Sunday, July 16, 2017

AusHealthIT Poll Number 379 – Results – 16th July, 2017.

Here are the results of the poll.

Has The Medicare Number Leak Increased Concern Regarding The Security Of Personal Data Held In The myHR?

Yes 76% (120)

Maybe 20% (31)

No 3% (5)

I Have No Idea 1% (2)

Total votes: 158

The numbers speak for themselves. The vast majority are now rather less comfortable with myHR security.

A really great turnout of votes!

Again, many, many thanks to all those that voted!

David.

5 comments:

Anonymous said...

Many rightfully have expressed concern that miscreants could potentially use the GovHR for identity theft and fraud.
Numerous qualified individuals and organisations have on public record opined that enabling accessibility to personal identifying information in the form of the Federal Government Health Record System from personal computers over the Internet will only worsen an ongoing problem that will make Australians vulnerable to fraud and identity theft. The ADHA is very careful to not direct focus on the use of untrustworthy end point computers and mobile devices, which when compromised, will potentially enable attackers to exert full control over the My Health Record system owned and operated by the Federal Government to look at or change its contents with the same privileges as the owner or authorised users. Whether this action of the ADHA is deliberate or not raises concerns either way as the push for more access by end point devices of all shapes and sizes.

The ADHA does however also continue the narrative that the records would be controlled by individuals and not the government. I and many others, however, feel this emphasis on the records being fully personally controlled is misleading, especially when it comes to individuals who do not understand security risks.

I wonder if the Australian Government’s plan to implement through forced subscription to the Federal Government Health Record System over the Internet, possibly through a standard Internet connection and browser software, will expose these records to theft and compromise if in some future case the Government senior public servants could be subject to liability or even held to account in a court. I have issues with the ADHA statements about the security, confidentiality, integrity and availability of the records “misleading”, especially in light of the fact that any client end-user computer used to access the Federal Government health information store might already be compromised by malicious software.
The four main categories of threats that I am concerned about are:
The back-end central infrastructure including server databases and data processing systems
Intermediate data storage and processing systems
Data transport and communications
End point devices and software used by users. Users refer to the individuals whose personal information is included in the electronic health record, health professionals who will access and update the information, and IT or administrative staff who will access the record as required.
I would like to point out that the computer used to connect to the system can range from a smartphone, a home PC, laptop, an enterprise PC on a public or private network to a publicly used PC located in Internet kiosks and business lounges; these devices are often targeted by criminals for identity theft and fraud. Techniques like ‘phishing’ and malware used by these criminals have been documented and firmly established.

From the ADHA (which is a continuation of the DoHA line), they like equating access to health records to access to bank account details; this discounts the fundamental difference between the Australian banks’ business model and that of the ADHA. While banks cannot ensure the confidentiality of online transactions, they can protect the integrity of the transaction by detecting fraudulent transactions. With online health records, both the confidentiality and the integrity must be maintained; detecting unauthorised access and changes will be difficult. IMHO, I feel that most end users do not possess adequate knowledge, resources or skills to manage the risks. Healthcare workers are not security experts, nor should we be expecting them to become so, especially in light of the recent reports on the hours many work.

Anonymous said...


One claim repeated many times is that some of the information contained in the federal Government Records system, including full name, date of birth, current address and Medicare number can be used by criminals for illicit financial gain. Another concern in the submission is the possibility of the System providing information to criminals that could be used to fraudulently get hold of pharmaceutical drugs under prescription. The latter is perhaps heightened now the screws are being tightened in other areas.
Creating a huge, centralised, government-run database of electronic health records is an activity which will no doubt draw online criminals and fraudsters like flies to a honeypot. There is absolutely no doubt that the security of the Government’s health records project will be defeated at various points, due simply to the fact that thousands of Australians will be accessing the database from insecure computers. When the endpoint cannot be secured, neither can the centralised data.
However, to balance the conversation it can be debated that these concerns are also highly generalised ones. Banks, other government agencies and a wealth of other organisations hold data on Australians in centralised databases. Do we block Australians from using Internet banking because of poor security of some endpoint devices such as PCs and mobile phones? No. Does the ATO stop businesses from accessing their information online because of the same reason? No.
In this sense, those with a more evangelical viewpoint of the Federal Government's health records system seem to hold the position (through their diligence) that anyone who wants to argue against the MYHR expansion project must illustrate that the initiative is somehow less secure than the databases held by these other organisations. There seems no reason to believe that the Federal Government's health record database can’t be reasonably secured, at least to the standard of Internet banking systems, through a combination security system featuring multi-factor authentication. Alleging that it can’t is nothing less than scaremongering.

How the Government deals with compensation as with the banks' business model is an interesting question.

My guess is they will progress behind closed doors in ignorance and with utter contempt for the wellbeing of Australian citizens headed by those with great experience in that.

Anonymous said...

David,

Who is paying for these egregious comments from these peak bodies? What has been exchanged for these endorsements of government activity?

I don't remember an example from another industry - perhaps your readers could?

How do these statements fit with so many of their members' public view of the current MyHealth Record? Have the members of these peak bodies been bamboozled and hoodwinked...or has the Department of Health played them....

Anonymous said...

It mimics union or mafia protection racket tactics, sign up and pay up or the patient gets it. To support these claims they roll out specific examples and ignore the majority, all at the cost of progress. You need to look at the Secure Messaging media release, you would think Australia has no form of secure electronic exchange of messages. I wonder if the ADHA get funded based on reaching a monthly target of the use of the word fax. Still I am pleased to see that CDA has prevailed so that conforms to messages can make it into the document store.

Anonymous said...

July 16, 2017 5:33 PM. This Project is simply a chip in a larger set of bets and trade offs. The Peak Bodies and Colleges are in most quite careful with the language used. They cannot outright denounce the silly thing as that would do harm in other and to them larger issues and negotiations. As supportive as they may sound they have not wed themselves and are sufficiently at arms length so as not to be tarnished in the event something goes wrong.

That said, Tim is simply grabbing random quotes, throwing away any context when these are used. The ADHA is also very keen to smother any alternative views. I do note they are running out of fresh faces and stories, so after only 7 months, that in itself speaks volumes.