[LINK] Your Medicare records online

Craig Sanders cas at taz.net.au
Wed Mar 3 14:34:24 AEDT 2010 

On Wed, Mar 03, 2010 at 08:46:18AM +1100, Kim Holburn wrote:
> This is rather scary.

yep, it is.

> > Extra security
> > Dr Mukesh Haikerwal, the former head of the Australian Medical  
> > Association and the current head of the clinical unit at the  
> > National E-Health Transition Authority, says the new system will  
> > provide extra security for patients.
> >
> > "The way in which the system will be rolled out is far more secure  
> > with these new arrangements than they are with a paper record," he  
> > said.

bullshit.

to illegally access current paper records, someone has to actually break
in (i.e. burglary) to the office where they are kept and read, steal, or
copy them. this sets an extremely high barrier to entry for snoopers,
not many healthcare workers are willing to jeopardise their career by
engaging in overt criminal offences like that.

with electronic records, they will be accessible over a network.
probably the internet (if not initially, then inevitably - all networks
eventually become part of, or connected to, the internet). this enables
casual snooping and it "decriminalises" the activity in the mind of the
user because it's just clicking on some buttons on a screen.

worse, it enables mass, automated snooping.


> > "With a paper record today you can potentially wander into a medical  
> > record department, anybody can wander in and have a look at  
> > somebody's notes without anybody knowing what's going on.

right. and hospitals and clinics and surgeries simply won't notice
that someone has "wandered in" and is reading patient records. or that
doctor X is reading the records of people who aren't their patients.



> > "In order to get access to medical information the person has to be  
> > an authorised healthcare provider."

well, that's extremely comforting.

how many thousands of "authorised healthcare providers" are there in 
australia?  

and how many of them would be willing to take cash from insurance
companies, employers, (ex-)spouses/partners, relatives, friends, private
detectives, police, spooks, tabloid journalists, or anyone else in
exchange for snooping?

i don't mind if my own doctors read my records (although i can imagine
situations where i wouldn't want all of my doctors to have access to ALL
of my records). but i sure as hell don't want ANY doctor or "authorised
healthcare provider" in the country having access to all of my records.
even if that means i might die in an ambulance because they weren't
allowed access to my records (IMO that is an acceptable extremely low
risk compared to the extremely high risk of privacy invasion)

and i especially don't want someone accessing my records because they
managed to guess, hack, steal, or social-engineer some health-worker's
login and password. or because some dickhead doctor wrote their login
details on a postit note, or shared their login with everyone in the
office - the vast majority of computer users are incredibly bad at even
understanding the concept of password security, let alone thinking it's
important enough to take precautions over. training and education DO
NOT HELP with this, most users are just not interested and think it's
just pedantic paranoia for obsessive nerds if the issue is brought up
(because they certainly won't think about it on their own initiative).


what is the exact definition of an "authorised healthcare provider" -
i.e. who gets to be one?

what sort of security checks or vetting are performed when someone
applies to be an "authorised healthcare provider"? for example, can
nutcase anti-abortionist doctors or nurses access someone's pregnancy
records.

what kind of audit trail is kept of each access? and can citizens
request (or preferably, DEMAND) a copy of the audit trail for their own
records at any time?

what kind of alerts are there for excessive or suspicious searches?

is there any provision for automatic notification of citizens whenever
their medical records are accessed?

what control do citizens have over exactly which "authorised health
care" providers are allowed to access their health records? and how
fine-grained is that control (if any exists)...i.e. is it just all
or nothing? can a person specify that "doctor X is only allowed to
access records that they generated or test results that they personally
ordered" or "my records are only accesible if I'm physically present to
input my secret key".




at the moment, it seems like the entire focus is on the convenience
of the medical bureacracy with little or no attention being paid to
individual's privacy rights.


craig

-- 
craig sanders <cas at taz.net.au>

More information about the Link mailing list