Monday, July 10, 2017

Weekly Australian Health IT Links – 10th July, 2017.

Here are a few I have come across the last week or so.
Note: Each link is followed by a title and a few paragraphs. For the full article click on the link above the title of the article. Note also that full access to some links may require site registration or subscription payment.

General Comment

An amazing week with 2 major stories running regarding the leaking of personal data and the possible dangers of aggregating all that health data in a single government system.
Elsewhere all sorts of other stuff adding to the concern regarding the government’s capability to protect our personal data.
-----

Data breaches undermine trust in government's ability to protect our information

Darknet sale of Australians’ Medicare details – revealed by the Guardian – follows census debacle, malware attacks and hacking attempts
The government found itself facing heavy criticism this week over how it handles Australians’ personal information, after a Guardian investigation revealed a darknet trader was illegally selling the details of any Medicare card holder on request by “exploiting a vulnerability” in a government system.
The data had been for sale since at least October 2016, and the seller appears to have sold the Medicare details of at least 75 Australians.
The human services minister, Alan Tudge, admitted he and his department had only become aware of the breach when contacted by Guardian Australia. Nobody from his department – or apparently from the Australian security services – appears to have been actively monitoring this posting on the darknet auction site.
-----

The Medicare machine: patient details of 'any Australian' for sale on darknet

Exclusive: A trader is offering Medicare card details for less than $30 each on a popular auction site for illegal products
A darknet vendor is offering Medicare patient details of any Australian on a popular auction site. Photograph: AAP
A darknet trader is illegally selling the Medicare patient details of any Australian on request by “exploiting a vulnerability” in a government system, raising concerns that a health agency may be seriously compromised.
An investigation by Guardian Australia can reveal that a darknet vendor on a popular auction site for illegal products claims to have access to any Australian’s Medicare card details and can supply them on request.
The seller is using an Australian Department of Human Services logo to advertise their services, which they dub “the Medicare machine”.
-----

Media Release: Statement regarding claim that Medicare card details are for sale

4 July 2017

The Hon Alan Tudge MP

Minister for Human Services
Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web, are being taken seriously by the government and are under investigation. 
These claims have also been referred to the Australian Federal Police. 
The Guardian claims that one of its own journalists bought his own Medicare card details from the dark web.
I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.
-----

A real Mediscare: Data breach raises new concerns about security of health records

Adam Gartrell
Published: July 4 2017 - 5:59PM
The Turnbull government insists there has been no major cyber security breach of its health IT systems and says "traditional" criminals - rather than sophisticated hackers - are likely to blame for a website apparently selling the Medicare numbers of all Australians. 
Announcing both internal and federal police investigations on Tuesday, Human Services Minister Alan Tudge said it appeared the breach had affected only a small number of people and had not put sensitive personal medical records at risk.
But IT and privacy experts are sounding the alarm, using the revelations to call for an urgent rethink of the government's new centralised $1 billion My Health Record system - which is about to be rolled out to most Australians.
-----

The web belongs to the bad guys and getting it back won't be easy

Peter Hartcher
Published: July 4 2017 - 12:05AM
The internet has been lost to the bad guys. The attempt to recover it has only just begun. It won't be easy. Trumpeted as a cornucopia of liberty and prosperity, it has evolved into a Pandora's box of mischief and malice. Its malevolent exploitation rests on two foundational failures. One, its earliest technical designers in the US military put connectivity over security. And two, its earliest civilian adopters were guilty of a wide-eyed naivete.
The internet is an extension of the original network created by the Pentagon's Advanced Research Projects Agency, ARPA. In 1967 when the ARPANET was being wired up to connect research laboratories across the US, a prescient engineer warned of the danger of connecting computer networks. Willis Ware, a specialist working for the Pentagon-sponsored RAND Corporation, explained it would become impossible to protect anything connected to those networks. Duly warned, ARPA considered adding security features to the architecture of the net, as chronicled in Fred Kaplan's book, Dark Territory: The Secret History of Cyber War. But the net's chief scientist "begged" his superiors not to burden the project with such hindrances, and assured them that it'd take the Russians decades to catch up.
He was right, but catch up they did, together with a rogue's gallery of others, and then it was too late.
-----

Government was warned three years ago about Medicare security

Adam Gartrell
Published: July 5 2017 - 5:21PM
The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.
Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.
The Australian National Audit Office concerns emerged as the Greens announced they would push for a Senate inquiry into revelations that Medicare numbers are available for sale on the "dark net", a shadowy corner of the internet where criminal activity flourishes. It remains unclear how the numbers are being accessed.
-----

Data, distrust, and the disastrous My Health Record

Amy Coopes |  05 July 2017

Plagued by sluggish uptake, clinician reticence and a substantial privacy backlash, the $1.2 billion My Health Record has proven, thus far, something of a lemon.

