MHR – It’s time for a policy reset
Dr Ayman Shenouda
It’s a particularly hectic Monday morning and first up I have a 70-year-old male patient who has just been discharged from hospital.
It will be no surprise that there is no information from the hospital. He’s had some blood tests though and his potassium is very high. This is why he was admitted - that along with some kidney problems.
He’s accompanied by his son who is not aware of any previous conditions and not forthcoming about much at all.
There’s some patchy interpretation offered of what was conveyed to them in hospital – but too cryptic to work through and the confusion was just making this patient more anxious.
But what we do have is all his medication in a bag – a complicated mix of current and old meds to sift through – so with that, the usual diagnostic challenge begins.
Looking through, I find Spironolactone – a potassium-sparing diuretic – an obvious issue for a patient admitted with high potassium; if he continues on this medication it can be life-threatening. He also had a very severe itch, swollen legs and a few other chronic diseases, including renal failure.
This mixed bag of medications alongside some troubling symptoms makes for a very complicated patient.
It took half a day to sort this patient out. More blood tests, phone calls and inquiry in order to reassure that all issues were adequately covered.
It is when you have to deal with this spaghetti of information around a patient that access to their record in real time would have been helpful.
Particularly when combined with the lack of discharge summary and the fact that both patient and son had little to no health literacy.
It is those times when patients are moving between doctors, during emergencies and for post-acute episode follow-up that having this information to hand really counts.
This is where My Health Record (MHR) would support better healthcare decisions and enable GPs to find information quickly.
The crisis of progress – in terms of resistance and technology – is something we’ve come to expect when introducing significant change.
People resist change and with technology, this is intensified commensurate with risk, perceived or otherwise, which is precisely what we’ve just seen with MHR implementation.
Expecting resistance to change and planning for it is something good policy planners do.
But with this one, the MHR, there have been problems from its outset, from the early policy development to now in attempting implementation.
There were problems on a number of fronts in working through the opt-in then opt-out rather than compulsion. But these are just your usual pain points in working through complex policy implementation.
There were issues during the design phase and a seeming reluctance to take technical advice at critical points.
With the focus now of course predominantly on the risks: the risks to privacy, cybersecurity and hacking with minimal success in lessening privacy concerns.
From the very first day of the opt-out period, those opposed were stating that it is an ‘uncontrolled’ data dump.[i]
Right up to the penultimate day, as the deadline to opt out loomed, the movement in the Senate yesterday called for a delay of a further 12 months.
This last-hour intervention was made while Australians were rushing to opt out, causing system overload, with both the website and the phone line being reported as down.
I’m pleased to see Minister Hunt has decided to extend the opt-out period to 31 January 2019 which should enable some time to work through the many issues and hopefully reassure the public.
Where to next?
Our entire lives, it seems, are already in a databank of sorts and this lack of control is precisely why consumers needed that reassurance around privacy in this rollout.
A centralised database with widespread access is of course problematic. It required precision in design and diligence around patient privacy concerns and effective responsive communication to implement.
This needed a framework of trust and any attempt to implement without it was always going to lead to this point.
From the lack of informed consent, privacy and security challenges and limited protections around these - some have suggested the MHR is the health sector’s NBN and there are certain similarities here.
The risks are high and the right to privacy in the digital age relies on good laws and the lack of privacy and security provisions made it not ready in my view. These are complex technical and privacy concerns and this is where the problem lies.
These risks are poorly understood, and the fact that we’ve only just reached some consensus around some new protections through recent RACGP-led negotiations makes this a good time for a policy reset.
The extension to the end of January provides some time to work through the Senate Standing Committee on Community Affairs Report (which doesn’t recommend the abandonment of the system).
The benefits of the MHR or any redesign can only be realised through regular use so that it becomes a routine part of healthcare and only then will its full benefits be realised.
Broader take up can only eventuate once trust has been restored and there’s still quite a journey ahead before we get even close to this level given the policy implementation failures to date.
