Sunday, March 11, 2012

This Submission Really Bells The Cat On the PCEHR Security Design. It Is Very Risky Indeed.

Some reporting on the AusCERT view on the PCEHR appeared late last week.
We had this:

PCEHR may be hacked, warns IT security group

8 March, 2012 Gemma Collins
Patients could have their private medical records hacked by online criminals once the PCEHR goes live in July, a leading IT security group has said.
Providing the PCEHR over the internet, presumably via a standard internet connection, means the records could be open to fraudsters, compromising the confidentiality of the records, according to AusCERT in its submission to the Senate enquiry on the PCEHR Bill.
The University of Queensland based IT security group accuses the Department of Health of being “misleading” and “misrepresenting” the level of risks of the shared record system by saying the system will be secure.
And says it is “astonishing” that the critical matter relating to the security of the system was “summarily dismissed and left to a later stage” in the DOHA’s recent Privacy Impact Report.
More here:
And also this:

PCEHR open to hacking, says AusCert

  • by: Karen Dearne
  • From: Australian IT
  • March 09, 2012 5:00AM
INDEPENDENT computer emergency response team, AusCERT, has issued a blunt warning that the personally controlled e-health record system will be wide open to hacking.
"The current proposal by the Australian government to provide PCEHR over the internet will allow for the exposure of these records to theft and compromise," AusCERT told the Senate inquiry into the PCEHR Bills in submissions released yesterday.
"Online criminals have for many years been attacking PCs at work and home to gain access to the systems and data they desire.
"There is no reason to think criminals won’t actively target these computers specifically for the benefits they may provide once the PCEHR system goes live (on July 1)."
AusCERT said fraudsters will be only too keen to harvest "valuable" personal details including full names, dates of birth, current address and Medicare numbers.
As well, it warns the PCEHR may "deliver information to criminals which could be used to fraudulently obtain prescription drugs".
"Apparently criminals have realised that the purity of pharmaceutical quality drugs is worth pursuing rather than trying to ‘cook’ these drugs themselves," it said.
"This trend needs to be considered carefully (against) the possibility the PCEHR could be a catalyst for wholesale access to these drugs.
"This could have adverse implications for individuals, doctors and pharmacists whose e-health records are manipulated in order to facilitate criminal endeavours, where the audit trail will lead back to legitimate users who had access to these records, but who were in no way responsible for their fraudulent manipulation."
.....
It notes that the federal Health department "is promoting the benefits of PCEHR over the internet on the basis that it will be secure".
"These statements cannot be assured and are misleading," it said. "If any end-user computer is already compromised by malicious software, the confidentiality of the PCEHR may be easily compromised.
"There is also the potential to compromise the integrity of the record, depending on the user’s modification privileges."
AusCERT said the department "appears to be focused on the security of the back-end systems" rather than the endpoint systems and software people will use to connect to the system.
.....
"It is AusCERT’s assessment that the vast majority of end users do not have sufficient knowledge or skills to manage the risks," it said.
"This is evident by the Australian Communications and Media Authority's 2010 finding that some 25,000-30,000 computers are compromised in Australia every day; annually that equates to about 4 million PCs.
"Considering that recovering from a compromise is a non-trivial exercise, it is likely that these compromises persist for days or weeks, and some machines may remain compromised.
"Imagine if each of these computers had at least one user who had used it to access their PCEHR. That represents potentially millions of records compromised by online criminals."
Overall, AusCERT finds there is a "broad and extensive" range of threats facing the PCEHR.
Lots more here:
You can find the full submission here (Submission Number 51 - 3 parts):
What is really interesting is that all this ties in quite nicely with some work I reported last year:
Here is a link to the actual paper which is now on-line.
Here is the abstract.

Why Australia’s E-Health System Will Be A Vulnerable National Asset

Patricia A H Williams
secau - Security Research Centre, School of Computer and Security Science,
Edith Cowan University, Perth, Western Australia
trish.williams@ecu.edu.au
Abstract
Connecting Australian health services and the e-health initiative is a major talking point currently. Many issues are presented as key to its success including solving issues with confidentiality and privacy. However the largest problem may not be these issues in sharing information but the fact that the point of origin and storage of such records is still relatively insecure. Australia aims to have a Personally Controlled Electronic Health Record in 2012 and this is underpinned by a national network for e-health. It is this very foundation that becomes the critical infrastructure, with general practice the cornerstone for its success. Yet, research into the security of medical information has shown that many general practices are unable to create an environment with effective information security. This paper puts together the connections of e-health and the complex environment in which it is positioned. A discussion of how this critical infrastructure is assembled is presented, and the key vulnerabilities are identified. Further, it addresses how security may be approached to cater for this diverse and complex environment. From a national security and critical infrastructure perspective, as medical records are part of society’s critical infrastructure, the most effective system attacks are those on the points of highest vulnerability. In our current health system infrastructure those points are the data collection and records retention areas of individual medical providers. Progress towards changing this situation is key to its success.
-----
There is also a more comprehensive presentation here:
So, what we have here is experts from both sides of the country saying the claims about ’iron-clad’ security on the part of the PCEHR are - to put it nicely - rubbish.
Any personal information you place in the PCEHR you should assume is vulnerable and unless you are happy with the world knowing all your intimate health information you should not sign up for and use this system.
The thing that amuses me is how DoHA and NEHTA say it is all OK - you don’t need two factor security and so on while the banks are - despite the cost - rolling such technology out as fast as they can. Do the banks know something about security risk that has slipped past NEHTA and DoHA?
There is some real silliness going on here. Until we have properly secured practices from an IT perspective and proper electronic credentialing of citizens, the risks of ongoing breaches and the associated publicity are just too high.
David.
p.s. I note Grahame Grieve has done a blog on the same topic - pointing out that AusCERT is unsure just how the problem can be fixed. A link is here:
http://www.healthintersections.com.au/?p=828
Can I suggest the only way the individual can address the risk is to ensure information they wish to keep private never finds its way into your PCEHR (STI information, terminations, mental and other stigmatizing illnesses etc.). It really is as simple as that.
D.

2 comments:

Anonymous said...

They are the eHealth equivalent of the financial "Masters of the Universe with a culture of risk".

Just like the financial industry they are risking other people's money and taking risks with other people's privacy and the health of the medical software industry. They are, I am sure, demanding huge salaries (1.3M for CEO I gather) while they take risks with everyone else's destiny. They have the PR right, but everything else is a huge bubble.

Sam Heard said...

Good collection of information, thanks David. As an individual I think there are some possible simplifications. Why not offer log in using Facebook or Google? Sounds a little weird at first but these are the organisations in the world that stand to lose most by being hacked. I can then do two level security if I choose (and I already do).

Second, it could be possible to opt to only post information that does not identify individuals. This would require screening of documents and PDFs. This does add a level of security to a large repository as the demographics and health information both have to be accessed. Further security may be added by having multiple repositories with random utilisation, so there is no guarantee that hacking a particular repository gets you any individual's record.

Finally, any attempt to solve large problems will have drawbacks. The banks lose a lot of money from fraud, but the net gain in convenience and lower costs is sufficient to make everyone keep going with online banking.

The PCEHR may, in the longer term, provide such a balance - some loss of confidentiality but a large gain in convenience and lower costs. It will take some time to reach that point, just as online banking did. It will progress very slowly until a tipping point is reached, or an alternative approach succeeds. Your and others' call for transparency and realistic risk assessment in the meantime is crucial.