In the second of our two-part series, Edward Pollitt explores how analysing data could produce very different health outcomes for patients.
“Nothing is bulletproof,” concedes the Chief Information Security Officer of Australia’s largest private health insurer, Medibank.
It’s a line that has become all too common when discussing the digitisation of medical records and cyber security.
Look no further than the government’s rollout of the My Health Record, which has already seen almost a million Australians opt out amid security concerns.
How can society utilise the life-saving benefits of healthcare data if there is inherent distrust in the systems they are stored on?
To complete the digitisation of the healthcare industry, patient and customer trust must first be established.
“I think it’s quite challenging [to build trust],” explains Medibank CISO Stuart Harrison. “It’s somewhat opaque and clouded by fear and uncertainty.”
“From a security standpoint, I think being open and transparent with people with regards to how you’re designing your systems and key controls gives them a level of assurance that in your system, their data is safe and secure.”
With 3.7 million Australian customers, there is plenty of data for Harrison and his team at Medibank to secure. According to the Office of the Australian Information Commissioner, health data was involved in 33% of all reported breaches in Australia from February to April this year.
“We have what we call a data-centric security strategy,” he tells Information Age. “At its core, it really comes down to protecting information using controls that are layered around the information and the criticality of the information itself.”
In 2017 alone, Medibank supported over 1.3 million hospital admissions and 500,000 surgical procedures, equating to $5.2 billion in benefits paid and many, many bytes of data collected.
Harrison explains that the best way to manage this abundance of data is through “fit for purpose” controls.
“In the world of data, it grows exponentially, so there’s a huge amount of it,” he says.
“If we tried to protect everything to the same degree it simply wouldn’t be feasible, nor do I believe it is required.
“It comes down to very clearly understanding what it is we’re trying to protect and why it is we are protecting that information.
“We put a lot of time and energy into understanding what is most important for our members and the organisation as a whole and understanding where that data lives, how it’s created, the journey through its lifecycle and then ultimately how it’s destroyed.”
Medibank CISO, Stuart Harrison. Source: Supplied
Rethinking patient data
Perhaps to establish consumer trust in digital health records, we have to rethink current approaches.
That’s the aim of technologist and long-time healthcare professional Dr Tal Rapke.
Dr Rapke has spent the best part of two decades in the healthcare industry.
First trained as a medical doctor at the Alfred Hospital in Melbourne, Dr Rapke has plied his trade everywhere from rural Kenya to top pharmaceutical boardrooms.
But he’s now on a journey that could permanently change the way data is managed in the healthcare space.
Launched in 2016, ScalaMed is an Australian start-up earning global recognition.
After being introduced to blockchain a few years ago, Dr Rapke spent a year conducting “deep research” on the technology and its uses.
With an understanding of the technology and a medical career under his belt, he soon came across a real-world blockchain application capable of saving lives.
ScalaMed gives patients instant and secure access to their medical prescriptions through its blockchain service, bringing data from hospitals, GPs and pharmacies into one decentralised location.
“When a doctor prescribes a prescription, rather than it being sent off to a pharmacy or off to the cloud or being given to the patient written on a piece of paper, it actually gets wrapped up and stamped on a blockchain to ensure that we can validate it down the track and that there’s only one copy of it,” he tells Information Age.
“We give ownership of that particular prescription to the patient.
“It appears on an app on the patient's phone. They can then engage with the prescription the same way they would any piece of digital data where they can find out what they were prescribed and how it’s taken effectively.
“We automate warnings and reminders.”
ScalaMed is more than a paperless prescription service. It’s a complete upheaval of the way digital health records are stored and shared.
And for the first time, it’s putting patients and their data at the centre of their healthcare journey.
“The only person in common at the clinic, at the pharmacy, at the specialist, at the hospital or anywhere for that matter – is the patient,” he says.
“The future of the role of healthcare is to really bring patients into the forefront of their own healthcare journey.
“Bring patients into control of their data and let patients make decisions about who and how they give access of their data to.”
My Health Record
Although prescription management is the name of the game for Rapke and his team, ScalaMed is entering the Australian market at a time where the topic of healthcare data is now an election issue.
The vision of ScalaMed is to put data back into the hands of the patient – somewhat contrasting the government’s centralised My Health Record.
First introduced as the Personally Controlled Electronic Health Record (PCEHR) by the Labor government in 2011, it was branded as the eHealth initiative that could boost patient safety and save the country millions.
