This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Tuesday, July 11, 2017
Just When You Thought News On Government System Leaks Might Stop We Get This! What A Mess.
Since Tuesday we have seen a lot of column inches spent on the leak of Medicare numbers and their purchase from the ‘dark web’.
Tuesday 4 July 2017 04.00 AEST Last modified on Tuesday 4 July 2017 06.32 AEST
A darknet trader is illegally selling the Medicare patient details of any Australian on request by “exploiting a vulnerability” in a government system, raising concerns that a health agency may be seriously compromised.
An investigation by Guardian Australia can reveal that a darknet vendor on a popular auction site for illegal products claims to have access to any Australian’s Medicare card details and can supply them on request.
The seller is using an Australian Department of Human Services logo to advertise their services, which they dub “the Medicare machine”.
Medicare card details are not publicly available. They are valuable to organised crime groups, because they allow them to produce fake physical Medicare cards with legitimate information that can then be used for identification fraud.
These identification cards have been used by drug syndicates to buy goods and lease or buy property or cars. The card details could also be used to defraud the government of Medicare rebates. In 2015 a police strike force targeted a group that was using Medicare card details to direct rebate payments into fraudulent bank accounts.
Organised crime groups regularly use darknet auction services, which are more difficult for law enforcement agencies to track because they are not indexed or searchable like other parts of the internet.
The darknet vendor has sold at least 75 Australians’ Medicare card details – describing them as “marks” – since October 2016. The listing page suggests they may have also been selling a large number before October 2016 but were forced to change their method for accessing the data.
The price for purchasing an Australian’s Medicare card details is 0.0089 bitcoin, which is equivalent to US$22.
Guardian Australia has verified that the seller is making legitimate Medicare details of Australians available by requesting the data of a Guardian staff member.
Saturday 8 July 2017 08.45 AEST Last modified on Saturday 8 July 2017 08.48 AEST
The government found itself facing heavy criticism this week over how it handles Australians’ personal information, after a Guardian investigation revealed a darknet trader was illegally selling the details of any Medicare card holder on request by “exploiting a vulnerability” in a government system.
The data had been for sale since at least October 2016, and the seller appears to have sold the Medicare details of at least 75 Australians.
The human services minister, Alan Tudge, admitted he and his department had only become aware of the breach when contacted by Guardian Australia. Nobody from his department – or apparently from the Australian security services – appears to have been actively monitoring this posting on the darknet auction site.
This is just the latest data security and privacy scandal to rock the Australian government. While it has tried to reassure the public, there has been a flurry of concern about Medicare, health data and the use and storage of Australians’ personal information more broadly.
It comes off the back of a string of incidents including the census debacle, malware attacks and other high-profile hacking attempts that have served to undermine confidence in the government’s handling of information.
“What’s happening is the community is wrapping these attacks together and seeing them as a threat, and it adds to a perception that their data is not safe,” said Australia’s privacy commissioner, Timothy Pilgrim. “All the players need to work out a way to build up that trust.”
But why do these breaches keep happening? And is the government doing everything it can to stop them, and reassure the public when they do happen?
Tudge also did several interviews, seeking to reassure Australians that their actual medical records stored online as part of the My Health Record system had not been compromised.
These were useful and important clarifications. But they missed the main risk of this breach, and the opportunity to curb similar incidents.
The most critical risk to Australians from the misuse of Medicare card data is one of identity fraud. A fake Medicare card with legitimate details can get a criminal a quarter of the way to an entire fake ID. This could then be used by organised crime groups in any number of ways, for example by leasing property or equipment. It could also be used to fraudulently obtain services from Medicare itself.
Lots more here:
The best commentary I have seen so far comes from the Conversation:
Lecturer in Software Engineering, Monash University
The Australian government is digitising the country’s health system, but a serious Medicare security breach suggests we may not be ready.
The Australian Federal Police are investigating after the Guardian discovered that the Medicare card details of Australians were available for purchase on the “dark web”.
The dark web – a collection of websites that are only accessible through anonymising systems such as Tor – allows vendors to remain largely hidden from law enforcement. There is a long-standing trade in illicit goods and services, including hacked personal data, on eBay-like dark web marketplaces.
As journalist Paul Farrell pointed out, criminal groups can use Medicare numbers to create fake Medicare cards with the details of real people. In combination with other personal information, these cards or simply the Medicare numbers themselves, could be used to commit a wide variety of fraud.
The Medicare system has security issues, but the number of fallible people and systems who will have access to our medical records in the future is also concerning.
It is not yet clear how the Medicare details were obtained. In a press conference on Tuesday, Minister for Human Services Alan Tudge said he had been advised “that there has not been a cyber security breach of our systems as such, but rather it is more likely to have been a traditional criminal activity”.
He would not explain what “traditional criminal activity” might include, but emphasised that the Medicare details available were insufficient to gain access to personal health records.
In my view, the Department of Human Services’ (DHS) Health Professional Online Services (HPOS), which provides health professionals with access to Medicare details, has weaknesses in its security.
HPOS is an online system for healthcare and disability service providers, such as medical practices, to interact with the department, including by electronically submitting Medicare claims. It can also be used to find a patient’s Medicare card number based on their name and date of birth.
Any staff member at a healthcare provider with a HPOS login as well as somebody’s name and date of birth can look up the Medicare number of anyone in Australia. This matches the details requested from Farrell by the dark web vendor.
Importantly, the mechanism for protecting HPOS from unauthorised logins does not follow modern security practices. Logins to HPOS are managed through another online system called Provider Digital Access (PRODA). This was recently rolled out as an alternative to Human Services Public Key Infrastructure certificates (PKI) that also give access to online services.
PRODA uses “two-factor authentication” to, in theory, ensure that simply stealing a username and password is insufficient to gain illicit access.
Many people are now familiar with two-factor authentication codes sent via SMS when using online banking, or authentication apps on smartphones that generate a secret code used to log in. PRODA offers both options. However, it also supports sending the code via email.
Even SMS-based two-factor authentication has security problems sufficient for the US National Institute of Standards and Technology to no longer recommend it for new systems. However, it is much better than email-based two-factor authentication. Sending a “secret token” via email is almost completely useless as a security measure.
Any compromise of a computer used for HPOS access, which gives a criminal access to the PRODA username and password, would likely give access to the email account to which the PRODA authentication codes are sent. Subsequent accesses to HPOS by the criminal would merely require them to use the stolen username and password, and to monitor the compromised email account.
In response to a request for comment, a DHS spokesperson said HPOS was designed “with security at the forefront”.
“Health providers must undergo a stringent registration process to gain access to HPOS,” she said in an email. “Access is granted to individuals (not to whole medical practices) when they have proven their credentials.
“The department treats the security of personal data extremely seriously and conducts thorough investigations into any claims of misuse.”
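The Conversation piece above points out that any HPOS login can turn a name and date of birth into a Medicare number, and the Guardian noted that nobody in the department was watching while at least 75 of those lookups were sold. The following is an added example, not code from the article, DHS or HPOS: a small detector run over a constructed audit log (the real HPOS log format is not public, so the line format, user names and thresholds here are assumptions) that flags a provider login doing bulk lookups or working outside business hours.

```python
import re
from datetime import datetime

# Constructed audit-log format (an assumption; the real HPOS logs are not public):
# <ISO-8601 timestamp> user=<login> action=<action> [subject=<who was looked up>] result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: subject=(?P<subject>\S+))? result=(?P<result>\S+)$"
)


def build_sample_log() -> str:
    """Constructed sample data: one clinic receptionist behaving normally and one
    provider login (hypothetical 'prov-4410') being used as a lookup machine."""
    lines = []
    for i, minute in enumerate((5, 21, 48)):  # three daytime lookups
        lines.append(
            f"2017-06-30T09:{minute:02d}:00+10:00 user=clinic-recep-17 "
            f"action=patient_lookup subject=subj-{i:03d} result=ok"
        )
    for i in range(12):  # twelve different people looked up at 2 a.m.
        lines.append(
            f"2017-07-01T02:{i * 3:02d}:00+10:00 user=prov-4410 "
            f"action=patient_lookup subject=subj-{100 + i:03d} result=ok"
        )
    # Unrelated activity: claims have no subject and must not count as lookups.
    lines.append("2017-07-01T02:40:00+10:00 user=prov-4410 action=claim_submit result=ok")
    return "\n".join(lines)


def parse_events(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bulk_lookups(events: list, per_hour_threshold: int = 10,
                        business_hours: tuple = (7, 20)) -> list:
    """Bucket successful patient lookups per (user, clock hour) and raise one alert
    per bucket that exceeds the volume threshold or falls outside business hours.
    Distinct subjects are reported so an analyst can tell a repeated lookup of
    one patient from enumeration of many."""
    buckets = {}
    for e in events:
        if e["action"] != "patient_lookup" or e["result"] != "ok":
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        b = buckets.setdefault((e["user"], hour), {"count": 0, "subjects": set()})
        b["count"] += 1
        b["subjects"].add(e["subject"])

    alerts = []
    for (user, hour), b in sorted(buckets.items()):
        reasons = []
        if b["count"] > per_hour_threshold:
            reasons.append("volume")
        if not (business_hours[0] <= hour.hour < business_hours[1]):
            reasons.append("after_hours")
        if reasons:
            alerts.append({
                "user": user,
                "hour": hour.isoformat(),
                "lookups": b["count"],
                "distinct_subjects": len(b["subjects"]),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_lookups(parse_events(build_sample_log())):
        print(alert)
```

The thresholds are deliberately crude; in practice they would be set per provider type from a baseline of normal lookup volume, and the distinct-subject count is the more telling signal, since a legitimate practice looks up its own patients rather than a fresh stranger every three minutes.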
With the commentary published on Sunday and all this, I reckon you would be a mug not to opt out of the myHR and come up with some other way to have an accessible medical record (a USB key or a card in the wallet, say).