{"id":233782,"date":"2026-01-15T01:48:09","date_gmt":"2026-01-15T01:48:09","guid":{"rendered":"https:\/\/www.newsbeep.com\/nz\/233782\/"},"modified":"2026-01-15T01:48:09","modified_gmt":"2026-01-15T01:48:09","slug":"manage-my-health-ignored-warning-about-lax-security-system-cyber-security-expert","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/nz\/233782\/","title":{"rendered":"Manage My Health ignored warning about lax security system \u2013 cyber-security expert"},"content":{"rendered":"<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cThis is the same pattern. They should have invested. They\u2019ve had two years and these are the exact same areas that have caused them the issue.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">The company did not respond to him, he said.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Manage My Health has said it is required to hold on to patients\u2019 data \u2013 even if their GP switches provider \u2013 unless patients deregister themselves.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">However, Chopra believes Manage My Health could have another reason for holding on to patient records.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Its own website proudly notes its database of \u201c1.8 million Kiwis\u201d and its ability to get its customers\u2019 message to them \u201cwhen they\u2019re thinking about their health\u201d.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cIf this company did not have any commercial gains to make out of this data, then they would not be paying the extra storage costs for this data,\u201d Chopra said.<\/p>\n<p>Terms and conditions gave company an \u2018out\u2019<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">A Wellington IT worker caught up in the Manage My Health data breach \u2013 whom RNZ has agreed not to name \u2013 also questioned the lack of regulatory checks and balances.<\/p>\n<p class=\"ycPbyrajIUrF\" 
style=\"display:none\">\u201cHealth services that have this information and these functions should be subject to the same scrutiny and compliance requirements and auditing as financial institutions.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cIf your banking app is down, it\u2019s a huge deal and it gets lots of scrutiny.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">However, Manage My Health\u2019s users could not say they were not warned, she said.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cThe irony is that I actually read their terms and conditions, and they haven\u2019t breached them because their entire terms of usage is they can\u2019t guarantee their system is any good or that they\u2019ll fix it, even if it\u2019s foreseeable and they know about it.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cIt\u2019s essentially, \u2018We can\u2019t guarantee our product doesn\u2019t suck, but here, give it a go\u2019.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Digital specialist Callum McMenamin (who also alerted Manage My Health to its security vulnerabilities six months ago) said the 300-page Health Information Security Framework contained many good things \u2013 but entirely relied on \u201chand-wavy\u201d self-regulation.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cIt\u2019s all just a high-trust system where the Government sets the standards but then closes its eyes and doesn\u2019t check if the standards are actually being met.\u201d<\/p>\n<p>Industry has opposed regulation &#8211; commentator<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">According to political analyst Bryce Edwards from The Democracy Project, the lack of regulatory oversight was \u201cnot an accident\u201d.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">The Digital Health Association \u2013 the industry body for health software vendors \u2013 had lobbied against what it called 
\u201coverly burdensome privacy laws and regulation\u201d, he said.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cThey have time and time again asked government to keep the rules on privacy quite weak and relaxed so the companies that deal with data are not subject to too much of what they call \u2018red tape\u2019 or essentially costs on them.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Successive governments had ignored warnings from three Privacy Commissioners over the last 15 years of the need for stronger penalties, like in Australia, where errant companies faced multimillion-dollar fines, Edwards said.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">The Digital Health Association pushed for the repeal of the Therapeutic Products Act, which would\u2019ve regulated software as a medical device with surveillance and penalties for non-compliance, he continued.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cIf you don\u2019t have these rules, if you don\u2019t have penalties for companies not looking after data, it means they can often be quite lax. 
They don\u2019t have good systems because they don\u2019t have those incentives.\u201d<\/p>\n<p>Industry group advocates for \u2018better\u2019 legislation<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Digital Health Association chief executive Stella Ward said the organisation did not oppose the Therapeutic Products Act (TPA).<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cAcross all our submissions and briefings, we repeatedly advocated for better regulation \u2013 not less.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cOur concern was that the bill, as drafted, lacked clarity and risked creating broad, impractical definitions that would not achieve best\u2011practice oversight.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">The association supported \u201cthe intent\u201d of the bill: ensuring modern, fit-for-purpose regulation that keeps New Zealanders safe, she said.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Current privacy penalties were low by international standards \u2013 but international experience showed \u201cstronger penalties alone do not prevent incidents\u201d and continuous investment was required.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cWhat matters most is having a clear, consistent regulatory framework that supports safe, efficient delivery of digital health services while protecting patients\u2019 rights.\u201d<\/p>\n<p>Health NZ mulls independent cyber-security auditing in future<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">Health NZ said it was Manage My Health\u2019s responsibility to ensure the data it was contracted to manage was \u201csafe\u201d.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">The Health Information Security Framework (HISF) \u2013 published by Health NZ \u2013 was intended to \u201cguide\u201d the health sector in the secure use and management of health and information technology.<\/p>\n<p class=\"ycPbyrajIUrF\" 
style=\"display:none\">\u201cHealth NZ expects health sector providers to have safeguards in place to protect health information, including assessing the security of their IT service providers, aligned to the recommendations of the HISF.\u201d<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">However, a spokesperson indicated oversight could be introduced in future.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cAs Health NZ progresses implementation of measures to increase the accessibility and security of health information, we are considering what further assurance of third-party providers against regulations and standards is required.<\/p>\n<p class=\"ycPbyrajIUrF\" style=\"display:none\">\u201cThis may include independent testing of third-party services such as patient portals.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"\u201cThis is the same pattern. They should have invested. They\u2019ve had two years and these are the exact&hellip;\n","protected":false},"author":2,"featured_media":233783,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1443,1510,1601,134,31037,10055,78836,9554,4977,111,43,139,69,6624,2437,6211,1455],"class_list":{"0":"post-233782","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-new-zealand","8":"tag-about","9":"tag-cybersecurity","10":"tag-expert","11":"tag-health","12":"tag-hill","13":"tag-ignored","14":"tag-lax","15":"tag-manage","16":"tag-my","17":"tag-new-zealand","18":"tag-news","19":"tag-newzealand","20":"tag-nz","21":"tag-ruth","22":"tag-security","23":"tag-system","24":"tag-warning"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/233782","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/types
\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/comments?post=233782"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/posts\/233782\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media\/233783"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/media?parent=233782"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/categories?post=233782"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/nz\/wp-json\/wp\/v2\/tags?post=233782"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}