Health Minister at the time, Nicola Roxon, compared it to the advent of “the stethoscope, the X-ray and the vaccine.”
A change of government in 2013 brought a change of name as trials for the My Health Record continued.
But things really kicked off in July this year, when the 90-day (now extended) ‘opt-out’ period officially ticked over.
Who would have access to this data? How could the government guarantee a secure system? Could this data be used in criminal proceedings?
The public has had more questions than Heath Minister Greg Hunt and his team have had answers to, resulting in a series of on-the-go amendments to the legislation.
So, if ScalaMed is trying to bring prescription data online and the government is using My Health Record to digitise patient’s medical records, these two systems are kind of similar… right?
“I think that they are very different,” says Rapke. “I think the government is trying to create a repository.”
“So, a centralised repository of all your data and all your events that have happened over time, but not necessarily a utility.
“ScalaMed is simply a way to take a prescription and for a patient to be able take ownership of their own prescription.
“Some people would think of it as just digitising paper, but rather than having that information residing in a centralised repository which might be open to hacking, relying on the security of others, we have created more of a distributed way, a decentralised way.”
Dr Tal Rapke. Source: ScalaMed
Putting healthcare on the blockchain
Despite its disjointed delivery and policy backflips, Australia’s My Health Record shows us one thing – we have truly entered the age of digital health records.
With security an obvious concern here, the supposedly ‘tamperproof’ blockchain – aka “the single source of truth” – has put its hand up as the platform the industry needs.
The 2016 Deloitte report Blockchain: Opportunities for Healthcare states “blockchain does offer a promising new distributed framework to amplify and support integration of healthcare information across a range of uses and stakeholders.”
The rise and rise of blockchain in healthcare seems like the next logical step in this industry’s steady digitisation.
Then US President George Bush said in 2004 that “by computerising health records, we can avoid dangerous medical mistakes, reduce costs and improve care.”
And although computers were first introduced to hospitals in the 1960s to perform basic administrative tasks, electronic medical records didn’t move into the mainstream until the 2000s, with Australia not pursuing an eHealth strategy until 2006.
Rapke describes the “waves” of technology implementation that have followed.
“You look at the first wave of healthcare going digital, which was all around server-based storage – a digital propriety system that was all about the clinics,” he explains.
“Then you move to cloud-based, which was maybe a little bit more agile in their ability to store data and potentially safer for a GP’s surgery where there isn’t a security expert.
“We’re now seeing what I believe is a more decentralised approach, with the patient at the centre.”
He believes that the new types, and mass amounts, of data being generated through innovations like electrocardiograms, blood saturation monitors and even the Apple Watch are creating such a patient-centric landscape.
“This is really rich data. I don’t think people are going to willingly give this out to other people; I think they’re going to demand that ownership sits with them and control sits with them.”
Add to this the modern prevalence of chronic diseases, forcing more and more patients to manage their illnesses based off the data they generate.
And that’s where blockchain comes in.
A decentralised model is the most effective way to give patients complete control over the data they generate, Rapke believes.
“The best way to decentralise things, at the moment, is with blockchain,” Rapke says.
He compares the role of blockchain today with the early days of the internet – clouded and uncertain.
And although questions linger regarding the social impacts of blockchain over the next few decades, Rapke explains that from a healthcare perspective, the technology has the potential to generate fundamental changes.
“Blockchain has the potential to take these ideas of trust and control and really, really rethink what those things mean,” he says.
“Patients can start having full control and don’t need to trust intermediaries.”
Utilising the potential
Healthcare has always been an industry that looks to innovate.
From the discovery of penicillin in 1928, to the first organ transplant in 1954, health professionals have continuously sought ways to improve best practice.
Today it is data that is the lynchpin of healthcare innovation.
Doctors are beginning to connect with complex machine learning algorithms that allow them to save time on monotonous tasks and better utilise their skillset to benefit patients.
But with this comes an inherent cyber security risk.
Fears of hackers gaining access to WiFi-enabled pace makers now flood the internet, while the WannaCry ransomware attacks brought the entire UK National Health Service to its knees only last year.
Data is with no doubt the largest opportunity presenting itself to the industry, but hand in hand with this is security, which is possibly the greatest obstacle.
Services will continue to improve as technology advances, at the same time as breaches become more and more severe.
Is risking the personal information of millions worth the lives that will be saved from innovation in this space?
It may simply be a case of harm minimisation.
You can read part one of this special two part feature here: If symptoms persist, visit a robot
