Dr Bartone - Weekend Sunrise - My Health Record

KYLIE GILLIES:   Well, there are growing fears over the security of Australia's digital health database - it's called My Health Record - after a similar system in Singapore was hacked in a major cyber-attack. Officials there say 1.5 million records were stolen over the weekend.

BASIL ZEMPILAS:   Singapore's Prime Minister was specifically targeted for his medical history, according to reports, raising the question: how easily could the same thing happen here?

KYLIE GILLIES:   Well, to discuss this, we're joined by the Australian Medical Association's President, Dr Tony Bartone, and digital rights campaigner and lawyer Lizzie O'Shea. Welcome to you both. Lizzie, let's start with you. I mean, uncanny this timing of the attack in Singapore, in the first week of the opt-out here. I mean, it highlights how valuable this information is to hackers, right?

LIZZIE O'SHEA:   Absolutely. I think when you centralise information like this, in a designed process that puts all this information in a single spot, it becomes very attractive to hackers. What we're looking at is creating a system where people will want to access it for all sorts of nefarious reasons, and we're also putting power in the hands of Government to be able to decide how that information is used. It's a design system that hasn't put patients’ interests at its centre, and hasn't put privacy and security as the key priorities in design.

BASIL ZEMPILAS:   Dr Bartone, in the wake of what we've seen in Singapore, how secure is our system here? I think it's a legitimate question people have got a right to be asking.

TONY BARTONE:   Thank you for the question, Basil. Look, the system here has been designed at the highest level of government standards. So every other department - your tax department and all the other departments there - they work to certain protocols, and we've been assured that this is to the highest level of protocol when it comes to security.

Now, the report from Singapore obviously does send some alarm bells. But we need to remember that, at the moment, if there are nefarious people trying to access your data, your health data, and they're specifically targeting you, they can do so that at an institution level, at a university level, at a hospital level. So where you've got nefarious people trying to access, you may never be able to completely secure that.  

But there are a number of measures that need to be - that anyone trying to access your data illegitimately has to jump over so many hoops. You need to have the authority, the right software. You also need to have a lot of other data to access the various records. Obviously, nothing is foolproof, but the important things are there - no Tom, Dick or Harry can access your data here at the moment.

KYLIE GILLIES:   Yeah. Having said that, if they can get the Prime Minister of Singapore, you would have to think they can get to anyone. Dr Bartone, if hackers do get in, what information will they have access to? Will we find out about Basil's ingrown toenail?

BASIL ZEMPILAS:   How did you know?

KYLIE GILLIES:   Like, it is going to be all there for us to see?

TONY BARTONE:   First of all, it will be up to Basil to ensure what is there or isn't there. He can decide what is contained in that record and what not. That's why it's called My Health Record. Basil can even decide to put extra layers of security around certain parts of the information that's up there. But it will only be a summary. It's never going to be the complete Basil Zempilas file with all the places that he's been. It's going to be what has been put up in a summary format, usually in conjunction with his treating family doctor, and obviously always in the control of Basil to decide what is up there and what isn't.

BASIL ZEMPILAS:   Tony, thank you. So Lizzie, why should I be worried anyway then? If somebody accessed my health records, so what?

LIZZIE O'SHEA:   Well, there's a variety of reasons why I'm concerned. It's not entirely clear what will happen if there are mistakes on your record, how they can be corrected, and this will be indelible: it'll last for 30 years or 30 years after you die in which medical professionals can see this.

Let me put it this way, if you needed a plumber to come and fix your leaking sink, you wouldn't cut them a house key. You'd invite them in and let them in yourself, and you wouldn't cut a house key for every single plumber in the city or every house painter or electrician just in case you might need to use them at some point in the future.  And I think the same is true here: 900,000 medical professionals will have access to these records - 12,000 organisations. Why would you design a system like that? Why wouldn't you give one person the house key - which is yourself - and allow them to come in with your permission? That would be an example of how you could design a system that has both privacy and security in mind, and it would be better for everybody.

But instead, we've got the Government rolling out, in a heavy-handed manner, a system that has not been designed with the interests of patients at heart and I'm really troubled by it. They can say - many people can say that “there's not going to be hacks or that there may be hacks and there's nothing we can do about it”, but that's pretty cold comfort, I think, for lots of people who want to see their doctor.  You want to have a relationship of trust with your doctor, where you're allowed to tell them both about your ingrown toenails or any other embarrassing health condition that you have, and a system like this does not generate the kind of trust that you need to have to be able to have a good relationship with medical professionals.

BASIL ZEMPILAS:   Lizzie O'Shea, Dr Tony Bartone, thank you both for your time this morning.

22 July 2018

CONTACT:    John Flannery                         02 6270 5477 / 0419 494 761

                     Maria Hawthorne                    02 6270 5478 / 0427 209 753