111 comments

[ 99.8 ms ] story [ 3169 ms ] thread
The Australian government is paying doctors to upload patient records to a centralised government controlled database.

The Australia government is incentivising doctors to sell client data to the government.

What part of this is ok in any sense?

how is that compatible with doctor patient confidentiality?
Who protects doctors from attacks, when they get attacked because they value patient confidentiality over conformity to such governmental programs and maybe peer pressure?
In my country, healthcare professionals form a union - so hopefully them?
The federal law says you can't upload data if the patient tells you not to. Max penalty for that seems to be 2 years imprisonment, though I doubt we'll see that. Some states have further restrictions which expand the scope of this -- for instance, in NSW, uploading anything about HIV would be illegal, even with patient consent.

The Australian Medical Association has said that the interaction of the MHR system with their code of ethics implies that doctors must get positive consent from patients.

In practice, your new patient registration forms are getting another checkbox.

It seems overall okay if you accept the premises that A) A centralized health record system can do substantial good by improving effectiveness and transparency of healthcare processes, and enabling medical progress through data re-use. B) Doctors won't lift a finger to do extra work if they have no selfish incentive for doing so.
C) the database never gets hacked, or leaked, or otherwise exfiltrated
Even if there is a risk of this. It might be a risk worth taking.

Edit: I don't know the specifics, but I sometimes wonder what good stats on more health records could do for future treatments.

I wouldn’t intentionally place my health records out of my own control, because I have significant risk to my life if those records become public. Having certain illnesses and medical history is inherently political in 2018 - being trans can result in violence against you, talking to your doctor about STIs - even just prevention - can get you kicked out of your home, having medicated/treated schizophrenia will result in losing job/housing/etc opportunities.

This isn’t going to change even if all those records become public in some way.

But you also have a significant risk to your life if your doctor can't get to them and orders the wrong treatment. The risk of that happening to you is actually significantly higher than dying from a lot of pretty common illnesses.

  But you also have a significant risk to your life if your
  doctor can't get to them and orders the wrong treatment.
Don't you think I'm in a better position to make that decision than a central government bureaucrat, given that I have my medical records and an incentive to protect my own privacy, and he has neither?
It's not good public policy for millions of people to make individual decisions about this. It's expensive for the healthcare system when there are a million different ways for it to access your data; some people bring in papers, some papers are on the other side of the country, some people have a USB stick, oh granny lost hers in a fire here's a photocopy from 10 years ago. It's just much more effective to manage these things at scale.

You have incentive to product your privacy, but you don't have the means. Are you going to bolt a fire-proof safe to your basement floor and keep a backup in a storage unit? Are you going to store them on a disconnected harddrive and create backups every 3-6-12 months? Can we expect every Australian to do this? Can we expect everyone to want to spend hundreds of dollars to make this happen?

So in my country, records are kept by the individual clinics, where I have GDPR rights over them and there isn’t a direct mechanism by which anybody but the clinic can access them. If I move clinic, there’s a process by which those records get moved with my consent.
Yep, works like this in Canada. The problem is that each clinic implements a different record system, so someone needs to undergo effort to translate them when you switch systems.

Also, I worked with OSCAR, one of Canada's biggest EMRs. It is written by a bunch of academics at a local university and is individually deployed on under-the-desk computers at clinics. It is full of security holes, the whole process of managing this system is.

I get why you want rights over the medical records. You can still have those on a centralized system. Google and facebook are centralized and you have rights over them (in some jurisdictions anyways).