No amount of rebranding away from the unfortunately-acronymed PCEHR ('pecker') to My Health Record, or push to a coercive opt-out model can overcome the simple fact that it isn't very popular. After five years just five million Australians — one in five of us — have signed up for a record, and only 10,000 doctors, hospitals and other health providers are on board.
The putative benefits of an electronic health record have been expounded at length by the government, and are purported to include: less fragmentation of health data across a heavily siloed system; improved availability and quality of information; fewer adverse events and duplicated tests or treatments and improved coordination and quality of care overall.
-----

Breaches serve as a reminder of your rights to privacy

Alison and Jillian Barrett
Published: July 6 2017 - 9:59PM
The "Mediscare" event this week, where it is alleged Australians' Medicare details can be purchased online, has no doubt made many of us question to whom we provide our personal information.
It seems our children may not be immune, with fears that students' personal and educational information is being shared to private companies who contract to schools.
In an age where we entrust so many different people, businesses and government departments with our personal information, what right do we have to demand these organisations keep our personal information confidential?
The Australian Privacy Principles govern how most Australian government agencies, businesses (including not-for-profit) with an annual turnover of more than $3 million, private health service providers (eg. doctors, any holistic or alternate therapy businesses, gyms, childcare centres) and some small businesses must collect, retain and use personal information.
-----
July 6 2017 - 11:05AM

How to safely search the deep web

David Nield
The deep web and its inner recess, the dark web — those less well-trodden parts of the internet beyond the reach of Google and Bing — are not for the faint-hearted or untrained. With the right tools, however, there's little to fear and plenty to discover. Here's how you can start exploring the deep web without having to worry about your digital well-being.
There are a few ways to approach this, but we're going to focus on one of the most straightforward and secure for simplicity's sake. We're going to be using Tails OS, a bootable operating system that includes everything you need to get down to those hidden parts of the web.

What is the dark net?

You can buy drugs, weapons and even assassins on it, so do we need the deep web?
-----

Health records at risk of being stolen and released online

Published: 03 July 2017

They’re the most private, personal and intimate details of your life. And for many of us, our Doctor’s records may contain things we would never want our employers, friends, or peers to know about us.

Yet, your entire medical history will soon be at risk of being made public for the entire world to see, at the mercy of cyber hackers who may feel like causing mischief, according to warnings from an information technology expert.
From next year, the private health information of every Australian will be held on a centralised database when the Federal Government launches ‘My Health Records’, unless you consciously choose to ‘opt out’.
-----

Health records ‘vulnerable to hacking’, expert warns

Sue Dunlevy, National Health Reporter, News Corp Australia Network
July 3, 2017 10:00pm
EXCLUSIVE
THE health records of every single Australian, including the Prime Minister, will be vulnerable to a hacking attack from next year, an IT expert has warned.
The private health information of every Australian will be put into a centralised data base when the government automatically creates a digital My Health Record for everyone in 2018 unless they opt out.
The record will reveal whether people have had an abortion, a sexually transmitted disease, a mental illness and other potentially sensitive health information.
Paul Power, who heads Power Associates, a company that has been doing IT consultant work for medical practices for 17 years, says the system is extremely vulnerable to hacking because it centralises information and has so many access points in hospitals and doctors’ surgeries.
-----

Time for real-time prescription monitoring

It’s a sobering fact: more people die from drug overdose than road traffic crashes.
Perhaps even more concerning is that most of these overdose deaths in Australia are not caused by illicit drugs, but by the fatal mixture of two or more pharmaceuticals – often medications I and my colleagues prescribe to help people improve the quality of their lives.
Take-home message one: The combination of opioids (like oxycontin) and medications such as benzodiazepines (e.g. valium) can be fatal – even more so if mixed with alcohol.

