Community Affairs References Committee
11/09/2018
My Health Record system

ROBERTSON-DUNN, Dr Bernard, Chair, Health Committee, Australian Privacy Foundation

[17:19]

CHAIR: While you are settling in, can I double check you have had information on parliamentary privilege and the protection of witnesses and evidence?

Dr Robertson-Dunn : Yes.

CHAIR: We have your submission, submission No.1. I now invite you to make an opening statement and then we will ask you some questions.

Dr Robertson-Dunn : The Australian Privacy Foundation is the primary national association dedicated to protecting the privacy rights of Australians. We aim to focus public attention on emerging issues that pose a threat to the privacy of Australians. We have a membership with a wide range of experience in privacy, security, public sector administration, large-scale government information systems development, medical science, healthcare practice and law. My personal expertise is in information systems architecture and design, mainly in the context of the federal government. I'm a systems and automation engineer and I have a PhD in computer modelling of the human intestine. I do not claim to be an expert in medical science but I do have a strong understanding of the role of information in clinical medicine and the healthcare industry. I'm also a board member of the Australian Privacy Foundation and as I have said, chair of the Health Committee. I have no other affiliations or vested interests. My colleague Dr Bruce Baer Arnold sends his apologies; he is unable to attend tonight due to health reasons.

We thank the committee for accepting our submission and giving us the opportunity to discuss our concerns regarding My Health Record. Privacy is a trade-off, a compromise between benefit, cost and risk to all parties, healthcare providers as well as the Australian people. We do not believe that the claimed benefits of the My Health Record system justify the major and significant threats to the privacy of Australians in general and to patients and health providers in particular. Neither do we believe the government has done enough to inform the Australian people of the full consequences of being registered for My Health Record. The sheer existence of My Health Record is having a negative impact on certain sectors of the community. It has the potential for keeping some people out of the healthcare system to the detriment of everyone.

In our view, My Health Record is little more than a record-keeping system over and above existing record keeping systems run by and for health providers. My Health Record is the wrong solution to the wrong problem. The real problems facing healthcare in Australia have nothing to do with record-keeping. The healthcare system is siloed, fragmented and far from what is recognised as the future of healthcare—patient-centric care. Patient-centric healthcare is much more than a summary health record. It includes issues of funding, for example, the current fee for service is a major impediment to coordinated, patient-orientated care, especially with people with multiple chronic conditions. The underlying rationale of patient-centric care is that every individual is unique and so is their experience of illness, sickness and their journey back to good health.

New models of care are needed, supported by advances in technology, not driven by technology rooted in the past. There is certainly nothing wrong with giving those patients who want it better access to their health data. Our submission details a whole range of solutions to this problem that have almost zero cost to the government and which are far less risky to patients' privacy. Similarly, there are great advantages to improving communication between the fragmented parts of the existing health system but these are only stopgap solutions and need to be done with minimal negative consequences and minimum cost.

The world of clinical medicine is migrating towards a patient-centric model with the development of more advanced and sophisticated test instruments available at the time and point of primary care. Associated with these instruments is the need for better data acquisition that is analytical, diagnostic and has predictive treatment tools integrated with clinical record-keeping tools. These will not replace doctors; they will make them more effective and efficient. In the same way that engineers are supported by advanced technologies and tools, so too will health providers.

As these innovative tools become more available, the need for record keeping will drastically reduce. Doctors will have available data on the patient sitting in front of them, not what has been laboriously and inefficiently gathered in the past. My Health Record has no analytic or diagnostic capability, and it is hard to see how it could be ever developed. The federal government is stumbling down the path of automating the past, a path that will lead nowhere, which is casting large sums of money which could be better used—a path which is frightening people to the extent that it could damage their health.