[i] Zhou N. Media Article: My Health Record: privacy, cybersecurity and the hacking risk. 16 Jul 2018. Available at: https://amp.theguardian.com/australia-news/2018/jul/16/my-health-record-privacy-cybersecurity-and-the-hacking-risk
A digital health future: The risks and opportunities
Dr Ayman Shenouda
An uncertain future
Technology will never replace doctors. That part is clear (or to me at least).
But there’s still a lot of uncertainty ahead and we’re all being told to prepare for significant changes. We’re now seeing daily discussions around the Fourth Industrial Revolution and that it will see unprecedented workforce change.
Despite threats of robot doctors, online lawyers and automated architects, it will be those distinctly human capabilities that will prevail. It is our heart that distinguishes here and no amount of automation can replace it.
At the same time, we will need to be ready for it. Because, if, as predicted, technology sees radically different healthcare systems emerge we need to be ready to embrace this change. Leadership will be required in shaping and refining quality standards to ensure continued best care for our patients.
Change is already here
There are already some significant advances taking place providing a glimpse of what is to come. Much of what we are seeing now is user-driven as technology uptake in the community increases such as through iPhone health monitoring apps.
There is certain strength in technology in empowering patients to take responsibility for their own health. Many aim to support self-management outcomes through patient empowerment, but it is clear that a lack of evidence-base undermines quality and safety in some.
There is discussion around how certain free medical apps are placing patients at risk through false or misleading claims. From instant blood pressure apps giving falsely normal values to apps that claim to measure blood pressure, oxygenation, and more – all without any peripherals.
Health apps present significant challenges to regulatory authorities. And I’m sure it’s not easy for developers to navigate the regulatory pathways either.
In Australia, we have TGA guidelines for what software constitutes a medical device. But how much monitoring is being undertaken to identify non-compliance, particularly around claims on these apps, is unclear.
The next phase of change
It’s clear a soulless search engine or app device is a long way from replacing a GP.
But what about the next phase of change? Deep learning breakthroughs of machine learning and artificial intelligence and precision medicine are likely to influence the way we provide care.
Big data analytics involve descriptive analytics, predictive analytics, and prescriptive analytics. It is the latter, in prescriptive analytics, which leverages descriptive reports and predictive data to identify actions that would produce maximum value to help us develop and adhere to optimal clinical pathways.
Clinical decision support (CDS) on the other hand is set to enhance health and healthcare teams. It will provide both healthcare teams and individuals with knowledge and person-specific information, intelligently filtered or presented at appropriate times, to enhance health and healthcare. CDS encompasses a variety of tools to enhance decision-making in the clinical workflow.
If the future of medicine is based on data and analytics in guiding decision making, then most critical to success will be that the GP remains in control of the clinical decision-making.
To safeguard patients, address questions of liability, and foster trust we need transparency in terms of how clinical decision support tools derive their results. Developers and vendors of clinical decision support tools must be transparent about their methodologies, capabilities, data sources, and limitations.
CDS in developing treatment plans will require leadership from the profession in terms of how we can integrate these systems successfully into our practices. In testing the efficacy of these emerging technologies in improving the care and treatment of patients there will be a need for strong, consistent, discipline-specific input.
For Australian general practice, there is a role for our College in joining multidisciplinary technology assessment committees. Currently, the RACGP Expert Committee – eHealth and Practice Systems leads much of this work.
The RACGP Technology Survey released earlier this month will help to gain more insight into the current trends in technology adoption in general practice. It will be interesting to see the results of the survey (which closed 3 December), particularly the views on technology use to improve collection of patient data and for clinical decision making.
Benefits in service improvements
Emergent technologies which present new opportunities for healthcare service provision provide great promise. These are technologies that interface with patients in maintaining health, receiving care, and managing a condition.
These new types of technologies – wearables, ingestibles, and embeddables – will be transformative.
Management in the home for the elderly and frail will benefit significantly from new technical innovations. Just by adding a number of sensors to the body to monitor, we will support older Australians’ independence as well as take some pressure off the service system while keeping them safe.
Reliance on these systems would need to be balanced, or it could potentially worsen social isolation and loneliness, which are already significant health risks for the elderly. The value of human contact and continued doctor-patient and nurse-patient relationships is vital here.