Your province pretty much gets and retains your records because it's paying the bills.
I'm not saying I like the Australian take on this but I do think a central database for medical records has the potential to prevent medical treatment mistakes by a couple percent. That's thousands of people saved. At that point, I think it's something we really should discuss as a society because it would have a profound effect on the economy and public health. I don't think the idea is fundamentally flawed, I think that just like the justice system incentivzes people with a monopoly on violence to protect you we can legislate in a way that public health servants would be incentivized to look after your interests.
Sure, and I’m participating in that discussion right now - for me, it has a high risk of seriously negatively affecting me. There’s other bits of law that I oppose for similar reasons - there’s an opportunity to do a bit better/be a bit more efficient, but at the obvious cost of seriously harming people. I think that many people don’t recognise the downsides to centralised databases vs more efficient records transfer systems etc.
Sure, if your point is that centralized government databases are inherently bad because the government could use them, I can't argue against that because you simply will not risk whatever they could do however low that risk is (if it's even quantifiable).
Unless I’m unconscious, I can give my doctor permission to access my medical history from where it’s kept under my control, and give them a quick run-down in the meantime if necessary.

I feel that I should have a right to choose between the risk of death when both myself and my emergency contact are unable to provide medical information to a doctor, and the risk of my medical history becoming publicly available - or even just available to the Government. Forcing the latter risk on me is, imho, unethical.

And it would be much simpler if all you had to do was give them that authorization and they could retrieve your medical records in an instant, in the correct format for them to work quickly.

If they have to order your medical journal from a completely separate jurisdiction, in a completely different format, and then import it that would take longer. If you require specialist care which is not available in your area this is an issue that comes up again and again.

Not saying a centralized system would fix all the problems, or be perfect, but if it improves 1% of cases that's potentially thousands of people saved every year. That's a huge return for a very minor improvement.

All at the low, low risk of creating e.g. a centralised Government database of trans people, or people with HIV, or whatever the next big scare is.
Yes, not saying it's perfect or couldn't be used for evil, just like the FBI isn't perfect and can be used for evil. We have to weigh the options and legislate in a way that mitigates the ways it can be used for bad things.

Again, just a few percent in efficiency could mean thousands upon thousands of lives saved. I'm sure a lot of HIV positive people who were mistreated would've loved that.

FWIW, this isn't a "could be" used for evil, it's a "will be" - there's no particular reason why Government databases of people with certain characteristics have been used to oppress and murder people in the past, but won't in the future. I'm young enough, and there's enough public opposition to people with my medical history, that there's a very high chance that my country decides that I no longer deserve protection of my human rights at some point in the next century at the very least - so I'd like to make it a little bit harder for them to figure it out.
I agree. In the US, the equivalence of a packed Boeing 747 of people die every day because of medical mistakes. It's the third leading cause of death. If you could reduce that number by 1% through this policy, that would mean thousands of people saved every year.

In my opinion, the risk-reward analysis is clearly in favor of a centralized system.

That’s actually a Grady point. Thanks for raising it.
... or privatised and all the data used commercially
I'm all for donating health record information for the greater good to universities and researches to analyse and progress science and knowledge etc.

However, this government has no idea what is doing, the framework is poor, oversight is poor, without a doubt the implementation will be poor and its pulling a "swift on" on the public.

Lets not forget, this is a government that couldn't handle an IT system thad a few million people filling out a census form online.

It's really not that much money as an incentive. Doctors won't do it unless they believe it's a good thing.

Source: I'm an Australian doctor.

What are you doing, and what is your professional organisation (the AMA) doing, to counter long wait times for doctors visits?
I dunno man. I'm not a member of the AMA and I've always run pretty well on time unless I get bowled a bouncer.

I used to get frustrated with doctors running late, until I became one. It's the patients that come before you that largely determine how late the doctor is. If someone might be having an MI but only came in to discuss "reflux" the doctor is going to run behind.

What would you do about it?

Though, I'm not sure why you're asking me this since it has nothing to do with this thread.

So much entitlement in this post

Never the less, I’ll bite because this is a topic of interest to me. What kind of wait times are you talking about?

Emergency room? Public non-emergent and elective surgery? Private practice specialists? Bulk billing or private billing general practice?

