The My Health Record system is an Australian government program designed to extract parts of your medical and health information and put them in a new system the government controls. It was originally designed for you to voluntarily opt in (which few did), but in 2016 the government announced its intention to make it opt-out, whether you want it or not.
The My Health Record is supposed to be a patient centric, patient controlled repository of health information. Any system of this nature requires maintenance and support. One essential support mechanism is the Call Centre.
This capability is the Achilles' heel of the system and is the main reason why the architecture that underpins the whole system is wrong. The meaning of this statement is significant. What it means is that the system itself cannot be modified to rectify the risks and dangers of the system in its present form.
This page justifies this claim.
What is the Call Centre?
What is the Design of the Call Centre?
Privacy Aspects of the My Health Record Call Centre
What could possibly go wrong?
Can the Risks associated with the Call Centre be managed and mitigated?
Links to other pages
The Government's high level document
that describes the system functionality, the
Concept of Operations, has this on Call Centres:
6.3.5 The PCEHR System operator will provide a Call Centre to allow individuals to obtain general information about the PCEHR System, register/withdraw from the PCEHR System and manage their access controls. The Call Centre will also provide support to healthcare organisations.
The Call Centre is available to both individuals and providers and will be able to support:
- General enquiries about the PCEHR System.
- Assistance around the registration process.
- Assistance in managing basic access controls
- Assistance in resolving issues around the PCEHR System.
- Resolution of complaints.
- Feedback around the PCEHR System
- Further functions may be added in time
Concept of Operations: Relating to the introduction of a Personally
Controlled Electronic Health Record (PCEHR) System
Edition: September 2011 Release
Date: 12 Sept 2011
Prepared by: National E-Health Transition Authority www.nehta.gov.au
NEHTA Version Number: 0.14.18
This document was, but is now not, available on the NEHTA or Department of Health websites.
A copy is available here.
The High Level architecture of the system, the document that describes how the system will work, says this on the Call Centre:
The Call Centre is used to handle PCEHR related administrative queries from individuals and providers. The PCEHR Call Centre is a separate entity from any Call Centres which may be associated with conformant portals. The Call Centre is deemed to be outside of the scope of this document and as such the related informational entities are not covered further here.
There is no information on the design of the Call Centre. We are not told which records a Call Centre operator can see, what they can see on a record, or what they can change.
In other words, the government has hidden from the public the extent to which the privacy of an individual's health data is at risk from Call Centre operators.
In addition to the above information it is stated that the PCEHR Call Centre will be run by Medicare.
High-Level System Architecture
Version 1.35 — 11 November 2011
This is available from the NEHTA website but requires registration.
A copy is available here.
In 2010/11 the government commissioned a Privacy Impact Assessment [PIA] from Minter Ellison, a firm of lawyers.
Their report included these statements:
5.1.13 Privacy Risks - Access to personal information by Call Centre
(a) It has not yet been determined the extent to which staff of the System Operator's Call
Centre will be able to 'view' data held in a consumer's PCEHR.
5.1.14 Recommendation - Access to personal information by Call Centre staff
5.11 That regulations under the PCEHR Bill set controls over the System Operator's Call Centre including requirements for staff security screening, the monitoring of calls and how much of a consumer's data can be 'viewed' in what circumstances.
Personally Controlled Electronic Health Record PCEHR Privacy Impact Assessment Report.pdf
Paragraph 5.1.14 recommends that the Minister for Health create regulations that define controls over what Call Centre operators can and cannot do.
Regulations are part of the legislative process that allow a
minister to "fine tune" a parliamentary act, without having to present
a bill to parliament. This is a normal parliamentary process.
The Department of Health's response to paragraph 5.11 of the Privacy
Impact Assessment, above, was this:
The Department agrees that a clear and robust framework is required for the operation of the PCEHR system Call Centre. The Department considers that this would be achieved in a flexible and responsive way through the use of regulations or rules. This is provided for in the legislation (s109(2) and (3)).
Departmental response to Personally Controlled Electronic Health Record PCEHR Privacy Impact Assessment Report 2011.pdf
The normal process is that the Minister makes rules and regulations and publishes them.
The relevant documents are available here:
The government accepted the recommendation regarding Call Centres,
however nowhere in the rules is there any mention of them.
This means that the government has not created the "clear and robust framework" that it agreed, in 2011, was "required for the operation of the PCEHR system Call Centre", as the system was then.
Our view of the situation regarding the Call Centre is:
Without any clear understanding of the exact capabilities of the Call Centre other than that outlined above and lacking the government's promised "clear and robust framework" we can only fall back on our, not insubstantial, knowledge of government Call Centre operations and capabilities.
Given that the government wants to ensure that over twenty million Australians have a My Health Record, it only takes a one in a million chance of things going wrong for twenty people a year to have a serious data breach.
Health data is the most sensitive and valuable of an individual's personal data. Health and associated personal data could be used as the basis for identity theft, blackmail and many other criminal purposes.
This means it is highly attractive to criminals and hackers.
The government's criminal and civil penalties approach is largely useless against people who have a ready-made defence (accidental or mistaken access), or against overseas organisations.
Furthermore, while laws may reduce criminal activity, they very rarely, if ever, completely prevent it. Laws work by punishing the guilty; crime and other more serious offences still occur.
The only totally effective way to eliminate the risk of My Health Record data breaches via the Call Centre is not to have a Call Centre.
The consequences of this are that without the support required by patients and service providers, the central My Health Record database would become unusable.
This should have been obvious to those architecting and designing
the system years ago. A different model, one not requiring a central
database and without direct patient access, should have been
implemented. It would have been far cheaper, far more effective
and nowhere near the privacy risk of the My Health Record.