As almost everyone knows, Manage my Health was hacked by someone seeking a $60,000 ransom in return for not releasing the hacked files, which appear to be uploaded health documents.
I don’t criticise MMH for being hacked. It is hard to be hack proof. There may be legitimate criticism for them not encrypting uploaded documents and/or not having multi-factor authentication.
What I find incredible is that it took them 10 days to e-mail users to tell them if they had been affected or not. And even worse, they got it wrong, and had to do a second lot of e-mails saying you haven’t been affected after all. I’m one of those who got both e-mails. And, annoyingly, because I’m overseas, MMH won’t even allow me to log in and see any details.
A well governed and managed health software company should have hacking as one of their major risks in their risk matrix, and they should have a detailed contingency plan setting out what to do if it happens. As far as I can tell, MMH were not prepared in any way, and had to be prompted by the Ministry of Health to call in external advisors to help them manage it.
The MMH software is pretty good. I can book GP appointments with it. I can see all my test results and vaccinations. I can see all the reports from specialists. I’m glad my GP uses them.
But software is only part of it. They need to also be well governed and managed for situations like what just happened. And the evidence to date is they have not been.
While personally I’m not worried if some hacker has the results of my shoulder and ankle ultrasounds and x-rays, there will be many people very concerned about their health records. Bryce Edwards made the point:
The potential harms are immense. Think about what’s in these files. Psychiatric diagnoses. Sexual health information. Details of domestic violence. Records of abortions. The intimate confessions people make to their doctors believing, as they should, that such information is sacrosanct.
People could be blackmailed over sensitive diagnoses or traumatic histories. Identities could be stolen. As one furious patient told RNZ, she is “one part terrified, one part really angry, like ragingly angry” that details of her past sexual assault – secrets she hasn’t even told some family members – might be made public. This isn’t just a bureaucratic failure. Real people will suffer real consequences.
So this is a very big deal for some.
David Farrar runs Curia Market Research, a specialist opinion polling and research agency, and the popular Kiwiblog where this article was sourced. He previously worked in the Parliament for eight years, serving two National Party Prime Ministers and three Opposition Leaders.
