Audit finds centralized database puts patient privacy at risk

A review of Australia’s controversial My Health Record scheme has concluded that it does, as experts have warned, present security risks to the public.

My Health Record is an electronic healthcare system designed to provide Australians with seamless healthcare across different medical services.

Earlier this year, it was changed from an opt-in to an opt-out scheme, despite concerns about privacy and security.

In its review of the system, published on Monday (November 25), the Australian National Audit Office (ANAO) concluded that the A$1.5 billion ($1 billion) project is “largely effective”, although poor management of shared cybersecurity risks, including inadequate controls over access to patients’ records, remains a pressing issue.

In terms of privacy, the ANAO found, emergency access to patients’ records was widely being misused.

“Monthly use of the function increased from 80 instances in July 2018 – prior to the transition to an opt-out model – to 205 instances in March 2019... in only 8.2% of instances was it used as intended,” reads the report.

Meanwhile, four privacy reviews – which had received funding from the Office of the Australian Information Commissioner – were never completed by the Australian Digital Health Agency, the body responsible for implementing the My Health Record system.

The conclusions come as no surprise to experts who have repeatedly warned of the risks to patient privacy.

“Our view is that the government has failed in its duty of care to all those who have been registered for a My Health Record,” Bernard Robertson-Dunn, chair of the Australian Privacy Foundation’s health committee, tells The Daily Swig.

“As anyone with even the most basic knowledge of security and privacy knows, any weakness can be devastating. Privacy and security have to be done fully and properly – near enough is not good enough.”



Meanwhile, healthcare providers are not all achieving minimum levels of cybersecurity, says the ANAO, with the Australian Digital Health Agency (ADHA) failing to monitor compliance effectively.

It has also failed to check whether third-party software providers to healthcare agencies are complying with the government’s cybersecurity framework.

‘An open book to attackers’

The report expresses concern that health records could be accessed, modified, or wiped without authorization if a healthcare organization or its service provider becomes compromised.

Only a third of these organizations, it said, were properly secure, with an audited policy that was actually being complied with.

“In my view, by far the greatest risk to the security of records is not through the core MyHR system, but by compromising one of the myriad healthcare provider systems that is connected to it, or compromising one of the hundreds of thousands of individuals working at healthcare providers with access to My Health Record,” Robert Merkel, a lecturer on cybersecurity and systems at Monash University in Melbourne tells The Daily Swig.


Check out the latest healthcare data breaches and security news


“As such, it is likely that there are a very large number of general practices out there whose IT systems are vulnerable to even moderately sophisticated attackers, let alone ones with the resources of a nation-state – which was explicitly identified as a security risk in the report.”

And once in, he says, attackers would be able to access personal data with impunity.

“After obtaining such access, My Health Record data would be a virtually open book to the attackers: the remaining barriers to obtaining a specific individuals My Health Record are easy to overcome,” he says. 

“As such, it is my view that the current security architecture of the system remains unsatisfactory.”

The review recommends that the ADHA should review its shared cyber risks and mitigation controls, along with its emergency access procedures, and complete its outstanding privacy assessments. The ADHA has said it will comply.


RELATED Australian senate extends My Health Record opt-out period