Why I'm opting out of My Health Record - and why you should too.

My Health Record is a great idea on paper, but the security implications are enormous.
Written by Cameron Germein

As a pseudo Internet security professional, I have quite a bit of experience in ensuring the security of Internet-facing applications, and being quite familiar with the ISO 27001 security model, I understand how to model risk and apply treatments in a verifiable and managed process. In short, I know enough to do my job, and I also know enough to know that the idea of My Health Record sounds wonderful on paper, but it's a ticking timebomb waiting to happen.

The problem isn't My Health Record itself - I am perfectly comfortable with the idea that the central database itself will be very heavily fortified. Banks have been giving access to online banking services for years, and it's fairly rare that a bank's underlying infrastructure is compromised to the point that hackers can make off with the bank's money. This level of security is expensive, but it's certainly possible. 

No, my problem lies with the healthcare providers who are accessing your records. These organisations have nothing like the degree of IT sophistication that the MHR team themselves do, and now that they're such a juicy target, you can bet hackers will be actively targeting them. 

There are extensive policies and legislative mechanisms that your local doctor's surgery will supposedly have to comply with to help ensure their security, but the reality is that these organisations aren't even going to get close. It's not just a matter of getting the IT guys around to tighten up a few nuts and bolts; it requires an organisation-wide shift to embracing information security across every single aspect of the entire business. Everyone has to get on board, top to bottom, and it's simply not the sort of thing your local GP is cut out for, let alone has the time for.

So there *will* be breaches, and once that information is out there, it's out there. How happy would you be knowing that all your potential employer has to do is type your name into Google to find out your sensitive health history? Would you want them to know that, as an example, you were once treated for a mental illness? If your health record is a manila folder in a doctor's office, it's a lot harder to hack than the receptionist's PC. This is why I'm opting out of MHR, and it's why you should too.




Assembler is a web design agency based in Perth, Western Australia. This blog is intended to be an informal, behind the scenes look into the web design and development industry. If you like our content, please follow us on LinkedIn or Facebook!
