Monday, April 07, 2014

DoH and NEHTA Are Working To Fix PCEHR Security Issues.

No names and no pack drill but 3 facts regarding the PCEHR are now clear.

1. There is a serious security issue with the PCEHR.

2. NEHTA, Accenture and DoH are aware and are working to see how they can fix it.

3. As of now the problem is not solved.

A press release from someone is expected in due course!

David.

19 comments:

Anonymous said...

Why would we expect a press release? How is this in the public interest? And by the way the system has been operating for two years now without an incident

Dr David More MB PhD FACHI said...

'How is this in the public interest?'

Its called transparency of Government operations and functions. A concept that clearly eludes you! I assume you work for the secretive Government we have at present?

How would we know how long it has operated without incident? It has operated for almost 2 years without being caught!

David.

Dr David More MB PhD FACHI said...

And now it has!

David.

Grahame Grieve said...

"There is a serious security issue with the PCEHR"

I think this is unreasonable. A potential flaw has been found. Under a set of obscure conditions, it could be used to gain access to information and/or privileges that the user viewing a PCEHR document has.

It is being taken seriously, that's for sure. But it's very far from being a serious issue.

Anonymous said...

"How is this in the public interest?"

geez, maybe due to fact this system is being integrated into the delivery of healthcare to patients in Australia.

Maybe it would be a good idea a SAFETY alert went out to stakeholders when a new risk that may impact them occurs.

"And by the way the system has been operating for two years now without an incident"

Great risk management strategy there. Gold star for you!

Anonymous said...

"And by the way the system has been operating for two years now without an incident"

You're kidding right!

The "existence" of the PCEHR can hardly be construed with "operating" as it would require "substantial" utilisation to be seriously considered as anywhere near "operating"... Consuming taxpayers funds for NO Value creation doesn’t count as “Operating” either!

And by the way, the PCEHR will firstly need to contain something of Value before it attracts serious scrutiny, probing and the compromise of its conventional security defences.

The current user "registration" records and duplicate DOHA MBS and PBS data is hardly the giant honeypot most people make it out to be.

Yes David, transparency is the greatest defence mechanism that Open Source software demonstrates every second of every day...

Anonymous said...

It's been working for nearly two years now with not a single health outcome having been claimed.

The phrase "white elephant" springs to mind.

Dr David More MB PhD FACHI said...

"There is a serious security issue with the PCEHR"

I think this is unreasonable. A potential flaw has been found. Under a set of obscure conditions, it could be used to gain access to information and/or privileges that the user viewing a PCEHR document has.

It is being taken seriously, that's for sure. But it's very far from being a serious issue."

Thanks for that. It's being taken seriously but the punters need not worry!

Either a system with 1.5 million enrolees is compromised or not. Seems it is.

The key issue here is when there will be an announcement that the issues are understood and addressed for public confidence to be restored.

David.

Grahame Grieve said...

"Either a system with 1.5 million enrolees is compromised or not"

No, it's not that simple at all, it's not a binary choice. Even for a single application, let alone a system of systems. There are many many systems, multiple version, mostly closed source, that can view documents from the pcEHR. Any of these may be affected, but we don't know what the effect would be.

You ask when there'll be announcement. I presume that you don't think that such an announcement should happen before the issues are actually known and addressed. Perhaps you just think that the timeline for that should be known in advance?

Come on, David, really...

Dr David More MB PhD FACHI said...

"You ask when there'll be announcement. I presume that you don't think that such an announcement should happen before the issues are actually known and addressed. Perhaps you just think that the timeline for that should be known in advance?

Come on, David, really..."

Yup really, given there is an issue that has become public I think there should be an announcement that the problem is recognised and is being addressed and in the mean time the access to the system has been restricted to ensure the exploits are not able to be abused.

Makes perfect sense to me that this is what happens.

David.

Anonymous said...

As all major browsers have security flaws, and newer flaws are found often, I see the browser security issues as a much bigger issue.

http://www.zdnet.com/crash-bang-boom-down-go-all-the-major-browsers-at-pwn2own-7000027343/

Grahame Grieve said...

"in the mean time the access to the system has been restricted to ensure the exploits are not able to be abused"

So that you'll put aside real clinical benefits to ensure that theoretical risks cannot manifest?

I know you'll say that there are no real clinical benefits, but still, security is not a binary, mathematical thing. It's about weighing risks.

Dr David More MB PhD FACHI said...

"I know you'll say that there are no real clinical benefits, but still, security is not a binary, mathematical thing. It's about weighing risks."

I get that so let's just see how it plays out and hope that the risks turn out to be minimal to zero in reality. I would still like more transparency however.

David.

Anonymous said...

Yes without Grahame and this column we would all be left in the dark. At least someone lets us know what is happening. The system operator treats us with contempt by not informing us, causing speculation and mistrust. The poor start to the pcehr left us all worrying about bad design and inadequate system management. It would be better to be simply open and honest.

Anonymous said...

"And by the way the system has been operating for two years now without an incident"

This is manifestly untrue. Many incidents around data quality have been reported by members of the press (remember the pulse IT reporter) and the public.

There is absolute secrecy around any formal incident reports that are sent to the PCEHR clinical governance committee operating from the Commission for Quality and Safety. We are not told how many reports there are per month, how serious they are, and what was down to make them safe.

I guess these are "operational" or "on the water" matters and we just don't need to know.

Pattern here?

Bernard Robertson-Dunn said...

Can I suggest that from an IT perspective, it's a technical, system security issue. It's also a serious matter which if left unresolved could result in bad things arising. These things happen and get fixed.

From an information management perspective, it's a trust issue, to be added to all the other trust issues still outstanding.

Nobody's information has been compromised (as far as we know) so the matter will disappear into the noise.

Those who are against the system will still be against it. Those who promote it will continue to do so. Those who don't care will continue to not care. Will it change anyone's mind about the system? I doubt it.

Anonymous said...

http://www.nehta.gov.au/media-centre/news/633-update-on-clinical-document-architecture-and-e-health-records

Anonymous said...

OpenSSL zero day vulnerability is big issue for all those systems using open source.

http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/

Anonymous said...

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

https://www.openssl.org/news/secadv_20140407.txt

The speed of identification, communication and rectification of this issue demonstrates the strength of transparency exemplified by the Open Source Community every day!