The next phase of wearable technologies will see patients constantly monitored remotely through wearable skin sensors or smartphone apps with data uploaded directly to their health record. These technologies aim to support the management of chronic diseases, such as diabetes and heart disease.
The advent of the digital health coach (Next IT) to remind patients to take medications and schedule doctor appointments represents a new type of technology to support medication adherence.
The UK is leading the wearable technology space with pilots underway which will see patients issued with state-of-the-art wearable technology.
These initiatives are designed to take pressure off the system but also to monitor conditions more effectively for a diverse patient cohort. Some pilots will enable independence for the aged through home monitoring systems, with others supporting mental health patients to stay in touch with support networks.
It is predicted that, as part of a widespread digital revolution of healthcare in Britain, within 5 years patients across the country will go online to speak to their GP via video link, order prescriptions or see their entire health record.
For implementation in Australia, a final note on the digital divide is warranted. Equity remains an issue despite the promises of high patient engagement through new technologies.
So much of the discussion around technology as an access enabler really misses this point. What about those millions of Australian households living without an internet connection?
Telehealth implementation has been patchy in rural Australia due to the lack of fast and reliable internet, despite the (slow) rollout of NBN. Assuming we all get access by the time these technologies are fully realised, not all Australians can afford access to the internet or the digital resources required to drive new innovations.
For equitable access, we would need to see policies that can provide unmetered online access for the disadvantaged. A commitment to extend the Health Care Card to address the digital divide should be in the planning if we are to strive for equitable access outcomes.
Leading the discussion
Healthcare’s technology revolution is likely to see significant change. Doctors have been described as late adopters of technology in the past. It will be important to be ready and even more important to be part of the discussion. That is, the one that is occurring now!
Finding new ways to connect patients to our practice is positive and possible right now. Future broader technology enabled supports to integrate services and strengthen monitoring of patients can see a positive new change which can only enrich patient care. We’re on the cusp of enormous change and our combined leadership is required in balancing risk with opportunity. Let’s all take up the challenge.
29 September 2017
Dr Ayman Shenouda
Cybersecurity in healthcare
The recent darknet Medicare breach came only a few months after the UK malware attack on the NHS locking its systems. You would expect the focus of authorities on potential threats to be high given the fallout from that. But we’re told the Government only became aware of the darknet issue from the media. And, that it had been there a while too: the data had been for sale on the darknet auction site for nearly nine months. So, while 75 Australians had their Medicare details sold, it appears neither the Department nor our security services were actively monitoring this posting.
We clearly need to get better at this. The Government had already demonstrated through the botched handling of the 2016 Census how unready it really was when it comes to predicting even the most predictable of attacks. The ABS website was crashed by a series of DDoS attacks which shut the census website down for nearly two days. Unfortunately, successive security and data breaches from government agencies like these only serve to undermine public trust.
Risks and benefits
Digitalisation of healthcare is a positive innovation but it comes with certain risks. It is a simple fact that the value of healthcare data makes our system more vulnerable to privacy breaches. You could say that publishing data of any kind potentially holds great risk to privacy. But certainly, the benefits in terms of service planning and health research outweigh those risks. It all comes down to how risks are managed so as not to stifle policy or undermine public trust.
If we want to achieve a more integrated healthcare system then the only way forward is through enabling policies. The integration solution lies in policies such as those being pursued through the My Health Record.
We know the risks to our healthcare system and organisations from data theft attacks are becoming more common. As in health, prevention is always better than a cure and on this issue, the approach is the same. The focus here needs to be not only on how governments handle our personal information but on how providers can be better supported to ensure organisational readiness.
My Health Record
There are a number of policy implications in terms of increased health information technology-based reforms. As the complexity of health services increases, the number of entities involved will increase and with that comes more risk around potential privacy breaches. We’re on the cusp of implementing long-awaited reform through the rollout of opt-out participation of the My Health Record system. It’s important to ask if this latest breach has shifted patients’ perceptions or altered their digital trust in moving forward on this policy.
We know that a Medicare card number alone is not enough to access a patient’s My Health Record. The official website reassures us that My Health Record is a secure online summary of a patient’s health information. That it is up to you what goes into it, and who is allowed to access it. While that last statement may be true, how well can this containment really be controlled?
