House debates

Tuesday, 18 September 2018

Bills

My Health Records Amendment (Strengthening Privacy) Bill 2018; Second Reading

12:21 pm

Tim Watts (Gellibrand, Australian Labor Party)

Data governance and security is now one of the most talked about issues in our society. Most Australians are now used to receiving emails from companies or organisations informing them that their private information has been exposed in a data breach. Have I Been Pwned, a website maintained by Australian Troy Hunt, a Microsoft security expert, has logged nearly 5½ billion pwned user accounts across hundreds of confirmed data breaches. In fact, a US organisation that tracks data breaches found that, in 2018 alone, almost 800 data breaches have been confirmed, exposing over 27 million records. Since 2005, they've found almost 10,000 breaches, exposing one billion records.

It's hardly surprising, then, that the public are increasingly anxious about protecting their personal data when stored online. This was the context for the rollout of Australia's My Health Record, an online summary of Australia's key health information intended to give doctors access to patients' critical health information, like prescriptions, allergy tests and scan results. My Health Record has been a long time coming. It is a project with obvious potential benefits for individuals and our broader healthcare system. It has the potential to save lives, to improve a person's experience and to save money throughout the healthcare system. Given these potential benefits, it's unsurprising that this policy has been pursued across multiple governments on both sides of politics. But a project of this nature also has major risks.

Given the legitimate sensitivities associated with maintaining the confidentiality of private medical information, maintaining public confidence in this system was always going to be a major challenge and a major priority for the rollout of the My Health Record. But, when the current government decided to change the rollout of My Health Record—from something where Australians had to choose to opt in and provide informed consent to participate, to a system that people had to make a decision to opt out of and could become a part of without their informed consent or even their knowledge—the government dramatically underestimated the increased sensitivity that this would create and the public's anxiety with data security issues associated with it. It required a first-principles re-evaluation of the data governance for the project and an extensive public consultation and communications program to bring the public along with these changes. This has manifestly not occurred. The result has been a barrage of anger and confusion that has completely undermined the public's trust in the security and confidentiality of My Health Record.

This bill, the My Health Records Amendment (Strengthening Privacy) Bill 2018, which Labor supports, is a reaction to the public's anger to this bungled rollout. Before this bill, law enforcement bodies could access My Health Record information for certain purposes, such as the investigation of a criminal offence. Now this bill makes clear that such release of information to police or other law enforcement authorities can only be done with consent or a court order. This bill also responds to the public's anxieties over the storage of the information in My Health Record after they opt out. The My Health Record originally required the information to be retained 30 years after a person's death. This bill requires that an individual's My Health Record be deleted permanently if that person decides to cancel their record. But this bill doesn't go far enough. These are good measures, but we need to go further.

Unlike the government, Labor intend to move carefully here. As a result, we've referred this bill to a Senate inquiry with a view to the introduction of further amendments that could improve public confidence in the My Health Record. Labor are particularly concerned with two aspects of this bill. Firstly, we are worried that My Health Records could facilitate family violence. That's because the act may allow a non-custodial parent to create a My Health Record on their child's behalf without the knowledge of their former partner. That record may contain information about the location of recent doctor or pharmacy visits and may then be used by an abusive ex-partner to track a mother and child. Although the issue has been repeatedly raised by advocates against family violence, the government has refused to act. The second problem, this time raised by the trade union movement, is that employers could gain access to the My Health Records and use those records to discriminate against workers on the basis of their content. The act is ambiguous at best about whether information from workers' compensation health checks can be passed on to employers. This bill needs to do more to protect women fleeing domestic violence and workers' information in the workplace.

Beyond our concerns with this bill, the Labor Party have received support from the Senate for a separate, broader inquiry that will review all laws, regulations and rules that underpin the My Health Record. We strongly believe that this inquiry is needed to exert greater scrutiny on the data governance structure prevailing in this shift to an opt-out system. The Minister for Health in response to the rising public anger about concerns to do with the security and confidentiality of this information repeatedly insisted in public that the My Health Record had 'military grade security' and was impenetrable. This frankly does nothing to answer the question as to whether this system has the ability to protect sensitive personal information. In fact, from my perspective, it merely undermines any confidence in his competence or that the government even understands the basic principles of data governance and security.

In response to the growing community uproar about the My Health Record, the minister issued a press release stating that the My Health Record is protected by:

… defence level encryption, secure gateways and firewalls, authentication mechanisms, and malicious content filtering.

He said that it would be monitored by the Australian Digital Health Agency's Cyber Security Centre for unusual activity. But what he failed to communicate and, more worryingly, to understand is that effective security online isn't about technology; it is about having a risk management system. The best military-grade technology—whatever that means—is worthless without an accompanying system built to manage a suite of other non-technology risks associated with the storage of sensitive data of this kind.

My Health Record has the potential to be the largest data honey pot ever created in Australia. The idea that hostile or criminal actors would seek access to this information is not a hypothetical concern. Hackers stole personal data about 1.5 million people from the Singapore government healthcare database in what the Singapore government described as a 'deliberate, targeted and well-planned attack'. Their system was breached because one computer belonging to SingHealth, one of the two major government healthcare groups in Singapore, was infected with malware through which hackers gained access to the non-medical personal data of 1.5 million healthcare patients, including the Singapore Prime Minister. Similarly in the United States hackers managed to steal records of around 21.5 million people from the US Office of Personnel Management. Large-scale data breaches like those in Singapore and the United States and breaches of a similar scale in Germany and the United Kingdom are equally possible in Australia, too. We shouldn't kid ourselves: we are a target as well.

To be confident in a risk management system for protecting data like this, all forms of information risks must be identified and appropriate risk management policies put in place. My Health Record has many forms of risks. In fact, you could consider it having hundreds of thousands of risks. That's in the form of every employee working in every clinic and every hospital in Australia who has access to these records, the so-called insider risk. It is naive ignorance at best and wilful neglect at worst for the minister to believe that technology alone would prevent incursions into government data systems. In fact, during the three months between March to June 2018 alone, the Office of the Australian Information Commissioner received 242 notifications of data breaches under the Notifiable Data Breaches scheme. Twenty per cent of these breaches came from healthcare providers, the largest single source of data breaches. This figure understates the data security risk in the health sector because public hospitals and community health centres are exempt from reporting data breaches under the Notifiable Data Breaches scheme.

There are almost 700 public hospitals in Australia that provide two-thirds of all hospital beds in the country and employ over 300,000 staff. Each and every one of those employees is a potential risk that a data governance system would need to manage. They are a risk because human error accounted for 60 per cent of data breaches by health providers. It was not malicious attacks from hackers, from state based actors or from cybercriminals; it was just human errors. The risk was not in the hardware or in the software but in the wetware. No military-grade technology can prevent information being given out by mistake because a clinic hasn't trained its staff.

Instead of only talking about the technology, the government needs to ensure that health providers around the country have good security practices. As the member for Canberra pointed out so presciently in her previous speech, we need basic cyber hygiene training for everyone touching this system. Health providers need to know who they can appropriately allow to access My Health Records and the level of access that different types of staff should have to ensure that the systems to monitor use and access are in place. They need to have systems that detect unauthorised use and access.

Health providers need to know what to do if there is a data breach, including who they should notify and whether they need to notify authorities. When it comes to notifying authorities, understanding who you should notify and when is a near impossible maze to navigate. Private providers must follow the Commonwealth Privacy Act and report to the Office of the Australian Information Commissioner. Public hospitals and community health centres are regulated by the states. State parliaments haven't enacted similar breach notification schemes.

My Health Record adds a new layer of confusion for two reasons. Firstly, it has its own breach notification provisions that use a different legal test to the Privacy Act. This means the circumstances under which health providers must notify patients and authorities of a breach are different to that set out in the Privacy Act. Secondly, My Health Record can be accessed by patients as well as by the public and private hospitals; healthcare providers, including GPs and specialists; pathology and diagnostic imaging services; and pharmacies. That means that if a patient's information is lost or accessed unlawfully, whether a notification to the person affected is mandatory depends on which of these legal regimes applies. What law applies depends on where that person's medical records sit at the time of the breach.

If this sounds confusing, Dr Megan Prictor, a research fellow at the University of Melbourne and an expert on health technologies and data regulation, illustrates the extent of this confusion with an example. She cites an example of Ms Smith. Ms Smith visits a private specialist, Dr Jones, for advice on a health problem that requires surgery. Dr Jones puts notes on Ms Smith's condition into the private clinic's record. Ms Smith is then admitted to a state public hospital for surgery, as a private patient, under the care of Dr Jones. Whilst she is there, information about her surgery and her recovery are entered into the public hospital record by nurses and junior doctors. Both Dr Jones and the hospital also upload some information about Ms Smith's treatment to the national My Health Record.

In this scenario, if information about Ms Smith's surgery is accessed by hackers, then whether Ms Smith must be told about the breach depends on where the information was taken from. Under current legislation, consumers will be informed about data loss from a private healthcare provider or My Health Record but not from a major public hospital. If it was held in Dr Jones's private rooms, under the Commonwealth Notifiable Data Breaches scheme, Dr Jones must tell Ms Smith about the breach as well as inform the information commissioner. If the same information is taken from My Health Record, Ms Smith must still be informed but the specific notification criteria and the procedures are different. Finally, if the information is taken from the public hospital records, there is no legal obligation to tell her at all. As Dr Prictor so ably illustrates, the complexity of rules is confusing to both healthcare workers and patients alike. It's clear that, on the issue of data security, My Health Record actually adds a new layer of confusion and, in turn, a whole new set of risks to protecting sensitive and private health information.

To reiterate, data related risks are not limited to 'cybersecurity'. That's just one of a bucket of risks. We need to consider fraud risk, like we saw in a recent incident with the selling of Medicare numbers on the dark web. There's third-party risk, where healthcare providers subcontract services to a third-party provider and are given access to My Health Record, adding another layer of risk. Blustering about military-grade security technology really makes you wonder whether the minister understands these different forms of risk.

We need to get better at this. Data governance and managing public anxieties about data collection and use are not limited to the health sector. Governments around the world are moving towards delivering more services online to improve quality of services, to reduce costs and to collect more information that can be used to inform the development of better policies. These are legitimate reasons for collecting and storing private information, but they will also only increase the public's anxiety. There's a need to do some big-picture thinking about these issues as a whole-of-government effort, not just limited to one department or sector.

Crucially, we also need to bring the public and the medical profession along with our thinking, something that this government has manifestly failed to do. To date, only around 13,000 provider groups have signed up to the My Health Record. That might sound impressive, but that's out of around 900,000 health professionals who could have signed on. To have a useful system, we need most of these groups to sign on. Although most hospitals have access to My Health Record, most have never looked up the system because a patient may not have a record if it's empty. Although there are significant public anxieties about the system, at this point there's not enough information for it to be useful in a practical sense for either patient or doctor. And so we come to the current situation: an angry and confused public that distrusts the My Health Record, a database used by only a small proportion of health practitioners and a government that has completely misunderstood what it takes to protect patients' privacy and data security.
