establish lawful access solutions to their products and services that they create or operate in our countries”.

Then came the veiled threat:

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Backlash in Australia

Across the Tasman, the Liberal Government is pushing ahead with mandatory measures.

The so-called Assistance and Access Bill proposes three levels of assistance that tech companies and internet providers could be required to lend law enforcement agencies. At the lowest level, voluntary assistance could be offered, with the highest level of assistance seeing the country’s attorney general requiring tech companies to “build a new capability” into their systems to allow access to encrypted information.

The Bill has been slammed by Apple and other multinational tech companies as being too ambiguous and wide-ranging as well as by privacy and encryption experts.

“This is not a solution to the problem of just-in-time policing and border force security but an override on the freedoms of everyday Australians and Australian companies, or even those doing business in Australia,” says Professor Katina Michael, a technology and innovation expert at the University of Wollongong and Arizona State University.

“Privacy is a human right, and one way that right can be maintained in today's digital transactions is through encryption.”

Apple reiterated its call that breaking encryption systems will undermine security for everyone.

“This is no time to weaken encryption,” it wrote in a submission on the Bill.

“There is a profound risk of making criminals’ jobs easier, not harder. Increasingly stronger — not weaker — encryption is the best way to protect against these threats.”

The Australian Computer Society saw no reason to expedite the legislation which it described as “problematic”.

Technically, it can be done

But Dr Richard Adams, Adjunct Fellow in the School of Information Systems at Curtin University, said that while tech companies had an obligation to protect their customers’ data, they also had obligations to the “wider community”.

“The challenge is for manufacturers to meet the needs of both groups rather than adopt the best stance from a marketing/cost perspective,” he says.

With that in mind and the legislation putting the onus on the tech companies to come up with ways to grant security services access to encrypted services, it was time to consider what technical solutions could be offered to meet the government half-way.

“A simplistic solution on phone devices would be to store the data twice, once with the ‘user key’ and once with the ‘manufacturer key’ so the strength of the encryption itself would not be affected and the risk of having two ‘keys’ could be mitigated by the use of a very complex manufacturer key requiring physical access to the device,” he says.

“Obviously there would be push-back on the additional storage required and reduced battery life but the point is that from a purely technical standpoint it could be done relatively easily."

With the Five Eyes member countries all at different stages in pushing for stronger laws to deal with encrypted services, such technical efforts to assist governments will need more serious consideration.

The alternative is heavy-handed legislation that is not fit for purpose, rammed through by governments with a larger law enforcement agenda.

But Michael says we also need to consider the threat to privacy posed by the companies that are opposing efforts to circumvent encryption, which are wielding immense power themselves through their access to masses of our data.

“The complexity here is in the fact that private corporations like Apple, Google, Facebook, Amazon and Microsoft are amassing so much personal data that citizen data rights are being equally eroded by corporations themselves who share the data with third parties,” she says.

“We need to take a step back as Australians and ask ourselves why these private corporations are fighting this government bill together?”

Fork Over Passwords or Pay the Price

Fork Over Passwords or Pay the Price, New Zealand Tells Travelers

air nz.jpg
As of this week, travelers who fail to unlock their devices risk prosecution and potential fines of 5,000 New Zealand dollars, about $3,295.

The law applies to both foreign visitors and returning New Zealand citizens.

Mr. Brown, the customs spokesman, said that once a password was supplied, “preliminary searches” would be carried out with a traveler’s phone or computer set to flight mode, and officers would explore only files saved to the device, not website histories or any information uploaded to cloud-based storage.

A device could be confiscated for further examination only if the preliminary search led officials to believe that was warranted, although Mr. Brown admitted that failure to provide a password could be grounds for seizure.

The move drew criticism from civil liberties advocates, who said digital devices contain far more private information about a person than luggage does and should therefore be subject to greater protection from searches.

Katina Michael, a professor at the University of Wollongong in Australia who specializes in surveillance issues, said most countries’ laws allowed officials to confiscate devices, often for a period of weeks, if passwords were not provided or illegal activity was suspected. But she said the new fines in New Zealand added a “scare factor” to pressure people, who often do not know their rights when entering a new country, to hand over their codes.
But a spokesman for New Zealand’s Council for Civil Liberties, Thomas Beagle, told Radio New Zealand that it was not clear what constituted “reasonable suspicion” and that there was no way for travelers to challenge a forced search of their devices.

In 2017, New Zealand border officials conducted 537 preliminary searches of devices, and customs officials said they did not expect that number to increase under the new law.

In the United States, forced searches of devices at the border have increased in recent years and have been subject to lawsuits, in which civil liberties activists claim the examinations are invasive and unlawful.

Professor Michael said there had also been an increase in digital searches and device confiscations at the Australian border.

Tech for Good: The Role of ICT in Achieving the SDGs

What opportunities and challenges do digital technologies present for the development of our society?

https://vimeo.com/288621991

https://vimeo.com/288621991

I truly believe that we can harness technology for good. That information and communication technology is key to achieving the Sustainable Development Goals. But more than this? We need to be human. Being human means that we can achieve anything together through compassion, care, foresight, and long-term sustainability. Right now we use technology in ways that helps us to gain access to critical information, but also as a means to become more engrossed in ourselves and our personal interests alone. What about the public interest? What about public interest technologies like those being suggested by the SDG Academy an all of its speakers? Think on doing this rewarding course. It takes a mission critical view of how technology can be used (or abused) as a tool for dis(empowerment). We have a choice- from our perspective the choice is easy- we MUST use technology for good.

The trailer for the magnificent SDG Academy. Here are courses delivered by the SDG Academy. More about the free online courses here.

