Tuesday, July 11, 2017

Just When You Thought News On Government System Leaks Might Stop We Get This! What A Mess.

Since Tuesday we have seen a lot of column inches spent on the leak of Medicare numbers and their purchase from the ‘dark web’.
Here is the first exclusive article.

The Medicare machine: patient details of 'any Australian' for sale on darknet

Exclusive: A trader is offering Medicare card details for less than $30 each on a popular auction site for illegal products
A darknet vendor is offering Medicare patient details of any Australian on a popular auction site. Photograph: AAP
A darknet trader is illegally selling the Medicare patient details of any Australian on request by “exploiting a vulnerability” in a government system, raising concerns that a health agency may be seriously compromised.
An investigation by Guardian Australia can reveal that a darknet vendor on a popular auction site for illegal products claims to have access to any Australian’s Medicare card details and can supply them on request.
The seller is using an Australian Department of Human Services logo to advertise their services, which they dub “the Medicare machine”.
Medicare card details are not publicly available. They are valuable to organised crime groups, because they allow them to produce fake physical Medicare cards with legitimate information that can then be used for identification fraud.
These identification cards have been used by drug syndicates to buy goods and lease or buy property or cars. The card details could also be used to defraud the government of Medicare rebates. In 2015 a police strike force targeted a group that was using Medicare card details to direct rebate payments into fraudulent bank accounts.
Organised crime groups regularly use darknet auction services, which are more difficult for law enforcement agencies to track because they are not indexed or searchable like other parts of the internet.
The darknet vendor has sold at least 75 Australians’ Medicare card details – describing them as “marks” – since October 2016. The listing page suggests they may have also been selling a large number before October 2016 but were forced to change their method for accessing the data.
The price for purchasing an Australian’s Medicare card details is 0.0089 bitcoin, which is equivalent to US$22.
Guardian Australia has verified that the seller is making legitimate Medicare details of Australians available by requesting the data of a Guardian staff member.
Lots more here:
The best summary of what has happened for the rest of last week is here (from the original reporter):

Data breaches undermine trust in government's ability to protect our information

Darknet sale of Australians’ Medicare details – revealed by the Guardian – follows census debacle, malware attacks and hacking attempts
The government found itself facing heavy criticism this week over how it handles Australians’ personal information, after a Guardian investigation revealed a darknet trader was illegally selling the details of any Medicare card holder on request by “exploiting a vulnerability” in a government system.
The data had been for sale since at least October 2016, and the seller appears to have sold the Medicare details of at least 75 Australians.
The human services minister, Alan Tudge, admitted he and his department had only become aware of the breach when contacted by Guardian Australia. Nobody from his department – or apparently from the Australian security services – appears to have been actively monitoring this posting on the darknet auction site.
This is just the latest data security and privacy scandal to rock the Australian government. While it has tried to reassure the public, there has been a flurry of concern about Medicare, health data and the use and storage of Australians’ personal information more broadly.
It comes off the back of a string of incidents including the census debacle, malware attacks and other high-profile hacking attempts that have served to undermine confidence in the government’s handling of information.
“What’s happening is the community is wrapping these attacks together and seeing them as a threat, and it adds to a perception that their data is not safe,” said Australia’s privacy commissioner, Timothy Pilgrim. “All the players need to work out a way to build up that trust.”
But why do these breaches keep happening? And is the government doing everything it can to stop them, and reassure the public when they do happen?
After being alerted by the Guardian to the Medicare breach, the minister took swift action, referring it to the Australian federal police for investigation. Pilgrim welcomed this as an appropriate response.
Tudge also did several interviews, seeking to reassure Australians that their actual medical records stored online as part of the My Health Record system had not been compromised.
These were useful and important clarifications. But they missed the main risk of this breach, and the opportunity to curb similar incidents.
The most critical risk to Australians from the misuse of Medicare card data is one of identity fraud. A fake Medicare card with legitimate details can get a criminal a quarter of the way to an entire fake ID. This could then be used by organised crime groups in any number of ways, for example by leasing property or equipment. It could also be used to fraudulently obtain services from Medicare itself.
Lots more here:
The best commentary I have seen so far comes from the Conversation:

After the Medicare breach, we should be cautious about moving our health records online

July 5, 2017 5.18pm AEST

Author Robert Merkel

Lecturer in Software Engineering, Monash University
The Australian government is digitising the country’s health system, but a serious Medicare security breach suggests we may not be ready.
The Australian Federal Police are investigating after the Guardian discovered that the Medicare card details of Australians were available for purchase on the “dark web”.
The dark web – a collection of websites that are only accessible through anonymising systems such as Tor – allows vendors to remain largely hidden from law enforcement. There is a long-standing trade in illicit goods and services, including hacked personal data, on eBay-like dark web marketplaces.
As journalist Paul Farrell pointed out, criminal groups can use Medicare numbers to create fake Medicare cards with the details of real people. In combination with other personal information, these cards or simply the Medicare numbers themselves, could be used to commit a wide variety of fraud.
The Medicare system has security issues, but the number of fallible people and systems who will have access to our medical records in the future is also concerning.

