E-health records shambles about to befall Australia
The British experience of a similar scheme should be a warning. The Brits have spent many years and billions of pounds on a similar scheme and still have not got it working properly. And the British habit of "losing" masses of people's data is unlikely to be much different here. Anybody with medical records that might embarrass them should avoid this thing like the plague. I am going to register, however, just to see how it all goes. I like a laugh.
The national electronic health record database to be launched on July 1 has both medical and security experts calling for better e-health controls.
Australia has no co-ordinated approach to e-health safety and security – and with the national Personally Controlled Electronic Health Record (PCEHR) just weeks away, the risk of a safety crisis is growing daily.
People who choose to register for a PCEHR from July 1 will have access to a range of their medical data from Medicare, and over time also doctor's summaries, pathology results, scans and prescriptions.
"I would rest more comfortably if DOHA [the Department of Health and Ageing] was more pragmatic about the risks involved in accessing personal health records," says Graham Ingram, who heads the information security emergency response centre AusCERT.
"At the moment DOHA is saying, don't worry, the transactions are secure. They are not highlighting the risks that are associated with accessing your information over the internet from a compromised machine."
Ingram wants DOHA to "drop the blanket assurance" that the PCEHR records are safe and says that the risk of identity theft is high, adding that DOHA can't guarantee the security of records accessed on a private machine or through an internet café, for example.
A very public security breach occurred last month when DOHA's eHealth education website was defaced by a team of hackers known as 'LatinHackTeam' on May 17.
The hack involved a defacement of publiclearning.ehealth.gov.au. Defacements are the digital equivalent of protest graffiti. In this case it included a change to the homepage, with text celebrating the hack.
The changes were quickly removed from the DOHA site. A copy of the hack was documented on the Zone H defacements website.
IT security consultant Chris Gatford of HackLabs said the hack showed that a critical security process, one that should have blocked external editing of the site, wasn't followed.
Gatford said vulnerabilities could include a coding error, a software patch not applied or having no process to detect security vulnerabilities – all standard basic security processes that should be integral to such a major project.
Professor Enrico Coiera is the co-author of a paper published in the Medical Journal of Australia in April which calls for better clinical safety governance for e-health.
His collaborators on the paper include Dr Mukesh Haikerwal who heads Clinical Leadership, Engagement and Clinical Safety at the National E-health Transition Authority (NEHTA), which is spearheading the implementation of the PCEHR.
The writers call for the establishment of an independent, national, expert-based body to oversee e-health clinical safety governance, with the capacity "to investigate, analyse and act upon significant risks in the system."
The wide range of clinical software in existence throughout the health system is unregulated and unmonitored and the authors cite studies in e-health safety in Australia showing evidence of "past harms and future risks".
"It's important not to confuse safety and security," says Coiera.
"E-health security is about stopping people inadvertently or deliberately having access to information they are not supposed to, whereas safety is about whether a person can be harmed because information is wrong, or not delivered, or delivered to the wrong person."
Coiera says safety and security issues stretch beyond the vulnerability of the PCEHR records.
"E-health in the form of clinical software is being used everywhere right now – by every GP, every pharmacist, and every hospital – and it is entirely unregulated," Coiera says.
He says that without strong standards in place, something as simple as a flawed clinical software update could change the medication information in the clinical health records of a number of patients, unintentionally risking widespread harm.
"We know from research in other countries, that things can go wrong and patients can get hurt. We are not saying the PCEHR is unsafe. We are saying, we don't have any idea. And there is no national approach to governing how it is done, monitoring what goes on, and recording and responding to any problems."