You can have most stuff in Australian healthcare good, cheap or fast. Pick two.
Are you opting out? I keep remembering that AHPRA applied for warrantless access to metadata, and thinking that perhaps I might be better without a record in case the wideranging provisions for access by other agencies get deployed too liberally.
This is an interesting question and I'm still pondering on the implications.

I am generally in favour of people signing up for this (or not opting out as the case is now) because it very well may save their life one day. Emergency departments especially will benefit in being able to look up details on the patient. It's amazing how little most people know about their own health history.

I suppose it may also help me if I end up in ED unconscious and have some health condition they would need to know about. That situation is unlikely, and even if it did happen they could call my wife, who is also a doctor, and she'd also know what's important in my history.

So for me, there's very little benefit I see. Couple that with my distrust of the Australian Government's ability to outsource their critical infrastructure to American companies (facepalm) and have it actually work (facepalm), I'm leaning towards opting out.

For patients in general, I think the benefit to them will outweigh the risk of their personal data being stolen.

If only our government wasn't so inept with IT (we have plenty of good developers here. Why not make our own teams to build things?) I would be able to recommend this health initiative to everyone.

Edit: autocorrect fail

My Health Tecird is not going to help you in the ER in any way shape or form. At best it will be useless at worst it will be wrong.

It is not a complete record, and you will only be shown a summary of medical history not a clinically useful record. In addition the patient may have sought opinions from multiple doctors, any of whom may not use MHR.

The risk to most people who don’t actually need complex diagnoses will be endless calls from lawyers and insurance sales along with a web experience modified to keep them worried about that visit to the doctor about a possible STI last Valentine’s day.

> My Health Tecird is not going to help you in the ER in any way shape or form.

So you've been a doctor working in ED?

> will only be shown a summary of medical history not a clinically useful record

I'm going to guess you're not a doctor, since then you'd know how much more useful a medical summary is than no information at all.

Hell, if I have NOTHING BUT the patient's medication list, I can usually make a pretty good guess about their medical history. If the health record contained only patients' medications it would prevent an enormous amount of morbidity and mortality, as well as saving time for doctors, nurses and pharmacists all around the country.

Sure, it might not be complete, but it's far more likely to be complete than patients' memory of what meds they take for which disease, in which doses and with which frequency.

> If only our government wasn't so inept with IT (we have plenty of good developers here. Why not make our own teams to build things?) I would be able to recommend this health initiative to everyone.

It's not the government IT I'm worried about so much, it's all the local doctors that get access to medical records and have inept IT security. Previously if there was a breach at a practice it was only the data of the patients of that practice, now if there is a breach at a practice they can potentially access the medical records anyone in the country.

The attack surface is huge and largely unguarded and now there is a massive reward for breaching it.

> I suppose it may also help me if I end up in ED unconscious and have some health condition they would need to know about.

This can be solved with a card in your wallet, which they have to go into to find which health records to lookup anyway.

You have a really good point about local practice security. I agree.

I disagree about the card in wallet thing. Patients won't keep it updated. Also, most patients won't have it on them. And for many patients it would have to be a book, rather than a card. See my other comment talking about medications.

PEXA have pointed this out in great expensive detail with conveyancers. Every week there's a $300k theft of house sale settlements, always because some hacker has gained control of the settlement party's account.

I doubt medical practices are as bad as backyard shops like conveyancers but you are spot on, the incentives are definitely there

You can make the A) argument about any centralised database system. There is a down side and as always the challenge is finding the balance: the problems being solved Vs problems being added.
AFAIK the same thing has happened in Belgium. There are several databases, allegedly controller by hospital networks, which you can access using government ID. There's supposedly an opt-in clause, but I've certainly never opted in and all my x-rays are on the interwebz. Must be nice to be a 21st century government, where you can access any data on anyone in your country.
That is the case indeed. However the ehealth-ehub system (which I assume you are talking about) is not automatically in-sync with the data the hospitals have about you. When it is necessary to receive the data, the system will poll the hospital for the required data.