Security weaknesses

It is not yet clear how the Medicare details were obtained. In a press conference on Tuesday, Minister for Human Services Alan Tudge said he had been advised “that there has not been a cyber security breach of our systems as such, but rather it is more likely to have been a traditional criminal activity”.
He would not explain what “traditional criminal activity” might include, but emphasised that the Medicare details available were insufficient to gain access to personal health records.
In my view, the Department of Human Services’s (DHS) Health Professional Online Services (HPOS), which provides health professionals with access to Medicare details, has weaknesses in its security.
HPOS is an online system for healthcare and disability service providers, such as medical practices, to interact with the department, including by electronically submitting Medicare claims. It can also be used to find a patient’s Medicare card number based on their name and date of birth.
Any staff member at a healthcare provider with a HPOS login as well as somebody’s name and date of birth can look up the Medicare number of anyone in Australia. This matches the details requested from Farrell by the dark web vendor.
Importantly, the mechanism for protecting HPOS from unauthorised logins does not follow modern security practices. Logins to HPOS are managed through another online system called Provider Digital Access (PRODA). This was recently rolled out as an alternative to Human Services Public Key Infrastructure certificates (PKI) that also give access to online services.
PRODA uses “two-factor authentication” to, in theory, ensure that simply stealing a username and password is insufficient to gain illicit access.
Many people are now familiar with two-factor authentication codes sent via SMS when using online banking, or authentication apps on smartphones that generate a secret code used to log in. PRODA offers both options. However, it also supports sending the code via email.
Even SMS-based two-factor authentication has security problems sufficient for the US National Institute of Standards and Technology to no longer recommend it for new systems. However, it is much better than email-based two-factor authentication. Sending a “secret token” via email is almost completely useless as a security measure.
Any compromise of a computer used for HPOS access, which gives a criminal access to the PRODA username and password, would likely give access to the email account to which the PRODA authentication codes are sent. Subsequent accesses to HPOS by the criminal would merely require them to use the stolen username and password, and to monitor the compromised email account.
In response to a request for comment, a DHS spokesperson said HPOS was designed “with security at the forefront”.
“Health providers must undergo a stringent registration process to gain access to HPOS,” she said in an email. “Access is granted to individuals (not to whole medical practices) when they have proven their credentials.
“The department treats the security of personal data extremely seriously and conducts thorough investigations into any claims of misuse.”
More here:
And it seems what is being looked up is valuable!
Updated Jul 7 2017 at 11:00 PM

Medical data more valuable than credit card details on the dark web

Medicare details sold by cyber criminals
Australia's browbeaten insurers say medical records are now even more prized by cyber criminals than financial data following recent dark web scandals.
Breaches of privacy, such as the illicit sale of Medicare card details for less than $30 online that was exposed this week, and the ransomware attack that froze computers across the UK's National Health Service, are becoming worryingly common.
Insurers say they are not feeling adequately prepared to cope with the fallout as health records become a hot commodity on a hidden part of the internet known as the dark web.
Search engines cannot search and do not index this unlisted section of the internet, meaning illegal items, including personal data and drugs, can be traded with relative ease.
Lots more here:
There are a zillion other articles on all this that have appeared in the last week!
I have to say that from my perspective all this was rather inevitable – and it is interesting that it is now reported that the Government has been worried about this issue for a number of years.
See here to read more:

Government was warned three years ago about Medicare security

Adam Gartrell
Published: July 5 2017 - 5:21PM
With the commentary published on Sunday and all this I reckon you would be a mug not to opt-out of the myHR and come up with some other way to have an accessible medical record (USB Key or a card in the wallet say).
Your choice.
David.

1 comment:

Anonymous said...

You say David - Your choice.

But is it? I feel more and more of late it is not MY choice but rather this is being forced on me. I already have the means to access my health information via my GP, I do not need a MyHR, I would much sooner have in an emergency access to my GP records than some uncontrolled and unmanaged blob of stuff.

I do not know what can be done, every time the risk flag goes red they simply change the risk weighting and reset the counter.