Monday, April 28, 2014

It Seems The Front End To The PCEHR Portal Is Not As Secure As It Might Be.

This appeared earlier today.

Australians' private government details at mercy of hackers, say IT security experts

Date April 28, 2014 - 7:20AM

Ben Grubb and Noel Towell

Some of the information accessible via my.gov.au when linking it to Medicare.
The private records of millions of Australians – including their doctor visits, prescription drugs, childcare and welfare payments – are at the mercy of cyber criminals because of flimsy IT security around a critical federal government website, IT security experts warn.
And they say the risk will increase from the middle of the year, when the government will make it compulsory for Australians to use the my.gov.au website to lodge their electronic tax returns, potentially also exposing their financial and banking records to hackers.
I expect two-factor authentication for information that is much less valuable. 
Troy Hunt, security expert
The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and NDIS government accounts. If users link their different accounts, information accessible includes their name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, welfare and childcare reimbursement payments.
E-health records, including prescription drugs, are also accessible using my.gov.au.
But Sydney software architect and IT security consultant Troy Hunt said the controls used to protect the site were "insufficient" and "irresponsible" and considerably weaker than many other large websites such as Google, Twitter and note-taking app Evernote.
He called on the government to introduce "two-factor authentication" to better protect the sensitive information. The process is commonly used by banks and other sites, requiring users to put in a token, or code, sent to their mobile phone before they are allowed access to their account.
There are a lot more details found here:
It is a bit of a worry that screens from all these systems are shown indicating they have possibly been accessed inappropriately.
It is also a bit of a worry that the Department is resisting FOI requests from legitimate journalists.
This sort of report points out, yet again, the risk of large centralised systems being attractive to potential information intruders.
Not a great bit of news for public confidence!
David.

No comments: