Back to the paper future
In a nice bit of timing, Pulse+IT asked readers in our poll last week whether, following Greg Hunt's ill-advised comment that he could guarantee the My Health Record won't be hacked, you thought health data security could ever be guaranteed. Nope, the vast majority of you said, and just as well as more details emerged about the ransomware attack on the Melbourne Heart Group cardiology practice in January.
While these sorts of attacks have been going on for years – there was a spate of them affecting Australian GPs way back in 2012 – there is now of course much heightened public awareness of health data security, particularly following the fear-mongering over the My Health Record exercise. (It came as no surprise to see that a researcher from the Australian Strategic Policy Institute, which receives funding from the defence industry, was hauled in by the ABC to link the Melbourne Heart Group attack to the alleged honeypot that is the My Health Record.)
While ransomware attacks on healthcare are increasingly sophisticated, hackers still seem mainly interested in extracting money out of their victims. It is still very much the case that real health data breaches happen not so much due to malign external players, but to basic human error and, unfortunately, poor behaviour and plain old-fashioned snooping from within the sector. There were reports just this week from Canada about a number of hospital staff who had accessed the electronic medical records of patients involved in a fatal bus crash in Saskatchewan in 2017. This mirrors a similar episode in South Australia in 2016 when staff took a sticky beak at the pathology results of a mentally ill young man who killed his famous father.
This week we also found out that some consumer apps were sharing medical data with Facebook, with the user then targeted for advertising. Hmm.
The Melbourne Heart story saw a number of commenters on various sites raise the question of whether going back to paper would be a prudent step. This ignores, of course, the fact that data breaches happen all the time on paper. We were discussing this issue this very week on Pulse+IT's Facebook page, where we discovered that among the weird and wonderful places that faxed clinical records turned up were the butcher, the smash repair shop and the hairdresser. We ourselves have heard of the newsagent in a rural Queensland town that used to receive discharge summaries from a regional hospital meant for the town's GP, and that went on for years.
However, while unauthorised access, snooping and basic human error are often the culprits, a quick look at the Wall of Shame published by the US Department of Health and Human Services' Office for Civil Rights shows that hacks are very much on the increase, and they are not just after money these days but actual data.
Just like in the US, where Congress is currently asking what can be done to boost healthcare cybersecurity, industry and governments here are struggling with what to do about it. Perhaps our own Wall of Shame could draw attention to the problem and raise awareness in the industry. Let us know what you think.
Some of our other top stories for the week were HISA's appeal to allied health practitioners to provide feedback on the role of the profession in digital health, and the news that the 17 million or so people who did not opt out of the My Health Record could now access theirs, if they have a MyGov account.
The Australian Digital Health Agency revealed this fact in an update to a statement on the My Health Record website last Friday, but didn't bother telling anyone. As ever, the agency's communication strategies can only be described as baffling.
That brings us to our poll question for the week: Should Australia and New Zealand set up a healthcare data breach Wall of Shame?
Last week we asked: Can health data security ever be guaranteed? Clear cut this one: 93 per cent said no, just seven per cent said yes.