Security and privacy are major issues with My Health Record. Notwithstanding these issues, there are two quite basic and fundamental questions that can and should be asked: why give your private detailed health data to the federal government? It has the potential to interfere in the trust relationship between patient and doctor, and you never know what the government could do with it. The second question is: can the Australian people trust this government or future governments not to change the legislation that covers the security, privacy and sale of their health data, and that has unintended consequences for the wellbeing of some or all Australians? We recommend, as a minimum, that the opt-out process should be halted and an independent review of the system be conducted. Thank you.

CHAIR: Thank you. Senator Di Natale, do you want to kick off this time?

Senator DI NATALE: Thanks very much. Can I go firstly just to the question of the design of the system. If you were starting again, what would you come up with?

Dr Robertson-Dunn : Having lived with this system from the beginning, I would go back to my original suggestion, which was part of the response to what they called the CONOP. There are two ways of collecting health information. One is to join together existing systems: it's a thing called interoperability, so existing health systems, a point of care, are joined together. You improve the flow of information between these systems. No data gets stored in the infrastructure that delivers this. There is a single copy of data, and it is always as up to date and accurate as it can be. It is for health providers. If patients need access to this data, they can be provided with access to the systems that already hold the data as is done in other countries at the moment. The alternative, which is the centralised government owned database, is by far the worst.

Senator DI NATALE: We've received submissions comparing it unfavourably to the German e-health system—are you familiar with the German system?

Dr Robertson-Dunn : I know it exists; I don't know the detail of the design.

Senator DI NATALE: And so you're advocating to move away from the notion of a centralised database to a more connected system of existing health information?

Dr Robertson-Dunn : Yes.

Senator DI NATALE: Is my understanding correct of what you're advocating for?

Dr Robertson-Dunn : Yes, exactly what I'm suggesting: an interconnected health data ecosystem. You have similar problems to the ones that have been addressed about identifiers, interoperability, standards of data and all those things. However, it is a far better solution because it concentrates the data at the point of care, which is where it belongs. One of the disadvantages of a centralised database system is that it can never be relied upon in times of emergencies when there are power failures, communication failures, biohazards and such like. A doctor wants local support where he's giving health care to the patient.

Senator DI NATALE: What you're saying is that there are technical problems with locating the data centrally somewhere else because access to that information can break down at some other point; whereas having data kept locally—for example, in a GP's surgery—is technically less likely to create problems?

Dr Robertson-Dunn : If you're building a resilient national information system, you do not put all your data in one place.

Senator DI NATALE: What about in terms of security—obviously that's the other dimension to this?

Dr Robertson-Dunn : Security is a similar issue; however, if someone hacks into a GP system, it is bad for the patients of that GP, but the scope is severely limited—it has far fewer records. If you get into the national database and you get complete access, I wouldn't feel like recommending that to the government.

Senator DI NATALE: One of the things that you say in your submission is that it was released in 2012 as opt in, voluntary, and you were asked to consent to have your data stored when you registered. Very few people have used it, in spite of over $1 billion having been spent on it. When you say 'very few', how many are we talking?

Dr Robertson-Dunn : It depends on how you define 'use'. The ADHA says that there are 6 million health records. That is not correct if you use the definition of who's got a shared health summary. ADHA's figures, which they released earlier this year, said about 20 per cent of the existing numbers of registrations—

Senator DI NATALE: Six million, yes.

Dr Robertson-Dunn : Twenty per cent of six million, 1.2 million, had a shared health summary uploaded, and that is in six years.

Senator DI NATALE: Why do you think that is?

Dr Robertson-Dunn : Nobody sees any value or use for it. When I say nobody, I mean very, very few people.

Senator DI NATALE: We've obviously had that discussion previously with previous witnesses, but what's your understanding about access by third parties?

