Sunday, July 09, 2017

A Security Expert Points Out Some Holes In The myHR Defences. Should We Be Concerned?

This appeared a few days ago.

Health records ‘vulnerable to hacking’, expert warns

Sue Dunlevy, National Health Reporter, News Corp Australia Network
July 3, 2017 10:00pm
EXCLUSIVE
THE health records of every single Australian, including the Prime Minister, will be vulnerable to a hacking attack from next year, an IT expert has warned.
The private health information of every Australian will be put into a centralised data base when the government automatically creates a digital My Health Record for everyone in 2018 unless they opt out.
The record will reveal whether people have had an abortion, a sexually transmitted disease, a mental illness and other potentially sensitive health information.
Paul Power, who heads Power Associates, a company that has been doing IT consultant work for medical practices for 17 years, says the system is extremely vulnerable to hacking because it centralises information and has so many access points in hospitals and doctors’ surgeries.
“A centralised eHealth database accessible over the internet to over 100,000 legitimate access points, each of which has access to the entire database, is fundamentally indefensible,” Mr Power says about the My Health Record.
Concerns about the vulnerability of health records comes just weeks after Britain’s National Health Service was bought to its knees by the Wannacry ransomware virus.
Mr Power is urging the government to follow Germany and put My Health record on a memory chip in a patient’s Medicare card.
Under this system only one person at a time could be hacked and every time a health practitioner uses the card it would bring the record up to date and keep a copy.
Mr Power fears our centralised system could allow hostile governments to access sensitive health information on key businessmen, military chiefs or politicians in an effort to compromise them.
And he’s written to Health Minister Greg Hunt multiple times to warn him of the danger.
The Department of Health last year released 30 years’ worth of Medicare data to researchers in such a sloppy way it was possible to decode and identify the names of doctors and possibly patients.
It took computing researchers at Melbourne University just three days to reveal the six digit number that identified the doctors linked to the records.
Lots more worrying stuff here:
There was also TV coverage:

Health records as risk of being stolen and released online

Published: 03 July 2017

They’re the most private, personal and intimate details of your life. And for many of us, our Doctor’s records may contain things we would never want our employers, friends, or peers to know about us.

Yet, your entire medical history will soon be at risk of being made pubic for the entire world to see, at the mercy of cyber hackers who may feel like causing mischief, according to warnings from an information technology expert.
From next year, The private health information of every Australian will be held on a centralised database when the Federal Government launches ‘My Health Records’, unless you consciously choose to ‘opt out’.
This sensitive information can be extremely damaging, ranging from sexual health information, mental illnesses, any details of abortions, and other private medical data we do not want people knowing.
More here:
I have to say it is hard to disagree with Mr Power. Securing a system which has so many users from all over the country, which is providing such a large database of personal information, is hardly something you can be confident is going to be achievable 100% of the time!
It seems to me, with the planned ‘replatforming’ of the myHR – if it is not scrapped, then a much more distributed model is required. There are many ways to skin this cat – if you must – that would be much more secure and much more privacy protective.
What would be your ideal approach to meeting the known use-cases for the myHR?
David.

18 comments:

Anonymous said...

One of the reasons it was never going to be opt-out in the first place. It was a known risk from day one that there would be too many possibilities for hacking if it was open slather. And the way that the change has been made, from one option to the other, by seemingly just flicking a legislative switch, is madness.

Even if people do decide to opt out, their initially created record will remain, undeleted, and no doubt accessible by canny cyber-criminals, for a very long time. Those readers of David's blog with very long memories of the myHR will recall it was even hacked before it had much data in it, so I'm sure it would attract a larger audience with millions of people's records.

Someone please give Mr Power a megaphone!

Anonymous said...

Well Timmy has given assurances to the AMA it's safe as houses, Tim would be privy to details we are not, also there is a cyber security unit at ADHA, in the event of something going wrong the risk has already been transferred. You can make a government omelette without breaking a few privacy and security eggs.

It is clear from the ADHA that people are fodder and secondary to providing citizens information to anyone with an open wallet

Anonymous said...

also there is a cyber security unit at ADHA, in the event of something going wrong the risk has already been transferred.

