13 December 2019

MHR NOA audit, building rockets and the need for more security

The National Office of Audit’s (NOA) review of the My Health Record spent more than $600,000 measuring the effectiveness of the “implementation” of the MHR by the Australian Digital Health Agency (ADHA), not the actual effectiveness of the electronic record. It’s like giving NASA a tick of approval for how they built a rocket to get to the moon, but failing to check whether it had any chance of actually getting there.

The MHR is an extremely expensive, complex, fund-sucking, attention-distracting venture, and by not providing any meaningful reporting on how much traction it is actually getting in the healthcare community, and how effective it is so far and is likely to be into the future, we’ve missed an important opportunity.

The NOA assesses the “implementation” as effective, but then goes on to say that the MHR is therefore on track to save our healthcare system $14.6 billion by 2027. They assume this because this is an estimate provided by the ADHA from a while back on what the MHR project might save the healthcare system. The NOA ignores whether the MHR is actually taking hold in the manner that has been promised.

And this is the message which was picked up and amplified by the consumer press – the MHR passes a government audit and is on track as a project. But is it?

Bettina McMahon, the ADHA COO who is leaving early next year, told Wild Health that the audit was never meant to assess the effectiveness of the project, but it was an important check of the project nonetheless given the size and complexity of the MHR ‘opt out’ rollout.

“Where there’s a big investment, particularly there’s a big technology component, and we know that there’s not always a great track record for governments and big IT programs, the purpose [of the Audit] was to give some comfort to the government and the community that this project was capably run”, said McMahon. Asked to comment on the rocket analogy – OK you can build a rocket, but can it get to the moon – she said that this audit was important in assessing that the ADHA has “a rocket that we know can fly”.

It is certainly true that compared to other major government infrastructure rollouts – the NBN stands out a fair bit – the NOA assessment is at least a tick on the ability of the ADHA to run a project. It is a big, complex IT and, to a degree, social project.

But this tick of approval has ended up being misleading to the public. This hasn’t been anything to do with the ADHA itself. The NOA has bypassed the fact that the MHR project has no meaningful measurements of engagement of its major stakeholders – doctors and patients – and that at this stage we have no idea if the centralised shared health record is working in any way like it was promised and intended. McMahon feels that, given the size and the complexity of the project, it is too early to be assessing that meaningfully, but that will come. She pointed to the intention of the agency to establish a dashboard for such metrics on the MHR over the coming year.

There are a lot of factors closing in on the project and the ADHA which should put a lot of pressure on the government to audit the project properly in the coming years.

As an example, one of the most useful parts of the MHR in the last year has been a function called Medicines View. This was a neat piece of programming by the MHR people to extract medicines tables from a couple of reliable sources (such as the chemists’ dispensing system) and put them in a format at the top of the MHR which was reasonably reliable. Great. Up-to-date meds info is very important.

But eScripts are coming, and fast. Now that we’ve legislated for eScripts only, and based on how effective and fast this technology rolled out in the US, we can expect within a few years that up to 90% of our scripts will be held on our smartphones (or on those of our family or carers if we are older and not able to go digital). That means the smartphone has the most up-to-date and meaningful meds record.

Then consider what technology such as the web-sharing data standard FHIR is doing overseas now and is likely to do for important distributed information that a patient will encounter as they visit a GP, hospital, pharmacist or allied health professional. This technology clearly points a path to where a patient’s phone or other device is going to be the most important personal medical record holder (much like it’s the centre of your banking now). As you visit each of these professionals their databases will talk to your phone. Your phone will only have meaningful and recent data being sent to it.

The MHR is old data architecture now and the government knows it. It reaches out to distributed databases, takes the data and mashes it all in the middle on your MHR without any organisation. That’s dangerous for a whole lot of reasons, not the least of which is we are holding everyone’s health data in one place and it will be hacked one day.

The ADHA has taken that security issue seriously. It is spending more than any other government department on security. But it’s money that it wouldn’t need to spend if our personal health record is going to be held on our phones by our phone provider – where security is far superior.

To this point McMahon told Wild Health that beyond the importance of a proficiency check on such a big government IT project, the NOA has made some important recommendations about downstream security in our health system, specifically, that while the ADHA has done a great job of security on the MHR itself, that it should be taking a broader role around security at the far reaches of the system – the office of a GP and inside the pharmacist – where for obvious reasons security around patient records is of a very low standard.

“The NOA has said we need to take a more active role in working with the broader health sector who of course will be using the information [in the MHR]. That’s the whole point of this thing, but they’re operating at a different level and a different standard to the way the government infrastructure is.”

When asked what form oversight further to the edges of the system might look like, given that groups like GPs and pharmacists are already under enormous pressure from the system and are effectively only small businesses, McMahon said that this is what the agency would need to look at and be careful around.

So watch this space. It does make sense that if you build a highly secure system upstream, then the governance around that system should encompass all parts of the system eventually. The question is, and will remain for some time: are we building a system around an object – the MHR – which doesn’t suit the future very well?

The security around the current MHR costs a small fortune. It has to, as it’s a huge centralised data store of highly sensitive information. Spreading that outwards so that all conform to the government’s MHR project feels like it might be the tail wagging the dog. We don’t know if the MHR works yet. And if it doesn’t, we need to be very careful about making the nation’s GPs, pharmacists and allied health professionals conform to a centralised security architecture. The way technology is heading, it doesn’t feel like centralisation around one object in the system is the way to go. Already we see in the US a lot of distributed web sharing technology where the patient’s phone is collecting what information it needs as it goes where and to whom it needs. And in this case the security problem is solved without the government having to spend much at all. The problem lies with the patient and their phone security – which in most cases turns out to be pretty good.

It’s a difficult problem for the ADHA. One they wouldn’t have if the MHR didn’t exist. As things stand the NOA audit was reasonably meaningless in the context of this problem. The government needs to determine very quickly if the MHR really should be the hub of digital health in Australia or not. And they can’t do that if they don’t measure its effectiveness in intimate detail as it marches forward.

That the NOA is recommending the ADHA go wider on security governance, all as a result of the MHR, is an alarm bell of things to come. As the NOA sees it, the MHR is the centrepiece around which the digital health ecosystem should be developed. But is it?