There’s been quite a lot of coverage of the My Health Record system since the opt-out period began almost a week ago on Monday 16 July 2018. I’ve been somewhat involved in providing commentary, and there’s only so much you can do with the limited space and structure of a radio interview or OpEd. Here I have a little more room to move, so I want to see if I can provide some nuance that has been missing from my other commentary.
An example of the (entirely fair) questions I’ve been getting:
@jpwarren you seem to know things – is GovTech twitter against a centralised health record in general OR just this one and how it is being implemented?
— John Westgarth (@JWestgarth) July 18, 2018
While we don’t have infinite time and space to answer, I’ll give it a go.
With a centralised system, all the eggs are in one basket. It’s a lot easier to carry one basket than, say, fifteen, but if you drop that basket, you lose all the eggs at once.
With information systems, centralisation brings economies of scale. Decentralised systems are orders of magnitude more difficult to design and run, so keeping things all in once place is much easier to do. If it’s easier to do, then mistakes are less likely, it’s faster and cheaper, all sorts of good stuff.
Only having to interface to a single system to share data between healthcare providers is easier than having to deal with lots of different systems, and it means you can fix a problem once in one place. Apple can patch security flaws in iOS for its phones much easier than the bazillion Android variants that are out there.
The downside is that if that one system has a problem then all the information is at risk. What happens if the central system is offline? Systems do have issues, even highly reliable ones, so what do you do if it’s broken?
If you come to rely on a single system too much, and it’s suddenly not there, that lack of a system causes new problems. If you don’t accept cash in your small business and the point-of-sale system from your bank is down, how do customers pay you?
Single Point Of Success
I think it’s unfortunate that the “will save your life in an emergency” example is being used so heavily by those promoting My Health Record, because of what I call the Single Point of Success problem. If this system is so valuable and vital, what happens if the system isn’t working during an emergency? What if I don’t have my basket when I really need to catch some eggs falling towards me right now?
The truth is probably that doctors will… use other systems, like the ones they have now. People’s lives do get saved in emergencies today, without using My Health Record. I could catch eggs with my hands, or a bucket, or call for help and have a bunch of friends help me catch eggs until my basket is working again.
But that makes the value of my basket less dramatic. It’s mere progress, not a revolution. If I can do without it, then maybe I don’t really need it after all? Maybe a bucket is good enough? Maybe I only have a couple of eggs to carry and have large enough hands?
But if the value is less dramatic, that makes MHR a harder sell, so you can see why people would go looking for a story that will stick in people’s minds.
Which is a pity. If MHR makes life clearly better for a non-trivial number of people, that’s actually great! Credit cards are handy and people use them quite a lot at cafes even though the merchant networks sometimes break down and cash is still an option. It didn’t happen overnight, but it did happen.
I don’t see why MHR has to revolutionise healthcare for every single person in Australia by next Tuesday in order to be worthwhile doing.
Unless the cost got so high that only a nationwide revolution in healthcare would justify the expense. The sunk cost fallacy is a huge problem in Australia.
If all the information is in one place, you only have one target to attack to get at a lot of people’s data. That creates some financial motivations for bad actors, just as people steal from banks because that’s where the money is.
This is a real, credible, and substantial risk. Perfect defence against it is impossible, and information security is really hard. A data breach is likely. Rather than concentrating on claims that it won’t happen, instead you should focus on what happens when it does.
Which is what banks do.
Sure, banks try to make it harder to rob them with security doors and time delay locks and whatnot so that criminals have incentives to make money in other ways, but banks also have insurance and train tellers not to get into action movie fights with the dudes with balaclavas and guns. Real life is not like the movies. Pretending the risk doesn’t exist means you’re likely to have a bad time when you discover the universe doesn’t really care what you believe it should do.
So far, the focus from MHR proponents has been on either denying that a breach will happen or downplaying the impact to something trivial. This is unwise, as should be clear with the news of the Singapore health data breach on Friday. It indicates a lack of maturity in thinking about information security, which concerns those of us who deal with this stuff in our day jobs.
