Tuesday, July 04, 2017

It Seems It Is On For One And All With DHS Security – They Seem To Have Sprung A Leak.

This appeared a few minutes ago:

Hackers are offering to sell the Medicare details of Australians on the dark web, government confirms

HACKERS are selling the Medicare card numbers of Australians on the ‘dark web’, which experts say could be used to steal your private health records.

Claire Bickers, Sue Dunlevy and Tom Minear

News Corp Australia Network

July 4, 2017 10:54am

HACKERS are selling the Medicare card numbers of Australians on the ‘dark web’, which could be used to steal private health records.

The Federal Government has confirmed it’s urgently investigating the security breach and has referred the matter to the Australian Federal Police.

A journalist from The Guardian revealed he was able to purchase his own Medicare card details from a vendor on the dark web for just $30, from a device called ‘the Medicare machine’.

A great deal more is found here:

http://www.news.com.au/technology/online/security/hackers-are-offering-to-sell-the-medicare-details-of-australians-on-the-dark-web-government-confirms/news-story/c475b1cbc963648c191a1eaceba4b12b

We can all just watch along with interest!! They were warned!

David.

7 comments:

Bernard Robertson-Dunn said...

Not exactly hard to track down. A search using Tor and the term "Medicare Machine" throws up the name of the auction site.

You need to register to access the site, which I haven't done. My interests are research and educational only. I'm not stupid, just careful.

How DHS responds will be interesting to see. Even if they fix the hole in the system, the data is out there.

I believe there was also a discussion about this on Radio National Breakfast this morning. Later, Minister Tudge said not to worry. They can't access your health record with this information.

Oh?

There's a good chance you can access someone else's health record via the healthcare system. It's not built for high levels of security or privacy.

Scenario:
Get someone's Medicare details from the auction site.

Go to one of the darknet sites that will custom make a Medicare Card for you (yes they do exist).

With the fake Medicare card in your hot little hand, rock up to a healthcare provider you've never been to before (eg pharmacist, hospital, medical centre), tell them you have a MyHR and ask them if you can review it.

If they don't have one, just wait until the opt-out program happens, then they probably will have one.

You might even be able to con a medical centre into creating one for you and also register for MyGov, although I'm not sure about MyGov.

Oh, and there are darknet sites that will make drivers licences for you if you need to go the extra distance.

Somebody please explain if and where I've got this wrong. I'd hate to spread unfounded rumours.

Anonymous said...

Holy bits and bytes Kelsey, quick to the cyber cave Tim, we need to consult the Engadget and get some twits and blogs out there.

Anonymous said...

Anon @12:43 - my laugh for the day, thank you!
meanwhile, back in the 'real?' world, the other nanny-staters have a great idea to put nano-chips in our cash to stop granny putting her money under the bed. Can't have you hiding your dosh from ScoMo and the taxman now, someone has to pay for the MyHR.

Bernard Robertson-Dunn said...

There's only one word that matters now: Trust. Or in the case of ADHA and the government, a lack of trust.

The government has always wanted to make access to health data easier. Well they got what they wanted.

Let's face it, the only real alternative to the government holding a copy of your health data - even only a summary - is to leave it with someone you know and trust - your GP. Means of sharing this data can be implemented, but not the way NEHTA built the PCEHR. Notice I didn't use the terms architected or designed. IMHO a proper architecture would have considered centralised vs distributed and realised that distributed was the only viable option.

Yes, there will always be a risk, but keeping health data with the GP is far smaller than a huge honeypot of a government database.

Grahame Grieve said...

Bernard, you're confused about trust here. I trust my GP to give me good advice about my health, and refer me appropriately. I don't trust them to be cyber-security experts that can secure my data. Nor do I wish to pay them to acquire such expertise.

Anonymous said...

I think, Grahame and Bernard, the issue lies somewhere between the two extremes and I agree with you both. For my 2 dollars less tax and levies:

I am assuming we can agree that we have a general agreement that the federal government should facilitate standards-based approaches to health data collection and exchange and finance and help disseminate findings from a wide range of experiments to find the most successful interoperable health record models.

I have to a degree a level of trust that reformed the government (ADHA) could be most effective by avoiding two possible pitfalls:
1. Sponsoring a superficial, one-size-fits-all public electronic health record, and
2. Allowing many agencies to offer independent public health records with little coordination or strategic vision.

The real test for public electronic health records would be whether they made it easier for ordinary people to engage more actively in maintaining their own health and health care with better communication, improved safety, enriched knowledge and confidence, and trusted safeguards of their privacy.

The federal government and our State and territory governments should take a lead role as personal health records evolve in order to help promote this technology becoming a trusted, widely used tool, which it is fast becoming.

Through the My Health Record, past and present, I feel the Governments of Australia are doing us all a disservice, with the Federal Government now a major competitor that is self-regulating and accountable to no one, as recent events seem to demonstrate.

Bernard Robertson-Dunn said...

Grahame, I was talking about trusting the government to look after the health data of all Australians, not about trusting GPs to be cyber-security experts.

IMHO, trust, security and privacy should be primary objectives and built in to the architecture of any health record system.

Because two of the primary objectives of the MyHR are to reduce data fragmentation and make access to data easier, trust, security and privacy have been compromised. The default of MyHR is that anyone with access to the system can see anyone's MyHR and they can see everything in it. To me, that's totally untrustworthy, insecure and is a threat to patient privacy.

A health record system should be designed to ensure high levels of data security and privacy and only relaxed deliberately and as required. Only then will trust follow.

Furthermore, the effectiveness and efficiency of GPs and any other user should be enhanced, certainly not reduced. MyHR requires GPs to act as data entry clerks, to "consider" data already in a MyHR and make sure that any SHS they upload is consistent with data already there. They also need to wade through the unstructured data in a MyHR and try and make sense of it, as well as worry about its accuracy and completeness.

GPs also have the added worry about making sure that their staff do not breach patient privacy.

Dr Steve Hambleton tweeted today: "we have the building blocks to be the best in the world" - after ten years and they've only delivered building blocks?

I don't think he understands that health records are not about building blocks (or technology) but are about improved healthcare and that those improvements will only come by taking the load off GPs, not by overburdening them.