News that the health records of 1.5 million Singaporeans, including those of Prime Minister Lee Hsien Loong, had been hacked couldn’t have come at a worse time for the Australian Government which is battling hard to sell a digital health record scheme to the public.
The Singapore hacking last week was given extensive coverage in Australia, where the public has until October 15, 2018 to opt out of a national health record system called My Health Record.
The My Health Record issue has ignited a fervent public debate about trust and data privacy and how that should be balanced with the advantages that digitized health records can deliver regarding both cost and care.
Around 20,000 people opted out of My Health Record on the first day of the launch, even though the scheme has the backing of the Government and opposition, and all the major professional medical associations in Australia.
A new entity, the Australian Digital Health Agency, has been created to administer the records scheme and around six million Australians have already registered for a record over the last five years.
Patients previously participated on an "opt-in" basis, but the Government has now made it "opt out." It means that unless people specifically indicate otherwise their records will be aggregated, kept and stored for 30 years after their deaths.
In addition to potentially saving the health system as much as AUD 7 billion, advocates say My Health will also save lives.
If, for example, persons traveling away from home need urgent medical care from medical professionals who have never treated them before, they will be able to access their health records and, it is claimed, make a better assessment and diagnosis in situations that could be life-threatening.
Privacy advocates, however, are unconvinced and are urging people to “opt out,” pointing to examples such as the Singapore hacking as proof that the security of any records system can be compromised.
There are also concerns about third parties accessing the records, even though people can change the privacy settings to determine who has access.
Law enforcement agencies, for example, are able to access a person’s records without a warrant if the information is considered “reasonably necessary,” and the Digital Health Agency can also make details available to the Australian Taxation Office.
Critics of My Health Record point to the failure of a similar US scheme the Nationwide Health Information Network, and claim the Australian model has a similar policy framework to a UK scheme called care.data which was canceled in 2016 after it was found that drug and insurance companies had purchased data.
The “opt out” movement has been boosted by coverage of the Singapore hack, and also by comments from cybersecurity firm Centrify that the health records are a "honeypot" of data which will attract "bad guys" of cybercrime.
The debate is sure to intensify in the countdown to the October 15, 2018 deadline, bringing into sharp focus the dilemma between the advantages and dangers of centralized health records.