Dr Robertson-Dunn : It depends on your definition of 'third party'. If you say that the primary participants in health care are the patient and the doctor, then anybody else is a third party, which includes the government and the Australian Digital Health Agency. They are third parties. The legislation that is being introduced seeks to limit access by third parties to the data—but not by the Australian Digital Health Agency. They should be considered a third party because, as far as I know, there is no legislation that restricts people who work for the Australian Digital Health Agency from accessing the data. IT professionals need access to the data to make sure the system is working. There are, as far as I know, no controls, other than the normal privacy stuff, but it's certainly not My Health Record legislation that protects it. If third parties included the government this thing would not exist.

Senator DI NATALE: What about—as we heard from Professor Phelps—the public health benefits, for example, monitoring epidemics and other public benefits?

Dr Robertson-Dunn : Public health benefits from—good access to high-quality health information is a definite benefit. There are a lot of misconceptions about My Health Record. One is that it is a comprehensive health record. It isn't. The shared health summary contains information, if people have uploaded it, on medication, immunisation, allergies and things called 'event summaries', whatever they might be—usually an indication if someone's had a problem. There's not much in there.

Senator DI NATALE: But isn't that an argument for saying, 'Actually, there's a lot of information that's not in there that may be sensitive and, therefore, we shouldn't be as concerned as we are'?

Dr Robertson-Dunn : In a way, yes. But the way the government is heading—they want to give everybody a health record; lots of information is automatically input into it—it will grow eventually, very slowly. At the moment there are 400,000 GP visits a day. If you look at the numbers produced by the government, the statistics, there are approximately 2,000 to 3,000 shared health summaries updated per day. That is 3,000 out of 400,000 GP visits. That is not exactly well used.

Senator DI NATALE: Finally, what do you think the chances are of this being hacked as it exists?

Dr Robertson-Dunn : To quote other people, because I can't say, 'If it's on the internet it will be hacked.'

Senator DI NATALE: So you think it's a certainty or a near certainty that, at some point, people's health records will be hacked?

Dr Robertson-Dunn : In terms of privacy, the risk isn't worth it.

Senator DI NATALE: Is that because of the model that's being used?

Dr Robertson-Dunn : Yes. It's a centralised database. In fact, being hacked on the internet is the least of the worries. The big problem is access to the system by authorised users. My Health Record exists for people to put data into it, like discharge summaries, which get downloaded to clinical medical systems where the legislation does not apply. As I've indicated in the submission, I think all prohibition and authorisations mean that any data that can be obtained from somewhere else or that goes somewhere else—none of the legislation applies. The only thing the legislation applies to is data collected by and for the My Health Record system.

Senator DI NATALE: I don't understand that last point. That's the current situation, isn't it?

Dr Robertson-Dunn : Yes. The legislation only applies to the data that's collected for My Health Record.

Senator DI NATALE: But what I'm saying is the existing situation, even without My Health Record, there are still those vulnerabilities to accessing data?

Dr Robertson-Dunn : Yes, definitely, but they are distributed and each one is a problem to the individuals concerned, but it is not putting all your eggs in one basket and acting as a big honey pot.

Senator WATT: Thanks, Dr Robertson-Dunn. I want to work to where what you do support and what you don't. For starters, do you accept that much of the information that is to be included in the My Health Record currently exists but is spread across a range of different locations often in a mixture of paper based and electronic records systems?

Dr Robertson-Dunn : By definition, all the data in My Health Record apart from a few documents, advanced care and planning and such like, exists somewhere else.

Senator WATT: So, in a sense, we already have a My Health Record; it is just that it is in a very fragmented, dispersed state at the moment?

Dr Robertson-Dunn : Yes. The problem is how to bring it all together and there are two ways of doing it, in my view, a good way and a bad way.

Senator WATT: Can you remind me what you think is the good way?

Dr Robertson-Dunn : Join up existing systems so there is no data stored in the middle, which is the database. Those existing systems can access data in other systems. That has inherent security and privacy consequences in that you go and see a mental health professional, they keep their records and they can then guard that against other people. The people who need access to it need to provide a need to know. There is no need-to-know access control in this system.