Sadly ANON, you probably hit the nail on the head, so long as someone lower down can be held responsible and if required sacrificed, then there is no issue. Onwards and downwards we go.

Anonymous said...

We should give them a chance, they have not even started prevention through power point presentations yet.

It will I guess come down to silos doing threat and 'tis assessments but no system of systems assessments and certainly no one will do end to end consent assessments.

Bernard Robertson-Dunn said...

"their initially created record will remain, undeleted," According to what the government said re the opt-out trials, if someone opted-out a record was not created. This will probably be the same if it goes nation wide.

The risk to privacy is not cyber security but good old fashioned criminal activity. The government is very keen to draw a distinction. The biggest risks are trusted users and people looking over someone's shoulder at a screen or at an unattended screen.

Anonymous said...

If somebody opted out a record a record was not created? That is not was Paul madden stated - https://www.itnews.com.au/news/opt-out-e-health-records-wont-be-deleted-463755

Seems it is just somehow not available to clinical folk, however continues to build a picture of your health presumably for non- clinical uses.

Anonymous said...

https://www.theguardian.com/commentisfree/2017/jul/09/giving-google-private-nhs-data-is-simply-illegal

I will leave it to the readers to connect the dots and model what future may come to be. However, it is an uncomfortable legacy we live with here in the U.K.

Bernard Robertson-Dunn said...

re: "If somebody opted out a record a record was not created? That is not was Paul madden stated"

Paul isn't very good at making things clear. Opt-out can have two meanings.

1. If you already have a MyHR and decide you don't want one any more, you can deactivate it. It will not be deleted.

2. If you decide to opt-out of the automatic registration process you won't be given one. As the article says:

"Individuals can opt out of the system before a record is created for them to avoid having any data in the My Health Record system."

“You do not actually have a record until we get past a period where you have had an option to opt out,” Madden said.

“If you flag that you wish to opt out, we just will not create one for you.”

Anonymous said...

.. but, but, .. what if I already have a MyHR under the current 'opt-in' system. Will be given a choice not to have one when the new 'opt-out' system begins?

And the corollary of that is if I choose to 'opt-out' BEFORE the new system begins can I (or will my) MyHR be completely deleted or have I missed my opportunity to have nothing to do with the system because I already have a MyHR under the 'opt-in' rules?

Anonymous said...

If you flag that you wish to opt out, we just will not create one for you.

How is that testable? Is it possible to go in and lookup without registering to see if I am registered?

As for the Department heads and advisors, well the had better start getting clearer, if they cannot then perhaps they should not be there, or if things are not yet designed for clarity then change the date to 2020 by that time everyone will have signed up anyway but their own forecast trends.

Bernard Robertson-Dunn said...

Once you have a MyHR you never not have one or, as the song says, you can check out any time but you can never leave.

There is an argument that says the best course of action is to register for one, turn all data feeds off and do not upload anything.

That way you also avoid being put on a "These people are reactionaries and have refused to do the right thing and let the government have lots of old health data about them, even if it is useless and misleading. They must have something to hide." list.

Bernard Robertson-Dunn said...

re : the new 'opt-out' system begins.

There is no new system. It is the old opt-in system with minimal changes. The big problem for ADHA is the patient's nominated healthcare provider. In an opt-out system most people won't have one and so can't have a Shared Health Summary - the legislation does not permit it. They've got rid of consent to gather information, but not uploading SHSs - unless they bend the rules.

Currently I estimate that about 95& of patients registered for a MyHR do not have a current (i.e. less than three months old) SHS. Imagine what that number is going to be after opt-out? My estimate is about 99%.

Anonymous said...

Gee, I hope the napkin they planned this on was free. I am sure we all know how easy it is to resign an in flight platform full of little software and information dependencies

Bernard Robertson-Dunn said...

In the dark and distant past when mainframes ruled the enterprise IT world, along came mid-range computers. These were cheaper, easier to program and run. So "innovative" IT departments started to migrate systems off the mainframe onto mid-range platforms and build new systems also to run in the mid-range environment.

Unfortunately, not all systems could be taken off the mainframe ver easily, mainly OLTP (On-Line Transaction Processing for the newbies) systems which were designed to guarantee transactions for things like financial data bases etc.