My involvement was in 3 MOOCS related to: privacy, data rights, security and ethics, with a heavy emphasis on human rights throughout. Stay tuned for more.

About this course

Tech for Good was developed by UNESCO and Cetic.br/NIC.br, the Brazilian Network Information Center’s Regional Center for Studies on the Development of the Information Society. It brings together thought leaders and changemakers in the fields of information and communication technologies (ICT) and sustainable development to show how digital technologies are empowering billions of people around the world by providing access to education, healthcare, banking, and government services; and how “big data” is being used to inform smarter, evidence-based policies to improve people’s lives in fundamental ways.

It also addresses the new challenges that technology can introduce, such as privacy, data management, risks to cybersecurity, e-waste, and the widening of social divides. Ultimately, Tech for Good looks at the ways in which stakeholders are coming together to answer big questions about what our future will look like in a hyper-digitized world.

This course is for:

Technology specialists who want to understand more about how ICT is being used to improve people’s lives around the world.
Sustainable development practitioners who need to understand the opportunities and limitations of technology in a development context.
Advanced undergraduates and graduate students interested in the key concepts and practices of this exciting and ever-changing field.

What you'll learn

  • ICT can improve access to knowledge and services, promote transparency, and encourage collaboration

  • Responsible collection and use of data requires governance, security, and trust

  • ICT projects should be contextualized and inclusive

  • Technology is not neutral! Be aware of bias in design and implementation

 Hide Course Syllabus

Course Syllabus

Module 1: Welcome to the Digital Age

  • Introduction to the Course

  • Bridging the Digital Divide

  • Three Approaches to ICT for the SDGs

Module 2: Technology for Governments and Citizens

  • Equity and Access to Services

  • User-Driven Public Administration

  • It's All About the Data

  • The Open Government Approach

  • Case Study: Aadhaar in India

  • The Challenges of Digital Government

Module 3: ICT Infrastructure

  • Enabling ICT: The Role of Infrastructure

  • Promoting Digital Inclusivity

  • Innovations in Infrastructure

  • Building Smart Sustainable Cities

  • ICT as Infrastructure: A Look at Societal Platforms

Module 4: ICT Innovations in Health

  • Achieving Universal Health Coverage

  • Improving Healthcare Delivery

  • Involving the Community

  • Evidence in Action: Success Stories of ICT and Health

  • Emerging Challenges and Opportunities

Module 5: Learning in Knowledge Societies

  • The Ecosystem of ICT for Education

  • Education for a Connected World

  • Sharing Knowledge: ICT, Openness, and Inclusion

  • Measuring ICT and Education: Frameworks

  • Measuring ICT and Education: Data and Indicators

  • Rethinking ICT for Education Policies

Module 6: Promoting Financial Inclusion

  • An Introduction to Financial Services

  • The Potential of Digital Platforms

  • Mobile Payments for Marginalized Communities

  • ICT for Enabling Access to Credit

  • Replacing the Cash Economy

  • The Challenges of ICT-enabled Financial Inclusion

Module 7: Measurement and Metrics

  • Managing Data for the SDGs

  • ICT Innovation for Statistical Development

  • Engaging with Data: Communications and Citizen Empowerment

  • Case Study: Brazil’s Cetic.br

  • Measuring ICT

  • ICT for Monitoring the SDGs

  • Limitations of ICT for Monitoring the SDGs

Module 8: Artificial Intelligence

  • An Introduction to Artificial Intelligence

  • Who Drives the Agenda on “AI for Good”?

  • Implications for Discrimination and Exclusion

  • The Human Side of AI: Risks and Ethics

Module 9: Concerns for our Digital Future

  • Privacy and the Importance of Trust

  • Knowing your Data Rights

  • Cybersecurity

  • The Downsides of Digital

Module 10: The Way Forward

  • The New Workforce: Six Points about the Future of Work

  • The Meaning of Work in the Digital Era

  • The Open Movement

  • Closing Thoughts on ICT for the SDGs

Original link here: https://www.edx.org/course/tech-for-good-the-role-of-ict-in-achieving-the-sdgs

Is it the end of privacy?

east side.png

Citation: Katina Michael with Eric Gyors, March 28, 2018, "Is it the end of privacy?", EPISODE: Wednesday Drive – 4:00pm 28th Mar 2018https://eastsidefm.org/episodes/wednesday-drive-400pm-28th-mar-2018/

 

Now that Facebook have acknowledged "mistakes", what's next?

abcnews.png

Citation: Katina Michael with Joe O'Brien, "Now that Facebook have acknowledged "mistakes", what's next?" ABC 24 hrs: Mornings with Joe O'Brien, channel 24, 11am-11.12am.

obrien.jpg

Joe O'Brien is the host of ABC News 24's morning news program and was previously co-host on ABC News Breakfast. Joe has more than 20 years experience in journalism and has been with the ABC since 1995. He presented the 7pm ABC News programs in both Queensland and New South Wales, and regularly presented the national Midday Report on ABC TV. Joe's extensive reporting experience covers everything from drought and floods to sport and politics. He was first based for the ABC in Rockhampton, and then in Brisbane as a reporter and presenter. Follow @JoeABCNews

Psychometrics, big data, data-driven approaches, microtargetting, and you

The damning evidence is mounting on CA. Today it was announced that CEO Alexander Nix has been suspended from his position given a Channel 4, UK covert sting recording.

Citation: Katina Michael with Cassie McCullagh, March 21, 2018, "Psychometrics, big data, data-driven approaches, microtargetting, and you", ABC Sydney Radio: FOCUS: http://www.abc.net.au/radio/sydney/programs/focus/focus/9549448