Then we have "NexuzHealth" in Belgium, which is an app you can install that shows you which data the hospital has about you. It's a network of 20+ hospitals but you can only view your data if you are actually a patient at these hospitals, and the goal was to provide the _patients_ with the same information doctors can see about you. Something you would normally not know about.

Source: I work in one of these hospitals (software engineer) but not directly related to the app nor the ehealth system, so this is my (limited) understanding of how it works from being around the people actually implementing this.

(comment deleted)
Anyone know who is the contractor running this fiasco?
Accenture, AFAIK.
No wonder it doesn't work properly.
Accenture - with Oracle and Orion Health - according to this: https://www.itnews.com.au/news/my-health-record-replatformin...

Hilariously, they've already let on they're not going to renew the Accenture deal - which no doubt will _highly_ motivate them to provide exemplary support and security over the next two years:

"The Australian Digital Health Agency has begun talks to replatform the My Health Record system ahead of the 2020 expiry of its multi-million deal with national infrastructure provider Accenture."

Wow. What do they expect the take-up rate to be with that kind of vote of no confidence from the people who commissioned it in the first place?
Serious question, has Accenture ever built a successful large scale system? Round these parts we call them "Accidenture". They are always involved in high profile project failures, though that are big enough that these might just unfairly publicized outliers
Are there any of them that actually are any good? You read these stories, and deal with a few different ones personally, and the whole sector quickly starts to look like a barely competent disorganized mess.
Most of them are very good but the assumption that there is a mythical 100% good system or company would assume that requirements are reasonable, unchanging and that the time and money to build it well are all present undermines everything. Even a simple application will quickly unwind when the whims of the customer change 10 times quicker than it takes to build something (same in most other industries).
Dunno, but I shuddered to find "...the creation of a new government agency - Service NSW - supported by the Salesforce Service Cloud. ..." https://www.salesforce.com/au/customer-success-stories/servi...

I trust government with my private data, not Salesforce or any other corporation.

Governments don't store private data, corporations do!

The only difference between government-fronted storage and direct-to-the-corporation like Salesforce is that corporations are mostly driven by profit and have slightly stronger reasons for protecting data to avoid losing your trust and money. Government motivation is mixed and changes over time.

> ... stronger reasons for protecting data to avoid losing your trust and money

Well, I'm not a customer to Salesforce, so they have no incentive to keep my trust and they get no money from me, but they can make money on my data, and likely would, why not?

ASide note: they are using the google recaptca on the opt out site shows they have no idea about privacy for a government agency.

So now google know everyone opting out I assume?

theoretically they can, because they're running javascript on the page. but in practice I doubt it, just like I doubt that scripts from googleapis.com aren't backdooring your websites.
Google knows everything, lol :) I'm actually afraid how much it knows, your searches, for once, tell it stuff you don't share with your wife. All your account's emails, drive files. Is your company uses Google? Is your kid's school uses Google? Have Android with location services on? Btw, in Android, you don't have option to restrict location data to an app while using the app, as you can in iOS.

I'm about to create extensive guide on un-Googling yourself and your family. Mainly use Apple ecosystem, they make money selling you phones and macbooks, not your data.

First thing is don't give Google any info to identify who is behind that browser, if you go to google.com directly. Use VPN to shuffle IPs, use only Private browsing windows (kills cookies), don't stay logged in to Google, don't use Chrome.

Second, is to block tracking network requests from most of the websites to Google, like (googletagmanager.com, googletagservices.com, google-analytics.com, cloudflare.com) by using adblocker (uBlock Origin).

As part of my work, I've had to read a fair amount of the legislation and reports coming out in this sector and also the "Consumer Data Rights" legislation (similar to the UK's open banking scheme.

What I found was a massive difference in policy coming out from the same government but in two seperate streams of work.

A) Consumer Data Right (legislation being built into Australia Privacy Act) focusing on banking, energy and then telecommunications: The user has complete control of their data. If a consumer asks a business to delete, they must do so (except for information that is legally required).

