Friday, 9 August 2013

I just opted out my health details from the Cloud.

On Monday July 29th 2013 all your health details held by your GP went live in the Ministry of Health's new Cloud storage system.  You have a National Health Identity Number under which your details are stored.

This system will store the basics of your information:
  • name
  • date of birth
  • address
  • contact details
The above details will be available for anyone authorised who accesses your details on the cloud.  This is what the receptionist at your GP can see.

What else will be stored on the cloud:
  • your allergies
  • medications you take regularly
  • medications you've taken for specific illnesses
  • your clinical history broken down into categories
The people who can access this are the practice manager of your GP medical centre, or any other centre or hospital facility, any doctor or nurse.

So this begs the question, just how safe are your details?  Who can and can't look at them?  When can they look at them?  What happens if someone accesses your health details without proper purpose?

The first security issue I have in regards to the Cloud is hacking.  The Midlands DHB has been telling their medical centres that your data on the cloud is as safe as your banking details.  Hmmmm.  Have they not heard about Nigerian princes?  Have they not heard about people skimming people's credit cards through Eftpos machines, ATMs or even a gadget that can scan your credit card details as your credit card lies idle in your wallet by walking beside you in a shopping mall?

My second security issue is in regards to the people who access your clinical record: ethically, they should do so only for reasons directly related to the care they are responsible for, not for "joy riding" purposes such as the following.

We are all aware of the case at Auckland Hospital of the man who was admitted with an eel somewhere it really shouldn't have been and the resulting disciplining of staff who accessed his clinical records and how it went viral in public.

And the Jesse Ryder incident in the Canterbury DHB was topical.  People from throughout the organisation, from Christchurch to the West Coast were checking out his clinical record.  Seven people were consequently disciplined for their unauthorised accessing of Ryder's clinical record.

Of course, New Zealand organisations don't have a great track record on privacy in the last few years: ACC (numerous occasions), MSD (aka WINZ), IRD, the defence forces and the Ministry of Education (through Novopay) have all had some sort of privacy lapse in various guises in the last two or three years.

Which leads us to the whole question of who else could access our personal health data and how they could use it.  We all saw Paula Bennett access the details of two WINZ clients and use their details when they criticised her cutting the benefit that got Paula to where she is today.  We all saw how Hekia Parata replied to teachers, who expressed their concern as private citizens and parents over the class sizes issue in 2012, by CCing the replies to their principals and BOTs.  And we saw how Bronwyn Pullar was treated when she exposed the privacy breaches at ACC and that a year after she alerted ACC to their breaches they have continued to happen.  And there was that case of the policeman who was married to a woman engaged in a custody battle with her ex-husband who accessed the police database to find out some dirt.

So what is to stop a government minister using their powers to access an individual's health record to use it against them?  Or an insurance company somehow gaining unauthorised access?  Or possibly even your employer?  Perhaps a psycho ex?  All they have to do is know someone who can access the data as part of their job who isn't very ethical.  And if you are a government minister, I guess you have the SIS and GCSB to do their dirty work.

So did you know this was happening?  Did your medical centre inform you that your records were heading to the Cloud?

Probably not.  I did a Google search and nothing came up in the news media.  Medical centre staff from two different clinics have told me that they have concerns for privacy.  The training they received from Midlands DHB clearly said that they should not promote the knowledge that the data is now to be stored in the Cloud and not to leave opt out forms in open view of clients.  My doctor didn't even know that patient data was to be stored in the Cloud and had to check with the practice manager when I told her I wanted to opt out.  They only had four forms given to them by the DHB, and I was the third person to request to opt out in the first two weeks.

Clearly the DHBs have not met the standard on informing patients about their data now being stored in the Cloud.  The DHBs have also not met the standard on informing patients about their rights to opt out of the Cloud to protect their privacy.

The DHBs have failed the standard.  They can only hope that the cartoon below doesn't apply to them in the coming months and years.
