Medical providers are urged to take precautions in the lead-up to the deadline for the digital electronic health record system My Health Record, a leading health insurance lawyer has warned. Barry.Nilsson. partner Robert Samut said under current data protection laws in Australia, the onus on a medical provider is to take all "appropriate measures" to protect a patient's health data.

“A cyber criminal is able to sell personal health information for far more on the black market or the dark web than a credit card,” said Mr Samut. “With medical information, cyber criminals are able to gain access to prescription medication, receive medical care, access financial data and steal a person’s identity.”

The warning comes as the deadline to opt out of the controversial My Health Record was extended to 31 January 2019 by the Federal Health Minister Greg Hunt.

According to figures released by the Office of the Australian Information Commissioner during April to June 2018, the largest source of reported data breaches was in the private health sector (20%). The second largest source was the finance sector (15%) followed by the legal, accounting and management services sector (8%), the private education sector (8%), and the business and professional associations sector (6%). Mr Samut said the data showed that it isn’t a matter of “if the data would be hacked, but when”.

“Storing records digitally with online access greatly increases the accessibility for criminals and hackers,” he said. “You cannot cyber proof your systems or your network.

“All you can do is put yourself in the best position to avoid a cyber attack or data breach and if one occurs put yourself in the best position to respond to it.”

Mr Samut said one of the dangers of the My Health Record access tracking system was that it did not track which individuals were accessing records, only institutions. Personal medical records and Medicare details are valuable because they can be used to perpetrate identity fraud. They can also be used to redirect medication to alternate addresses.

Currently, around 6m Australians are registered for a My Health Record but the figure is expected to increase significantly after the deadline because people either accept it or can’t be bothered to opt out.

Mr Samut said it was critical that any organisation have a co-ordinated incident response plan in place to respond to cyber security breaches.

“Having a plan in place is a non-negotiable,” he said. “You must have one. A proper plan will dramatically limit damage, improve recovery time and help safeguard patient’s data. “Another upfront issue is knowing what data you have and where it is stored. It’s very difficult to develop a meaningful or effective plan without knowing the answer to both these questions.”

Under the My Health Record system, health information can be viewed online, from anywhere, at any time – even if one moves or travels interstate. Healthcare providers – whether a GP or a hospital – involved in the care of a patient can access important health information, such as:

• allergies
• medicines prescribed
• medical conditions diagnosed
• pathology test results like blood tests.

The system also allows the person who has a My Health Record to write notes such as about advance care plans or custodian details; set access controls to restrict who can and can’t see the record; review health information, among other actions.

The biggest issues facing My Health Record are ongoing privacy and security difficulties. The threat surrounding online medical records is real as was seen in Singapore. In July, the Singapore Ministry of Health revealed that 1.5m SingHealth patients' records had been accessed and copied in a massive cyber attack. SingHealth is Singapore's largest group of public sector healthcare institutions.