Let’s be adults about it and talk about how we’ll handle the inevitable data breaches that are going to happen, and discuss how we minimise the harm.
The baskets-and-eggs analogy is helpful when you’re thinking about damage risk, but not so good when you’re talking privacy risk. Eggs aren’t copyable the way information is. Not yet, anyway.
Unlike money, if MHR has a data breach the information isn’t gone. It’s still there, but now more people have access to it than we want.
And this is a core contradiction of the MHR system. It’s designed to share information. That is literally what it is for. But we don’t want to share information too much. And what constitutes too much varies from person to person, and over time, and context, and circumstances.
Some people could see quite a lot of benefit from a system with all their health data in it. But other people could be placed at substantial risk. A well designed system needs to be flexible enough to cater for both these situations, and all the nuances in-between. Right now it seems to have been designed more as a one-size-fits-all system. Designing for average is a poor plan, because the average person has one ovary and one testicle.
A system I don’t like but don’t have to use is much less of a problem than one that doesn’t work well for me that I am forced to use. The best case scenario is that no one is actively harmed, but the worst case is quite bad for a lot of people who are already vulnerable.
It’s a health system. First, do no harm is supposed to be at the core of health decisions.
I also believe that any mandatory system should be, at worst, benign, and I don’t believe My Health Record is such a system.
Now, this is an assessment that every individual needs to make themselves. Others have a different risk appetite than I do, and are traversing a different threat landscape. I don’t have an abusive ex trying to find where I live and murder me and my children. I don’t have a health condition that would likely mean I’d lose my job if my boss found out. I’m not an easy target for blackmail. Others are not in my fortunate position, and I don’t get to dictate to them how they protect themselves from harm.
But this could change.
The choice to opt out or stay in is asymmetric. They are not equal choices.
If you opt out, you can change you mind later and opt in, and you don’t really lose very much relative to those who stayed in from the beginning. You lose the utility of the system while you’re not in it, but you’ve decided that was net beneficial (or you wouldn’t have opted out), so you’re happy with that choice.
But if you don’t opt out and then change your mind, you are in a worse position than those who opted out straight away.
Because your records are kept in the system until you die, plus 30 years (or 130 years if your date of death is unknown). You can’t delete the information in the system. You’re stuck with a “cancelled” record instead of having no record at all like those who opted out from the start.
That cancelled record still exists, it’s just hidden. And not from everyone, it seems. There’s no clarity about if, for example, the police could take a look at the information in your cancelled record using their s 70 My Health Records Act powers. Or, if access to the system is opened up later on, insurance companies who want to take a peek.
I have better options delaying joining the system than if I don’t, which contributes to the value I place on my choice.
Benefits of My Health Record
As discussed quite well in this article in The Medical Republic, the benefits of these big data collection systems are frequently nebulous and fluffy. There’s a lack of hard data, which is odd considering how often people bang on about “evidence-based decision making”.
My Health Record isn’t a new system. It was kicked off in 2010 and launched in July 2012 when it was called the Personally Controlled Electronic Health Record (PCEHR). It changed its name in 2016 to My Health Record under the Turnbull government as part of its attempt to breathe new life into the struggling project. Around that time, the trials of the opt-out system also began.
After six years since launching, including two years of opt-out trials, we should have some hard evidence of benefits to various groups of people. There should be metrics that demonstrate what is working well, and what isn’t. If the benefits really are as substantial as we’ve been told, then it should be pretty easy to provide hard evidence to support the rhetoric.
So where is it?
In the past week, we’ve been told lots of stories about future benefits. The My Health Record website suggests, for example, that
“A signification proportion of medication errors that lead to harmful medication safety incidents and Adverse Drug Events (ADE) may be preventable through increased accessibility to patient information” [emphasis mine]
May be. Not is.
I don’t understand why you would deliberately make things harder for yourself by hiding all the massive benefits you have loads of evidence to support. It implies that the benefits actually aren’t very big, or that you don’t have much in way of compelling hard evidence to support the benefits you’ve been telling everyone totally exist.
My friend Dr Trent Yarwood provides a good summary of coverage of this issue worth reading.