Leading global cybersecurity firm Centrify has warned that My Health Record is not secure and creates a huge ‘honey pot’ of sensitive information that will “attract the bad guys” of cybercrime.
It comes as Singapore’s General and Children’s Hospitals were hacked and Prime Minister Lee Hsien Loong’s health records were stolen along with the records of about 1.5 million other patients.
Every Australian will get an online My Health Record that will reveal medical secrets such as if they have had an abortion, a drug or alcohol addiction, a sexually transmitted disease or mental illness, unless they opt out by October 15.
Former Australian Medical Association president Professor Kerryn Phelps says allowing police access to My Health Record information will undermine trust in the medical profession and the health system.
Under section 70 of the My Health Records Act police are allowed to access your record without a warrant for “the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law”.
“If someone has a cocaine problem, will they want to tell their doctor and seek help if they think it has any possibility of being uploaded to a site that can be accessed by police?” Prof Phelps asks.
Section 70 of the My Health Records Act also allows the System Operator (Australian Digital Health Agency) to disclose health information included in a healthcare recipient’s My Health Record for the “protection of the public revenue”.
“What on earth has that got to do with your health record?” Dr Phelps asks.
International public health consultant Bill Bowtell, one of the architects of Australia’s world-leading 1980s AIDS campaign, supports the principle of a centralised health record but says police should not be allowed to access it and the legislation should be changed to reflect this.
Australians with HIV should consider opting out of the new system because of the risk of a return of stigma and discrimination, and the risk of prosecution for reckless endangerment if police can access records, he says.
Women who have an abortion in states where it is illegal could also face prosecution and jail terms of up to 10 years if police can get access to their medical records without a warrant.
Around 65,000 to 80,000 abortions take place every year in Australia and one in four women is estimated to have terminated a pregnancy at some stage in their life.
Mr Hunt claimed this week that it was “incorrect” to say law enforcement bodies could access the My Health Record and that a court order would be needed.
However, the My Health Record legislation says the Australian Digital Health Agency can release the information to law enforcement bodies as long as it “reasonably believes that the use or disclosure is reasonably necessary”.
“The Digital Health Agency is clear and categorical — no documents have been released in more than six years and no documents will be released without a court order,” Mr Hunt told News Corp.
Australian Digital Health Agency chief Tim Kelsey says the agency has not and will not release any documents without a court/coronial or similar order.
Professor Phelps and Mr Bowtell said the legislation should be amended by Parliament to reflect this position.
In the midst of the Centrelink robodebt crisis last year, Human Services Minister Alan Tudge released to a journalist internal departmental briefings about an internet blogger’s personal circumstances, which included detail on her relationship and tax history.
In May this year the acting Privacy and Information Commissioner, Angelene Falk, determined that the Department of Human Services was justified in releasing the personal information of the blogger Andie Fox to the media.
Meanwhile, global cybersecurity firm Centrify has warned that your most sensitive health secrets will be vulnerable to hackers and may be seen by unauthorised health employees if doctors fail to log off the system.
Cybersecurity specialist Centrify operates in Australia, the US and Europe and delivers security to more than 5000 worldwide organisations, including over half the Fortune 100 companies.
“The challenge for My Health Record is that putting vast amounts of confidential health data into a single online database creates a huge ‘honey pot’ to attract the bad guys, so security needs to be at the heart of the entire system,” Centrify senior director Niall King said.
“Even putting aside the danger of cyber attacks, data breaches can arise from unauthorised employees accessing the system or a doctor leaving the surgery without logging off the system,” he said.