B) MyHealthRecords: The government has complete control of your data. You cannot delete your account or your data.

I'll add sources if I can, but its in the legislation.

> ... focusing on banking... - yeah. Commonwealth Bank Privacy Policy:

5. Who do we share your information with?

- Service providers — for example, mortgage insurers, loyalty program partners and our product distributors

- Businesses who do some of our work for us — including direct marketing, statement production, debt recovery and IT - support

- Organisations involved in our funding arrangements — like loan purchasers, investors, advisers, researchers, trustees - and rating agencies

- Auditors, insurers and re-insurers

- Current or previous employers — for example, to confirm your employment

- Credit reporting bodies and credit providers

https://www.commbank.com.au/security-privacy/general-securit...

What's even more disturbing, is that Visa/MasterCard are possibly get itemised data from store transactions, like Milk BrandA, bread BrandB, Medicine Name, BrandC.
I'm trying to compare it to the UK system, with the NHS "spine" and the huge failed NPfIT: http://digitalhealthage.com/digital-health-lessons-npfit/ . But I don't really know enough detail.
I wasn't directly involved with NPfIT, but was working for a small healthcare IT company in the UK at the time, and did have some opportunities to talk to some of the lazy incompetents involved.

I can tell you at least that Accenture were heavily involved in NPfIT too. They were forced out with the work uncompleted, although they somehow managed to dodge most of the fine.

There are some obvious lessons to take away about trying to avoid projects which have massive scopes and vague, changing requirements.

Also that contracting out to a consortium doesn't mitigate risk or project size, because the hardest parts of most IT projects are 1) deciding what to build and 2) dividing up the work into the correct pieces.

For me, though the main lesson is that contracting IT systems is really risky if you don't have in-house engineers to vet it. Companies with no competence in delivering software will sell you the wrong things at the wrong prices, and they will do it really convincingly.

For those who work in government, those companies will also have a terrible track record, but your institutional amnesia will prevent you from noticing, so you will hire them anyway. (Probably someone in your department previously attempted to get a company wiki to organise this sort of information, but ended up getting Sharepoint instead, and now no-one looks at it.)

Although I will try to find this information myself in the meantime, I'm looking forward to you sourcing this.
The Australian government gets away with a lot more authoritarian BS than other comparable governments, and there seems to be less of an emphasis on individual rights. I wouldn't trust them with medical records.
Having a centralised system with health records is bad? I've had that since I was born in my country and I think it's useful and handy. Something happens to you, they know what could've been, if you're on meds, what things and meds you're allergic to, etc.

I guess the outrage makes sense when looked from an American point of view where you distrust the government by principle?

Its not the idea that Australians mistrust - its the implementation. No great technical project in the last couple decades has been successful.

Under the current government we have the broken NBN, the fractured MyGov that has been repeatedly hacked, the falling over census website, other broken health care systems.

We can't trust that they can build it safely.

You should mistrust the idea as well. Scope creep is a thing.
Agree. AU Gov is failing in same way any big corporation fails. There is that strange notion that Managers know better than Engineers and can make technical Decisions.

Good engineers, who love coding, can design a big system, are unlikely to rule over the Design. It'll be bad engineers, now Managers, with good political skills, that got promoted because its their only way to survive, being otherwise useless.

It is totally upside-down, hence the mess.

If any AU Gov hot shot is here, I'll fix your mess, I'm good at it, did it few times before, drop a line at ausland@protonmail.com, I'll try to vet you :))

It will be AWS, no nonsense like kubernetes, possibly a dash of OpenBSD for public layer, least privilege IAM, Cloudformation everywhere. Solid. :) Open Sourcing it is an option too.