That meant that the IT departments were left running two environments, mainframe and mid-range. Then the realisation set in. You only get to save money if your new solutions totally replace the old ones.

Translating this to Australia's health environment, the only way a new system such as a completely revamped MyHR can save money is if it replaced all existing health record systems.

MyHR would need to be revamped a) because it is only a summary system and does not manage health data very well and b) its technology and application architectures would need to be completely revised to make the system high capacity, high availability and 24/7. Big dollars.

Is this going to happen? IMHO, not in the next twenty years, if ever.

What would save hundreds of millions, improve efficiency and security, and reduce the risks to privacy of MyHR immediately? Close down MyHR.

I'm really looking forward to reading the strategy to see how the ADHA addresses these and other issues people have raised on this blog.

Eric Browne said...

Bernard, you said on July 10, 2017 2:42 PM "There is an argument that says the best course of action is to register for one, turn all data feeds off and do not upload anything".

There is no mechanism to turn off inbound document feeds to the MyHR. You can only disable outbound, i.e. downloads via access controls.
I venture that it would be very difficult to prevent uploads of data, particularly as a result of visiting a public hospital. Not that there is much being uploaded at the moment other than discharge summaries.
I've not heard of public hospitals putting in place arrangements for toggling standing consent for uploading any, let alone all document types that might be generated from patient visits. Perhaps it might be possible in the Northern Territory?

Any such arrangements would have to be put in place by the organisations. The MyHR has a total open door policy for receiving documents as far as I know. The more, the merrier from their perspective.

Anonymous said...

I am struggling to find any honesty, openness or transparency in this whole mess. Is it that people have been dodging and weaving for so long they know longer know right from wrong?

I fear something very terrible is going to occur.

Anonymous said...

4:14 PM ... they are just "hollowmen"... who have just enough knowledge to be dangerous."

Always has been, always will be - which is why an entirely new way of thinking about how to approach and resolve the problems must be adopted. New thinking! What's that?

It does not matter they replaced anyone with half a clue with new inexperienced people, it will be 5 years before these folks start catching on.

Bernard Robertson-Dunn said...

Eric
re:"There is no mechanism to turn off inbound document feeds to the MyHR."

Information about what control you have over inbound documents is in the Privacy Statement, not in the tab "Managing your Health Record" or the FAQs, where you might expect it to be - it's almost as though they are trying to keep it a secret.

According to
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/privacy-statement

Under "Information collected and used from registered repository operators" it says:

"We collect your personal information held by Medicare and include it in your My Health Record where:

* you registered for a My Health Record and consented to us collecting, using and disclosing your information held by the Chief Executive Medicare; or

* you live in an area where you were automatically registered for a My Health Record and you have not notified us to stop the flow of information held by Chief Executive Medicare in to your My Health Record."

and

"You can decide which of the above Medicare information is to be included in your My Health Record. You can also change your mind about including Medicare information in your My Health Record at any time and stop, or restart, the flow of that information."

and under "Information collected and used from a healthcare provider:"

it says:
"You can advise your healthcare providers not to upload a particular document to your My Health Record. Your healthcare provider must comply with this request."

You should be able to instruct a healthcare provider not to update any documents.

These steps permit mean that certain data could never get to your MyHR.

Information about hiding data is in an FAQ:
https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/find-out-more?OpenDocument&cat=Managing%20your%20My%20Health%20Record

Under "Can I choose to hide documents or information in My Health Record"

"The documents and information stored on My Health Record are completely under your control. You have the ability to hide clinical or Medicare documents and restore hidden documents.

If you hide documents from your record, this information will not be accessible, even in an emergency. It is important therefore to remember that healthcare providers can treat you more effectively if they have access to relevant information about your health status and any treatments you have received.

Any documents that have been uploaded (and aren’t hidden), including the Shared Health Summary, will stay for 30 years after the My Health Record owner has died, or 130 years after the document was uploaded."

Notice that it says "The documents and information stored on My Health Record are completely under your control." This is untrue as is explained elsewhere on that site. Shared and Personal Health Summaries are not able to be hidden, neither do you control what a GP puts in your SHS.