Senator WATT: So is what you would suggest is a good system is a linked-up or joined-up system? Isn't that effectively what we have had in Australia up until the introduction of the My Health Record?

Dr Robertson-Dunn : No, because those systems have not been linked other than by facts. When the government says, 'My Health Record is better than facts,' yes, it is, but it is not better than the individual systems that already exist which need to be joined up.

Senator WATT: I'm not an IT person by any means—my staff will tell you that. I'm struggling to understand how you could put a system together that efficiently links that information. We have all seen doctors scribble notes, some of them these days are better at recording their information electronically better than others, but is it possible to design a system that does link up literally thousands of different record keeping systems, each with a different level of development, in a way that provides patients with the linked-up records that we get out of the My Health Record?

Dr Robertson-Dunn : It's a challenge. It is called interoperability and it depends what level of sharing of information you need. But we've just wasted six or eight years in building the wrong solution when we could have been spending it on better producing a system that would work. And you produce a system like that gradually. You don't suddenly build a big bang system; you let it grow.

Senator WATT: And forgive me if you've answered this already but do you know of anywhere in the world that's been able to design a joined-up system in the sort of manner that you are suggesting?

Dr Robertson-Dunn : Places like Singapore that do have a central health record, it is by far much smaller; it is more like a big hospital. I don't know of any specific solution along those lines because every country tends to be different. We have legislative problems that other countries don't have.

Senator WATT: Okay. I think that's probably it for the moment.

Senator MARTIN: Doctor, the majority of peak health bodies are supportive of My Health Record and the move to opt-out; they believe it will deliver significant clinical benefits. Are they wrong with their support?

Dr Robertson-Dunn : Yes.

Senator MARTIN: And do you want to expand a little bit more on your answer?

Dr Robertson-Dunn : The central myth is that it is a complete health record; it isn't. It's a secondary record which derives its information manually from other systems. It is inefficient in the way it gathers information. I put a calculation in the submission that I put in that said, if each GP spends three minutes considering whether to upload a shared health summary or actually does, it will cost between $500 million and $1 billion a year. I have no idea if anybody has done the costing side of My Health Record. Information put out by the government is all about benefits. I have never seen the cost, the business case, for this thing. Professor Phelps called for it. I asked the ANAO to do an audit based upon the business case, but they have declined to do so.

Senator MARTIN: So doesn't that already happen as well right now in regards to what a GP does or what a specialist does in recording the information at the time the patient is there for care and treatment? Doesn't that already occur, whether it is done manually or whether it is internal entry of data on their local server?

Dr Robertson-Dunn : They gather data for a particular purpose. That is for their experience with the patient at the time and point of care. There is a lot of detailed data. If you're in hospital, there is a huge amount of detailed data and, at the end of your hospital stay, you get a discharge summary. Somebody has to produce that discharge summary and upload it into the system. A GP needs to follow the guidelines of the AMA, which is a 27-page document to manage the information that is uploaded into My Health Record. There needs to be a translation and transformation of information in those detailed systems for My Health Record.

Senator MARTIN: I suppose my point there is that the current system is not foolproof?

Dr Robertson-Dunn : No, it is not.

Senator MARTIN: So, when we started talking about My Health Record—in your evidence that you're giving in regards to that, people entering up data that's not a full health record—you're saying that's not foolproof either, but you're also saying it has benefits. How would you assess the current privacy controls in current hospital and GP settings?

Dr Robertson-Dunn : In current systems?

Senator MARTIN: Yes, the current privacy controls in current hospital and GP services?

Dr Robertson-Dunn : Well, they tend to be varied and distributed. If there were some major problems, we'd hear about it. We do hear about some of them, about information leaking out of GP systems and people getting into systems where they shouldn't. Yes, it does happen. But, because they're distributed, the impact is very small.

Senator MARTIN: But there's still an impact?

Dr Robertson-Dunn : There always will be an impact. In fact, legislation cannot stop this.