Meanwhile, take-up in the pre-implementation phase of the opt-out My Health Record seems quite promising. The official stats show that almost 21 percent of Australians have already registered. The web page boasts that over 5 million people already have a My Health Record, with an average of 1 new record being created every 38 seconds. As with any good policy news, you can even follow progress with a helpful link provided: Keep up-to-date with the latest statistics on the My Health Record here.
Digital trust and implications for My Health Record
The Senate Finance and Public Administration References Committee Inquiry in August following the dark web breach has brought some new perspectives to the issue of digital trust. The 13 submissions provide some valuable insights, some of which I’ve summarised below.
The first cab off the rank, the Centre for Internet Safety, certainly didn’t hold back on the implementation of My Health Record, stating that the shift to an opt-out system ‘has done little to quell public anxiety surrounding the placement of sensitive health details into the online world’. It is also critical of the Government’s communication strategy, which it says has not managed to convince on matters of security. This, combined with the constant reporting of breaches, is all contributing to diminished trust, safety and confidence.
Their submission also states that the promotion of privacy issues and the importance of the protection of personal information is critical to the ongoing functioning of the online environment. To secure buy-in, it is important to create ‘benefit profiles’ alongside these new technology projects to truly test measures of ‘consumer trust, safety and confidence in the intended service delivery’. In terms of My Health Records, they warn uptake will be very slow unless the Department can adequately address the trust, safety and confidence benefits and competently communicate these to the public.
The Australian Information Commissioner’s input provided some useful guidance, stating that ‘the use of personal information should be necessary, proportionate and reasonable to achieve the policy goals’. The Privacy Impact Assessment (PIA) is a policy tool designed to assist agencies to consider these matters, measuring possible impacts on the privacy of individuals. The Commissioner stated that, in the case of the Medicare breach, a PIA would have highlighted privacy impacts associated with accessing Medicare card numbers through an online portal environment. Importantly, it would have identified any further proactive measures required to mitigate those impacts.
Both the RACGP and the AMA do not believe this latest breach will have any implications for the My Health Record roll-out. The University of Western Australia, while outlining the value of Medicare identification information to a criminal – identity fraud, prescriptions to obtain painkillers and possibly S8 medications, as well as diverting Medicare rebate payments from a legitimate account to a false one – also states that motivations to access My Health Records or medical records of any kind are less likely.
Importantly, the RACGP highlighted that even with preventative measures in place, real risks persist for any organisation in terms of internal or external data breaches in an interconnected world. There are College resources to support GPs to minimise risks including the RACGP Computer information security standards (CISS). It states that those practices implementing the cybersecurity and privacy guidance provided here are less vulnerable to a data breach.
Both the Department of Health and the System Operator of the My Health Record System, the Australian Digital Health Agency, state that it is important to note that illegally obtained Medicare card numbers are not sufficient on their own to provide access to clinical records or an individual’s My Health Record.
The System Operator appropriately provides a detailed response to the impact on the rollout from the Medicare information breach. Reassuringly, it states that security and operation of the system protect against the unauthorised disclosure of health information from the My Health Records for individuals with access to Medicare numbers. Additional information is required to authenticate consumers and healthcare providers. But, despite these reassurances, it is clear in other submissions including those from the University of Melbourne, Deakin University and the University of Newcastle that concerns remain with the My Health Record system and its pending rollout. Future Wise give an excellent technical response to the issue as well as policy solutions in moving forward.
The policy lessons
It is important to see the risks in terms of potential implications to the rollout of the opt-out My Health Record system tested through this consultation. It will be interesting to see what recommendations are made in the Senate Finance and Public Administration References Committee Inquiry in its report due in October. Overall, I think more work needs to be done here with much more focus required on strategies to protect patient data in rebuilding trust.
From these consultations, mechanisms for overseeing and monitoring access seem lacking, as do the required assurances around data storage and controls, and the system-wide capacity to provide the security controls to mitigate risks remains unconvincing. The collective wisdom provided in these submissions will help guide policy to safeguard from further threats in the future. As stated earlier, the success of important reforms including My Health Record comes down to how risks are managed so as not to stifle policy or undermine public trust.