Digital rights groups Electronic Frontiers Australia and Future Wise today expressed their disappointment in the management of privacy and security of the My Health Record system, as highlighted by the Australian National Audit Office (ANAO)’s report released on Monday 25 November 2019. They called on the Australian government to engage seriously with the complex issues of data privacy and security.
The ANAO report, Implementation of the My Health Record System, validates the concerns that civil society shared during the My Health Record opt-out saga. The government had to be forced, by widespread outcry, to tighten the security of the system, yet the ANAO’s report shows that the Australian Digital Health Agency (ADHA) has been unable to take the security of Australians’ health data seriously.
In 2018, the private health service provider sector reported the most notifiable data breaches of any industry sector and yet ANAO found that ADHA’s management of shared cyber security risks “was not appropriate”. It is astounding that this should be the case after over seven years of production use of the My Health Record system. It raises serious questions about ADHA’s commitment to cyber security of the My Health Record system.
The report also found that only 8.2 per cent of requests by third parties to get "emergency access" to patients' records met guidelines. ADHA itself assessed that use of this function had a ‘very high’ inherent privacy risk, and yet ADHA has been unable to demonstrate that Australians’ sensitive health data is being accessed appropriately.
This is particularly alarming as monthly use of this so-called emergency access has increased from 80 instances per month in July 2018 to 205 instances in March 2019. More alarming still is that some responses received from specific healthcare provider organisations about their use of emergency access indicated a “potential contravention of the [My Health Records] Act”, and yet ADHA did not notify the Information Commissioner about any of these instances.
“It is deeply concerning that the ADHA has not yet undertaken all of the recommended steps to improve security. In some cases, there is no risk assessment or mitigation strategies to protect information assessed as high and very high risk,” said Dr Trent Yarwood, a medical specialist and health spokesperson for Future Wise.
“Improper access by an authorised user, like a healthcare worker snooping on the record of their friend, or ex-partner, or even a celebrity, is much more likely to occur than an external hack. So when ADHA say the system has never been hacked, it does not mean people’s private information hasn’t been breached, because clearly it is happening,” Dr Yarwood continued.
“We call on the government to move beyond lazy, simplistic, and divisive rhetoric about cyber security and to engage seriously with the work required,” said EFA Chair Lyndsey Jackson. “These are complex issues that require serious people willing to engage with the complexity, and to do the hard work required to keep our data private and secure. Australians deserve nothing less.”
Trent Yarwood - Future Wise
0403 819 234
Lyndsey Jackson - EFA
Electronic Frontiers Australia is Australia’s leading independent, not-for-profit organisation promoting and protecting digital rights since 1994.
About Future Wise
Future Wise is an independent organisation which focuses on technology, health and education and their impacts on modern society. More information is available on their website: https://futurewise.org.au