Saturday, May 13, 2017

Global Cybersecurity Alert - There Might Be Some Lessons Here.

Published a few minutes ago - the attack has gone global.

Ransomware attack shuts down NHS hospitals as malware spreads globally; 'evidence' of U.S. attack, says HHS



7 comments:

Anonymous said...

Just where does the responsibility reside? If we are connected to GovHR to constantly upload data, are we now part of the national infrastructure? If so then everyone is subject to DSD security policies etc. Does this now mean the Government is responsible for protecting all end points that are part of the National infrastructure? I recall many many years ago this came up in the NASH early work.

That to one side, the bit-coin world is making this far too potentially lucrative for criminals. We have enough trouble with traditional IT; I hope they are not thinking of using things like blockchain.

Anonymous said...

8:39 am, not sure of the answer to your question, though it is valid. I can appreciate I have responsibility for ensuring my software is up to date, however what is the Government's new responsibility? I cannot control other people's systems, and who knows what could be hidden in those documents. As an intermediary and custodian of the data lake, is the Government accountable for ensuring the information I receive from the MyHR is clean of malware, ransomware etc.? If somehow each document is inspected, is that a privacy breach? Certainly would erode trust.

Bernard Robertson-Dunn said...

"what is the Government's new responsibility?"

Under the constitution the Head of the Department of Health is responsible for the department's IT systems, including security.

That's why other agencies (such as Defence, PM&C, Finance) or any central agency can't tell the Department what to do with its IT systems.

IANAL, but if the Department could be shown to be negligent, the government could take action against its Head and he could also be sued by a corporation or private individual for harm.

That harm could probably include propagating ransomware, bad health data and a multitude of other things such as unavailability of the system at critical times such as epidemics.

Similarly, if a healthcare provider stuffs up they can be sued, charged with crimes, etc. If that healthcare provider has relied on data from MyHR, then could they sue the Government? Well, the government says that healthcare providers shouldn't rely on data in MyHR (which rather diminishes the value of the system to something less than zero - i.e. the healthcare provider has to go and check and confirm the data), so maybe that's a get-out clause.

AFAIK, all this legal liability stuff hasn't been sorted and/or tested. I would have thought that going opt-out would require a change to the fundamental nature of responsibilities.

When a patient opts-in and provides consent, then it could be argued they have accepted the risk - assuming they have been told everything about the risk, which in the case of MyHR is doubtful.

Going opt-out is a whole new game. The government probably now accepts the risk and the legislation explicitly removes the need for consent to gather health and personal identifying data.

The current legislation says that the Minister can make MyHR opt-out if he is happy with the trials.

IMHO, it will be a courageous decision (in the Yes, Minister sense) if they do go opt-out without dealing with all this responsibility/legal stuff. Which means more legislation.

And getting it through the Senate.

Opt-out could be a lot harder than they thought.

Anonymous said...

The biggest risk we have IMHO is the depletion of experts in Informatics and computer science at the ADHA, started under NEHTA, who have been replaced by marketing people, ex-paper boys, ex-consultants no one wants, and contractors from consultancies there for the hourly rate and not safe to place with smarter organisations.

This is a serious space; it needs very smart people, both in business and in various sciences. I have been very disappointed in the calibre of people at ADHA. Don't get me wrong, there are some talented people, but they are so lost amongst the cowboys they could not make an impact if they tried.

Anonymous said...

3:01 pm, why is that a big risk? We are co-designing; the states and vendors can provide the technical designs, and Accenture, EY and other large international firms can provide technical resources. What we need is better contract, project and media management to support the Government policy implementation teams. We have Standards; people just need to adopt them consistently.

Anonymous said...

8:53 pm, I hope you are joking; if you are not, you certainly have not been listening. Co-design and all the other technical things are not the problem. The problem is what is the reason for the whole existence of the thing. Nobody has ever explained what it is for and how it is supposed to add value to anyone.

Anonymous said...

The problem, 10:11 PM, is that some refuse to accept that the MyHR is here to stay and is the perfect solution to enable full interoperability in our health sector. The problem is post-it notes, note pads and faxes. Consumers want and need more and more clinical information so they can make more informed decisions about how they are treated and by whom, and ensure that information is available to all healthcare providers. Yes, there are some front-end usability and cosmetic shortcomings. Tim is clear and correct in his belief, and if you would only listen to him you would see he is correct and the correct one to move this to full adoption and open up this valuable data to all with an interest. What we cannot do is make the mistake made by the UK and get cold feet because of a few minor issues.