I've been bothering my doctors to actually check my E-health record for years. Sure, one specialist and a GP can communicate fine, but add on a couple of different specialists and it turns into a nightmare to get everyone the information that they need. Even in its current form, without mandatory use by doctors its been useful to me. I'm looking forward to having a proper record of my healthcare as opposed to the fragmented buy in there is now.

But that's mostly convenience for me. My wife worked as a doctor in emergency for a while. The only way to get a new patient history including all the information you've said is to call their doctor or ask them. Many patients can't give a full medical history and very few can do so in detail when it's complex. Many doctors aren't at work 24/7 when you want to call them. An E-health record is better.

As well as opting out, if you're concerned about privacy it might be good to contact your doctors directly to let them know that you don't give consent for your data to be uploaded in the first place.
Anything IBM can do (with the census) - Accenture can do better, huh?

Waiting for the claims it's government sponsored Chinese hackers attacking the opt out website...

There are problems with paper-based systems but they don't affect everyone to the same extent: * I visit another doctor when on holiday - they don't have my records * Certain treatments need the approval of my home doctor, it talkes longer than it should * Harder to collate statistics that are supposed to show the state of the nation's health

But there are problems with an electronic system: * A single point of attack * No way to assure people it is ultimately secure, because it can never be * Fluffy exemptions to the protection offer - especially if they are more far-reaching than existing exemptions used for accessing your paper records * Creeping requirements mean that a few years later, the government might change what they can use it for.

At the end of the day, neither system can be measured in terms of risk or reward in any meaningful way - many advantages are theoretical and risks are downplayed - so you pretty much have to accept the centralisation of the worlds systems or move to a Banana republic!

* A single point of attack

Totally the same with your data in that one primary doctor's office or whatever

* No way to assure people it is ultimately secure, because it can never be

Totally same with your paper records, someone could walk in and steal your data, imagine that.

* Creeping requirements mean that a few years later, the government might change what they can use it for.

Just like paper records, you can't say what they will use them for in the future.

I believe you’ve misunderstood the concept of single point of attack.

This means single point of attsck for everyone with an ehealth record.

With paper records, or in-house digital records, a hacker / thief, or malicious government, or what have you, has to compromise many systems.

The same applies to your paper record comment.

> I believe you’ve misunderstood the concept of single point of attack.

Single point in who's perspective though, OP worded it more like (s)he cares about his/her data not everyone else's (e.g. "I visit another doctor when on holiday - they don't have my records"). But yes, you are right about it being in general a higher risk endeavour. The question now is though, when other commenters here describe how their life and career could get in danger when someone steals their data, which do you think is going to be much harder to breach, your local doctor's office or a central database that's guarded by armed guards and experts?

> which do you think is going to be much harder to breach, your local doctor's office or a central database that's guarded by armed guards and experts?

Who’s going to break in to a doctors office, then scan and upload your medical records? I don’t think thieves in Australia would even bother with doctors offices because no drugs or cash.

Rather, it seems certain that this database will be breached and the data sold on the black market, and / or some future government using it outside its intended scope.

Electronic records have a single point of attack for the entire country's data versus a breach at your local hospital. Makes beaches much worse while also greatly incentivizing the breach.
What about greatly incentivizing protecting that data compared to individual actors who won't bother? What about increased redundancy? What about improved medical care?

I don't think this is all this black and white as you paint it to be.

This is true "on paper", but in practice our whole industry is built on the fact that electronic records behave qualitively differently from paper records because they're so much easier to handle.

You can't steal everyone's paper records all at once in the way you can with electronic records, for example.

> You can't steal everyone's paper records all at once in the way you can with electronic records, for example.

You're assuming you can steal the entire database at once which most certainly will also be noticed and stopped swiftly.

Maybe.

But how about those already stolen? Photocopying paper records are slow. If you can get the original copy back quickly, you can be quite confident they are not copied. Not so for e-records.

> But how about those already stolen?

Digital records can most likely be duplicated much more easily.

History is full of massive data breaches which were only noticed when the dump turned up being sold. Few places have decent exfiltration detection on their IDS.

Or there's the classic "health records left on train" incident: http://news.bbc.co.uk/1/hi/uk/7449927.stm

> ... most certainly will also be noticed and stopped swiftly.

That's not necessarily the case. It very much depends on how it's "stolen", the cluefulness of the attackers, etc.

For example, if the data is pulled out of the live system via (say) some kind of SQL exploit, then intrusion detection gear has a possibility of noticing and reacting in a reasonable time frame.

However, if (again, for example) the data is copied directly from backup tape when the tapes are transported to secondary storage, or are (in)correctly disposed of. That's extremely unlikely to be detected. Ever.

There are just so many attack vectors. :/

Hum... The real danger here is the possibility of silently target some people of interest and remotely change a small part of their health data. People could be even killed remotely from other countries before the trick would be discovered. Old politicians or oppositors could be killed faking a natural death.

Even more, any country could enter in a future war, or send soldiers somewhere in the future. The possibility of the enemy remotely mixing or changing the medication of the soldiers would be devastating. In a single strike, somebody, somewhere could close down all the hospitals in the area and the chaos could last for days or weeks. All that is needed is to take one city with one hospital connected to the same net and asking for the password to one of the prisoners.

Paper records have a better scope. It isn’t economically justifiable to steal paper. Electronic records are easier to steal and cheap to sell, mine or otherwise utilize.
> Electronic records are easier to steal

How are they easier to steal? I would really like to know.

It’s easy to bypass whatever security mechanisms are in place by a hospital, physicians office, insurance company, subrogation contractor, pharmacy, billing contractor, branch office of a sprawling health network. The sheer volume scope of custodians is big, and every one of them is a risk, some more than others.

Even without a breach, custodians are able to monetize “anonymized” data to third parties, who can often reconstruct it.

In olden times, all of our records were in a paper folder. Breaches were more often related to office staff losing said folder. Incidents where a bunch of guys with a truck stole shelves of folders were rare if they ever happened.

IMO, with the exception of inpatient orders, prescriptions and referral automation, most of the impact of EMR has been a net negative to the patient. The fact that all of my providers don't trust the system and ask me the same 5-15 questions every time I see them belies that.

>Totally the same with your data in that one primary doctor's office or whatever

still, it's a huge target compared to thousands of doctor's offices

>Totally same with your paper records, someone could walk in and steal your data, imagine that.

nowhere near as scaleable compared to hacking a site with everyone's records

So what you're saying is that someone is going to steal the entire medical database of everyone and that's somehow going to be more "scalable" than stealing paper records? If that database contained everyone's medical data it will not fit on anything that anyone non-state/non-corporate actor can aquire, and if you have state actor or corporate level of budget one could easily scale stealing paper medical records. I'm not so sure it's going to be easier to compromise super-guarded database compared to a lot of paper records, would like some hard numbers, but those are going to be hard to get.
>If that database contained everyone's medical data it will not fit on anything that anyone non-state/non-corporate actor can aquire

source? that might be the case if you're including all the high resolution imagery, but I'd imagine all the text records can't be that big.

>and if you have state actor or corporate level of budget one could easily scale stealing paper medical records

that would either require an operation lasting weeks/months to hit all the doctors offices (with a small crew), or hitting all tho doctors offices at the same time (huge crew). the former increases risk of detection exponentially, as someone is going to notice eventually, and once people find out, capture of your crew by the police will be inevitable. the latter is also risky because you're going to make a lot of noise assembling said crew, and one of them is going to snitch on you. in contrast, if all the records were centralized in one online database, all you'd have to do is have a small team of experienced hackers hack it from a the safety of a country with no extradition treaty. low risk of one of them snitching on you AND low risk of capture.

>I'm not so sure it's going to be easier to compromise super-guarded database compared to a lot of paper records, would like some hard numbers, but those are going to be hard to get.