Senator MARTIN: We just heard evidence from the Australian Healthcare and Hospitals Association in relation to a death of a patient where their pathology records were faxed to the wrong address. Wouldn't you think or believe that the My Health Record would have benefited that patient as those health experts just said?

Dr Robertson-Dunn : It is possible, but there have been instances where the wrong data has gone on to the wrong health record in exactly the same way.

Senator MARTIN: Yes, but if we had the centralised data and it was entered into that base—

Dr Robertson-Dunn : There have been reports of people looking at their health record and discovering things that don't apply to them.

Senator MARTIN: Thank you, Chair.

CHAIR: Thank you. Does anybody else have any other questions?

Senator DI NATALE: Can I just ask how you respond to the claim from the Australian Digital Health Agency—they have a paper which outlines myths, and they say that one of their myths is, 'My information is protected and can't be hacked'. They say that's a myth.

Dr Robertson-Dunn : I don't understand.

Senator DI NATALE: They've put out information that says that it is a myth to say that your information isn't protected and can be hacked. Do you think it's an accurate statement to say that's a myth? Or do you think actually they are being misleading in the way they describe that? What I heard from you was that it was likely that at some point this information will be hacked, and yet the Australian Digital Health Agency is saying to people, 'Well, actually that's a myth; it is not going to happen'?

Dr Robertson-Dunn : I think both are somewhat suspect statements. You cannot say that it will not happen and you cannot say that it will happen. There is a risk. But the bigger risk is the normal flow of information from My Health Record into other systems.

Senator DI NATALE: So that's your bigger concern. Your bigger concern is not so much the possibility of somebody coming in and trying to access that information for whatever purposes, illegally, but more that the information will be passed on to other parties who seek to benefit from that?

Dr Robertson-Dunn : Or just out of interest. It's a myth that only health professionals can access My Health Record. The president of the AMA was on radio this morning detailing that you have to have certain—

Senator DI NATALE: AHPRA registration.

Dr Robertson-Dunn : Exactly. That is not true.

Senator DI NATALE: Can you elaborate?

Dr Robertson-Dunn : Read the legislation—sorry, I'm not telling you to read—

Senator DI NATALE: I think you mentioned IT professionals may need to be able to access it, but who else?

Dr Robertson-Dunn : There's that side of it. The legislation says that a health provider, which is an institution, needs to be registered and have appropriate access to the system. An employee of a health provider can, as part of their duties, access My Health Record, which means a receptionist, a practice manager or a dental assistant who works for the health provider can legally access the system. You do not need to be a registered health professional. Drawing a really long bow, if you have a pharmacist or pharmacy that is family run and on the weekend one of the children helps out, if they are assisting the pharmacist to prepare medication, technically, they can view a My Health Record. There is no legislation that stops it. I'm not saying it does happen, but, as a scenario, it is possible.

Senator MARTIN: Doctor, are you aware there has never been a security breach of the My Health Record and that the system is designed to the highest level and it is monitored around the clock?

Dr Robertson-Dunn : I know of those statements. I have no reason to disbelieve it. My response would be: well, there's not much in it. It is not a target of hackers yet. When over 20 million people have their data there, it will become a target.

Senator MARTIN: Everything's a target. It depends on what stage you want to try to infiltrate it or not and to test the firewalls in the security, I suppose, at any stage during it. At this stage, no-one has, that we know of, attempted, let alone broken the security levels of My Health Record.

Dr Robertson-Dunn : There are probably more than two potential, let's say, attacks. One is from a disinterested party on the internet who just wants to hack and get into data and maybe sell it. The other one is somebody with a specific interest in an individual and, for instance, where they might live or something about their health record. That is an easier way in. It is probably easier to do that via social engineering through a hospital or through a medical centre.

CHAIR: As there are no future questions, thank you very much. We will now suspend for the dinner break.

Proceedings suspended from 17:48 to 18:32