My Health Record – Future Threats

As promised, this will be my third and final post on the My Health Record system. In this post I will briefly outline my concerns for MHR in the long term. I will try to keep this post brief, but if you would like to discuss any of the points I outline, please either contact me on Twitter or drop me an email. My concerns can be roughly grouped as: potential scope/mission creep; data and system security concerns; inter-project data linking and mining; and intergenerational data.

Before I get started, I want to address the revisions to the legislation that were announced by Greg Hunt’s office on Tuesday. As far as I am concerned, these revisions are entirely inadequate and designed to give the appearance of making concessions without making substantial changes. The revisions barely scratch the surface of the many concerns raised by both myself, and others, and the system still requires an opt-out rather than an opt-in, which would give the Australian people a genuine choice.

The first concern I raised above, scope/mission creep, is relatively easily understood. Scope/mission creep can occur in two ways. The first is that legislation can be introduced with a particular goal, but future governments can reappropriate the legislation (and in this case, the data gathered) for other ends. This form of mission creep has happened with many of the domestic anti-terror laws introduced in Australia post 9/11 (see discussion of examples here and here). The other form of scope creep is when legislation that infringes on civil liberties is introduced in a softened form, either with sunset clauses or as the least offensive version, with a view to amending it later to broaden its scope. Sometimes the government of the day may not necessarily intend to make substantial amendments to further infringe on civil liberties, but future governments see the appeal of such amendments and introduce them. One small change here by one government, another there by a subsequent government, and, over time, our civil liberties are eroded further and further. Let me make clear, I am not saying that all governments have some Machiavellian intent—although some may—rather it is the cumulative reappropriation and amendments that cannot be foreseen when legislation is introduced. Now, whilst I realise that amendments must pass through the parliament, it is easier to persuade parliament of the need for amendments that are incremental than to push through a highly controversial bill that takes the hardest line at the outset. Again, think about Australia’s anti-terror laws, some of which were only introduced because they had sunset clauses, which were then continually extended, for longer and longer periods each time. These concerns relate both to government uses of the data and to the potential for governments to authorise broader access to the data, such as to health insurance providers, pharmaceutical companies, etc.

With respect to the second concern raised, data and system security, this point is worthy of several posts alone—but don’t worry, I won’t have time to write them. I will however very briefly provide some food for thought on these concerns, some of which are more comprehensively covered elsewhere. My first thought with respect to security of patient data is obviously the potential for hacking and/or leaking, and I fear this may happen in several ways. It may be that, given a big fat shiny new target, hackers enjoy the challenge of splattering egg on the government’s face by hacking and then releasing the data (as proof of their hack). It may be that, given the commercial worth of the data, it is targeted for other ends, such as spurned ex-lovers, celebrities, politicians, or other public personalities having their data sold or leaked to the media (see here, here (account required), and here). Finally, and I will cover this a little more in a minute, if foreign governments obtain and leak this data, it would cause significant disruption and further erosion of public trust in government—both desirable outcomes for foreign governments seeking to destabilise the Australian government of the day. With respect to hacking, it is also worth noting that the potential for accessing individual patients’ data is greatly expanded if files are downloaded to local networks by treating healthcare providers, by the patient at home (either for review, management, or ‘safe keeping’), or by hospitals: each such copy weakens the security of the data and increases the likelihood it may be compromised—essentially the data is only as secure as each local network’s data hygiene, management and security practices. A further concern, and one I touched on above, is the potential for the data to become the target of cyber-warfare or cyber-terrorism operations. As societies, particularly those in the West, become increasingly reliant on online critical infrastructure management systems and on storing critical data by internet-accessible means (either on networked machines or in the cloud), they become very attractive targets for foreign governments and actors seeking to destabilise and undermine the sovereignty of their enemies. As Clausewitz told us, ‘war is a continuation of politics by other means’, and, as is commonly understood, the more you can destabilise a country and sow discord among the people, the closer you are to winning the war (see Sun Tzu for more on this). We already know that power grids have been subject to probes and attacks by foreign actors, and it is entirely conceivable that taking the MHR system offline, or subversively altering data, could wreak havoc. I will end my discussion of data and system security here, but this is by no means an exhaustive account of the threats and vulnerabilities of MHR, and this is one of my foremost concerns with the MHR system.

OAIC Notifiable Data Breaches Quarterly Statistics, 1 April – 30 June 2018

SOURCE: OAIC Notifiable Data Breaches Quarterly Statistics Report 1 April – 30 June 2018

Moving along to inter-project data concerns, I would be interested to know if anyone in Government (or otherwise) tracks the various disparate mass public data banking projects that are currently underway. For example, in the news recently we’ve seen a number of stories (see here, here and here) relating to private companies collecting and storing (and selling) consumer DNA in databases. These companies usually offer ancestry searches, genetic screening, or, sometimes, ‘tailored’ health solutions (see photo below). Further, many governments—including here in Australia—already collect and store DNA for ‘law enforcement’ purposes (see here for an interesting article on the efficacy of DNA in law enforcement). There are also numerous other initiatives collecting health and other identity-related data, such as: individuals’ genomic and biomarker information (see here and here), which can be used for ‘targeted’ and personalised healthcare; biometric databases (facial recognition, retina scanning, etc); clinical registries, which record information on various conditions, diseases, and medical event outcomes for epidemiology and preventative medicine; and, of course, individuals’ metadata, which, whilst not necessarily health related, certainly collects identifying and behavioural information. In isolation, some of these initiatives seem worthwhile; however, there is a very real concern that the data could be cross-referenced or linked. The first concern here is that de-identified data is more likely to become re-identifiable the more data points you have at your disposal. Second, the potential for ‘predictive’ uses of the data is far more attractive when there is so much information available to mine—you may think of me as a conspiracy theorist, but if it becomes possible to identify genetic predispositions for violence, crime, mental health problems, etc, and that data is cross-referenced against medical history and behavioural outcomes indicating the same, for some governments the temptation to use it predictively (and preemptively) may seem too good to refuse. Even were governments not to proceed down this path, access to the above data, particularly if combined, would have enormous potential for companies seeking to target market to individuals, and would make the temptation to combine and on-sell it very attractive. Obviously everyone wants the best possible healthcare outcomes, and the least crime possible; however, as a community we need to evaluate the efficacy and potential benefits vs harms of these technologies, whether used collectively or in isolation. In addition, as I have maintained throughout, where practicable, individuals should be afforded the opportunity to weigh the risks and benefits of participation, based on complete and comprehensive disclosure. Whilst there is not yet evidence these databanks will be linked, it seems highly likely it will happen at some point in the future. This is a potentiality that many individuals would not necessarily take into account when making decisions regarding participation in individual data banking projects. Furthermore, I have yet to see any evidence that Government is assessing this potential in the ethical evaluation and future planning of these technologies and databanks—I believe this is a serious concern.
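The re-identification point above (that de-identified data becomes easier to re-identify as more linkable attributes are available) can be measured rather than argued. The following is an added example, not code from the original post or from the My Health Record project. It uses a constructed ten-record “de-identified” extract and an assumed set of quasi-identifiers (postcode, birth year, sex, blood group: attributes a second data bank such as a DNA-testing company might also hold), computes k-anonymity as each attribute becomes linkable, and then shows the effect of one common mitigation, generalising birth year into bands, before release.

```python
"""Added example: measuring how linkable attributes erode de-identification.

The records and column names are constructed for illustration; they are not
real MHR data. The quasi-identifier list is an assumption about what another
data bank could plausibly hold for the same individuals.
"""
from collections import Counter

# Constructed sample: a "de-identified" extract with names removed.
RECORDS = [
    {"postcode": "2000", "birth_year": 1975, "sex": "F", "blood_group": "O+", "condition": "asthma"},
    {"postcode": "2000", "birth_year": 1978, "sex": "F", "blood_group": "O+", "condition": "none"},
    {"postcode": "2000", "birth_year": 1975, "sex": "M", "blood_group": "O+", "condition": "depression"},
    {"postcode": "2000", "birth_year": 1978, "sex": "M", "blood_group": "O+", "condition": "none"},
    {"postcode": "2000", "birth_year": 1982, "sex": "F", "blood_group": "A+", "condition": "asthma"},
    {"postcode": "2000", "birth_year": 1982, "sex": "F", "blood_group": "A+", "condition": "none"},
    {"postcode": "3000", "birth_year": 1975, "sex": "F", "blood_group": "B+", "condition": "diabetes"},
    {"postcode": "3000", "birth_year": 1978, "sex": "F", "blood_group": "B+", "condition": "none"},
    {"postcode": "3000", "birth_year": 1975, "sex": "M", "blood_group": "O+", "condition": "none"},
    {"postcode": "3000", "birth_year": 1978, "sex": "M", "blood_group": "O+", "condition": "asthma"},
]

# Assumed quasi-identifiers, in the order a linking party might acquire them.
QUASI_IDENTIFIERS = ["postcode", "birth_year", "sex", "blood_group"]


def k_anonymity(records, columns):
    """Return (k, singled_out_fraction) for the given quasi-identifier columns.

    k is the size of the smallest group of records sharing the same values in
    `columns`; a record in a group of size 1 is pinned down by those values
    alone, so its sensitive fields (here `condition`) are exposed to anyone
    holding the same attributes from another source.
    """
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    k = min(groups.values())
    singled_out = sum(n for n in groups.values() if n == 1)
    return k, singled_out / len(records)


def reidentification_curve(records, columns):
    """k for each prefix of `columns`: how the crowd a record hides in shrinks
    as each additional linkable attribute becomes available."""
    return [k_anonymity(records, columns[:i])[0] for i in range(1, len(columns) + 1)]


def generalise_birth_year(records, band=5):
    """Mitigation: coarsen birth_year to a band (e.g. '1975-1979') before release,
    so that records differing only in exact year fall into the same group."""
    out = []
    for r in records:
        start = r["birth_year"] - (r["birth_year"] % band)
        out.append({**r, "birth_year": f"{start}-{start + band - 1}"})
    return out


if __name__ == "__main__":
    # Expected: raw release [4, 2, 1, 1]; banded release [4, 2, 2, 2]
    print("raw release      :", reidentification_curve(RECORDS, QUASI_IDENTIFIERS))
    print("birth_year banded:", reidentification_curve(generalise_birth_year(RECORDS), QUASI_IDENTIFIERS))
```

On the raw extract, k falls from 4 (postcode alone) to 1 once sex is added: eight of the ten “de-identified” people are uniquely determined by three attributes that plenty of other data banks hold. Banding birth year keeps every group at size 2 even with all four attributes linked. The point for policy is that re-identifiability is a property of the whole ecosystem of data banks, not of any one release, which is why assessing each project in isolation misses the risk.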

Looking for an opportunity to compromise your privacy? How about trying this DNA test kit for weight management, which is available at Chemist Warehouse now…

Finally, related to inter-project databanks, and yet somewhat distinct, the potential for intergenerational datamining or cross-referencing is surely inevitable. My concerns here are two-fold. In the shorter term, I would like to know how Government could assure the Australian public that treating practitioners will not access patients’ family members’ medical records. I know we are often asked about our family medical history, but (similar to the argument I have made in previous posts) it is currently at our discretion what information we disclose and when, particularly when the information may have stigma associated with it or predispose doctors toward certain diagnostic avenues (mental health, addiction, etc). My second concern with intergenerational data banking is that whilst the current policy is to retain the data for 30 years post death (130 years if date of death is unknown), that is very likely to be extended, which would provide governments with longitudinal, intergenerational data on you, your children, their children, and so on. There is no doubt there are potential public health benefits to access to longitudinal, intergenerational health data, but, as I have maintained throughout, we each have a right to decide for ourselves whether we wish to disclose that information, and how we are comfortable with that information being used.

Well, that is it for now on MHR. My attempt has not been to give an exhaustive account of the failings and dangers of the MHR system, but rather to give some insight into my most pressing thoughts and concerns on the system. As you may have guessed, I will opt my children and myself out of the MHR system—for me, the risks just outweigh any potential benefits. I hope I have helped you to make an informed decision for you and your family—as the government should have done in the first place. I will continue to remain vocal on the need for the system to become opt-in, and the need for greater data and individual privacy protections in the system. If you’ve made it this far, thanks for reading.

/end rant