I'm sure on an individual level, it's definitely easier to burgle a doctor's office than a super secure government database. but see last paragraph about scaleability.

> as someone is going to notice eventually

That's going to be true with the database theft too.

> All you'd have to do is have a small team of experienced hackers hack it from a the safety of a country with no extradition treaty

I'm not so sure that's won't raise any red flags anywhere (foreign IP and possibly a lot of data being transferred). Imo it should, but we can't really know?

I agree with rest of what you said though.

>That's going to be true with the database theft too.

at that point, all the data is already gone. whereas with burgling doctors offices, they've been noticed within a few dozen break-ins.

>I'm not so sure that's won't raise any red flags anywhere (foreign IP and possibly a lot of data being transferred). Imo it should, but we can't really know?

that depends on how the system is accessed. if it's some webapp on some government intranet running off some random computer (that's also used for other stuff), then it's pretty easy to hide your tracks by compromising one of those machines. even if they have egress alerts (doubt it) it'd be pretty trivial to go for the high value to size ratio files first (text files), and exfiltrate over a long period of time.

You forgot one: * cancer doctor doesn't know about infection, runs chemo treatment, infection spreads and ultimately kills patient.

Happened to a relative of mine.

This is a problem every time the government launches a new service. They always have "an unexpected amount of traffic".

The last time we had a census the "census night" was totally bust since the majority of Australian internet users tried to use the online form and hardly anyone succeeded. They tried to blame it on "hackers".

Leading up to census night there were threats of fines if you didn't submit on time, but due to the shitstorm with their online failures people were still submitting their census data months later.

There are plenty of projects that don't have this issue. It's not "always", just the big ones so it seems like it's all of them if you don't know about the others.
The census fiasco was a truly special kind of incompetence. The best inside analysis was from the folks behind the Risky Business infosec podcast:

https://risky.biz/censusfail/

Summary: The project was outsourced to IBM (that alone probably says it all), who didn't purchase any DDoS protection. A small attack crashed the first firewall, and the backup firewall didn't have rules loaded. That caused IBM's monitoring tools to flag system logs as exfiltration, so they called in the Australian Signals Directorate (ie national security) and turned everything off until intelligence agencies completed an investigation of the false positive.

All the marketing calling it "Census night" and encouraging people to do it on the same evening instead of over the week probably didn't help spreading the load out.
Furthermore, although it's true that IBM didn't purchase DDOS protection, neither did the government pay them to purchase it. IBM is incompetent but in this particular case I can't blame them for attempting to make a meager profit out of the pittance the Australian government chose to spend on their first act of digital governance.
I will be curious to see how this pans out - I have dual Australian and Estonian citizenship, and in the latter case I can tell you it's extremely useful to have centralised medical records, prescriptions etc. For my Australian medical records in MyHealth or whatever it's called, I have a couple of pages uploaded by my then cardiac doctor (after I had a suspected heart attack last November that ended up 'only' being something related to medication), and I've already used these pages with a related consultation here in Estonia. So, for me at least, this system has been quite useful already. I guess time will tell in terms of security and other important factors.
I get that there's benefit to a centralized health database if you're in a country with socialized medicine, but if dealing with private doctors, why not let the market provide this capability? My primary GP uses one version [1], and I get that there would be several competing others until some convergence happens. But at least with these private providers, if one fails or falls out of trust, patients and doctors can move to another - your data isn't permanently locked with an untrustworthy government.

[1] https://healow.com/

You haven’t established that the government is less trustworthy than the private providers?
I meant that as a hypothetical, as in if the government proves itself untrustworthy (or technically incompetent, as is the case of Australia judging by these comments), you can't legally switch to a new system, whereas you could if it were private.
> When citizens rush to opt out of an Australian government service, it says something about their levels of trust. When the system falls over under heavy load, it proves them right.

What a stupid conclusion.

The context is that there's a lack of trust about the system being stable and implemented properly. Hence why it falling over proves them right.