Wednesday, July 12, 2017

A Press Release From eHealth Privacy Australia - More Grist To The Mill

I was sent this today:



Medicare data breach and My Health Records: Inquiry is not enough.

(For immediate release)

While the government's announced inquiry into a problem with Medicare data access is to be applauded, fundamental questions remain.

“A centralised eHealth database accessible over the Internet to over 100,000 legitimate access points, (#1) each of which has access to the entire database, is fundamentally indefensible,” said eHealth data consultant and eHealth Privacy Australia principal, Paul Power, as quoted in the media. (#2)

Unless a public inquiry urgently investigates the fundamental vulnerability of the proposed database of the My Health Records system and recommends appropriate changes, we will be no further forward with either safety or security.

It is insufficient to recommend changes that will merely lead to an improvement in security. There is a need to understand what is technically possible and how that will allow illegitimate users to access the database. Changes then need to be made which make such access virtually impossible.

While the Guardian exposé of the vulnerability of the Medicare card database demonstrates what has actually happened, the technical risks of such an intrusion have always been evident to information technology experts.

The technical ease of unwanted access to the proposed My Health Records system is similarly evident. A change to the implementation method, rather than an “improvement” in security, is necessary to protect the private health information of every Australian citizen from the Prime Minister to the newborn child.

The eHealth Record system currently being deployed in Germany has addressed these issues, by avoiding a centralised health data repository, with the master health data of each citizen being held on an encrypted memory chip in the equivalent of Australia's Medicare card. (#3)

An investigation of the fundamental security issues, rather than “recommendations for improvement” is required for our private health data to be secure.

eHealth Privacy Australia calls for a Senate Inquiry or Australian National Audit Office investigation. Anything less will leave the government open to the accusation that they have "doubled the locks on the front door, but left the back door wide open."

eHealth Privacy Australia calls for widening the terms of reference of the "Independent review of health providers' accessibility to Medicare card numbers", announced 10 July 2017, to make the findings public and allow input to the review by organisations representing Australian citizens' privacy interests and others.

eHealth Privacy Australia


0408 387 978

(#1) There are more than 100,000 registered medical practitioners, but over 670,000 are registered to access Medicare numbers, including pharmacists, allied health practitioners and 14 other class groups.

(#2) 1. Sue Dunlevy, The Daily Telegraph, 3 July 2017, et al.
2. Daryl Manzies, Territory FM, 4 Jul 17
3. Chris Maher, 7 News, 6pm, 4 Jul 17
4. Adam Gartrell, Sydney Morning Herald, 4 Jul 17
5. Karen Barlow, Huffington Post, 5 Jul 17
6. Fiona Wiley, ABC, Statewide Drive, 5 Jul 17

----- End Release.
Seems reasonable to allow others to read and react.
