24 September 2018

MHR caught in glare of Senate spotlight

MyHealthRecord Technology

The My Health Record has come under sustained criticism in a Senate inquiry, with witnesses warning that the system’s current platform was outdated and insecure.

Australian Digital Health Agency CEO Tim Kelsey revealed that 900,000 people had exited the MHR since the opt-out phase started in July. The figure included those who quit using call centres or the website; paper forms had yet to be counted.

But Mr Kelsey said that this was a good result, as the agency had expected “significantly higher” opt-out levels, and ADHA polling showed public awareness of the MHR opt-out had risen to 59%.  

In other evidence last week, technology experts advised the Senate Community Affairs Committee the current MHR model was outmoded and lacked proper privacy controls.

Grahame Grieve, a long-time technical adviser on the MHR, said industry insiders feared that more investment in the system as it stood “will increase the focus on forcing it to look like a success, to the exclusion of any other approach – just like we’ve been doing for the last 10 years”. 

“This investment and political focus hurts innovation, even outside the system, because it’s too big a risk for institutions and their vendors to invest in anything else,” he said.

Mr Grieve, the creator of the Health Level 7 standard for interoperability known as FIHR, called for a more nimble approach. 

During the past decade, industries were being transformed by a superior “distributed” model harnessing “a set of federated systems that act together”, instead of the centralised database used by the MHR.

“But the My Health Record is still frozen as if all this hasn’t happened: inconvenient, inflexible, with poorly controlled information-access rules.”

Mr Grieve said he had seen these difficulties coming with the MHR, “partly because of limitations in the technical standards we used”. 

“As a result, I created a new set of standards based on the web so that healthcare could use the same methods as other industries. I wanted to see healthcare transformed too,” he said.

The FIHR (pronounced “fire”) standards have been chosen by US tech giant Apple to link its Health Record smartphone app with hospital records. US and Dutch authorities have also picked FIHR to build distributed health-record systems.

Paul Shetler, a former head of the government’s Digital Transformation Agency, told the inquiry that the MHR posed inevitable security risks as a centralised “honey pot” open to 900,000 practitioners.

 He also described the access controls for patients as “shocking”.

 “I believe that My Health Record represents an excellent opportunity for Australia to think big and do the right thing and take the lead worldwide on data and privacy. But … we must admit the shortcomings of our current approach in terms of functionality and data security,” he said.

“Doing nothing is not an option any more – in its current form the program will fail,” he said.

Mr Shetler criticised the decision to make the MHR an opt-out scheme, saying: “If it was something that people wanted, you would never need to mandate the use. People would be clamouring for it, because it’s free.”

Professor Meredith Makeham, a Sydney GP and the ADHA’s chief medical adviser, told the inquiry that offering tighter privacy controls as a default, such as a patient-set PIN, would reduce the MHR’s usefulness.

“The difficulty would be that with a record access control set as a default, the clinical benefit of the system relating to medications safety would be very much potentially closed down,” she said.

 “[Difficulty] would arise for a clinician who was trying to view the My Health Records of patients who were coming through, say, an emergency situation or through their rooms,” Professor Makeham said.

Of the 6.1 million My Health Records, 16,848 consumers had added passcodes blocking access, and 4109 had limited access to certain documents, the Senate’s Community Affairs Committee was told.

More than 136,640 had activated notifications to alert them when a healthcare organisation newly accessed their records or a health summary was added.

The committee also heard that 51 clinicians were on ADHA contracts, including one doctor who had received more than $1.1 million over the past two years. 

Senator Lisa Singh asked whether it was “legitimate” for the agency to present “clinicians’ perspectives” in its submission to the inquiry without clarifying their status as paid contractors. 

Agency officials said the contracts did not bind clinicians to take or communicate a certain view of the MHR, and their input was essential to make the system fit for purpose.