Dealing with drug dependence

Abuse of prescription drugs is a big problem and doctors and pharmacists are often unaware that some of their patients collect prescriptions from several prescribers and pharmacies. This can go unnoticed because our computer systems are not yet linked and the reporting systems have flaws.
-----

My Health Record: GPs get the stick, pathology gets the carrot

Antony Scholefield | 5 July, 2017
For GPs, the financial impetus to use the My Health Record is still a stick — the threat of losing established practice incentive payments should they fail to upload Shared Health Summaries.
For private pathology companies, on the other hand, the financial incentive is up to $250,000 worth of carrot.
GPs who use My Health Record may soon notice something new: pathology and imaging results on the My Health Record from two private providers.
For a system that has been promising a healthcare revolution since its inception five years ago, the appearance of these results is overdue.
-----

openEHR Task Planning – progress update

Posted by wolandscat
In openEHR, we’ve neatly sidestepped the issue of ‘workflow’ by using the term  task planning, which I think better corresponds to the scope we think we can manage. If we were to say we were writing a specification for workflow, it’s like someone in the construction industry saying, hey, we’re writing a spec for architecture, it’s going to be great … because workflow is sort of everything, or at least everything that moves.
Along with colleagues at Marand (Slovenia), DIPS (Norway) and Lanit (one of the Moscow mega-EHR implementer companies), I’ve been working fairly constantly on the new specification. The others all bring knowledge of use cases, current challenges and of course many great ideas on how to specify a Task Planning framework, while I bring some of what I have learned with the Activity-Based Design (ABD) team at Intermountain Healthcare, where I also work, as well as about a year’s worth of background literature research.  The guys at DIPS in particular have a lot of knowledge on concrete scenarios because of the close relationship DIPS has with the clinical sector in Norway, and their long-term experience in full EMR implementation, which is proving to be extremely useful.
-----

SA HB 163:2017

Digital Hospitals Handbook

Standards Australia

Abstract 

This Handbook develops a set of principles and recommendations that inform the design and implementation of digital hospitals, both new and refurbished, that enables innovative ways for providing healthcare services and supports positive outcomes for stakeholders now and into the future.

Scope 

This Handbook provides guidance on what a digital hospital is and proposes a set of principles (in Section 3) that provide the basis for the development of a Digital Hospital Program.

Sections 5 to 9 of this Handbook set out the key phases required to deliver a digital hospital—from business case through design, implementation, go-live and finally, to handover—that take place in a Digital Hospital Program. Throughout the program are foundations or themes that should be considered and established at the onset and thereafter require a continuous focus; the breadth and depth of focus on each theme or foundation may vary but should be commensurate with the stage of the program.
-----

Standards Australia launch 'Digital Hospitals Handbook'

To help healthcare providers plan their digital transitions
George Nott (CIO) 06 July, 2017 09:09
Standards Australia has released its Digital Hospitals Handbook to inform the design and implementation of modern healthcare facilities.
The handbook – IT039 – includes a clear definition of 'digital hospital', and guidance relating to systems architecture and design, programme management, business case formulation, leadership, staffing, risk management, governance, change management and continuing operations.
UnitingCare's St Stephen's Hospital in Hervey Bay, which opened in 2014, was used as an exemplar.
“Australian hospitals have been improving their digital maturity for decades. However, early adopters show some projects have cost more, taken longer and been less effective than was otherwise possible,” said Dr Andrew Howard, chair of the handbook’s technical committee and adviser to the Australian Digital Health Agency.
-----

Qld auditor targets IT oversight, shared services

By Justin Hendry on Jul 5, 2017 11:00AM

Also eyes e-health, cyber security.

The Queensland audit office will take a long hard look at the performance of the state’s IT project management and shared services model next year as part of its line-up of upcoming audits.
The state auditor recently put forward its three-year agenda [pdf], zeroing in on central technology policy and e-health for a third of its most immediate audits.
The office will also set its sights on future reviews of the state’s cyber security and open data efforts.
The state’s ICT projects dashboard – a central accountability mechanism for monitoring and managing Queensland's $800 million worth of concurrent ICT projects – will be one of the first to receive the scrutiny of the audit office.
-----

How to install practice cameras (while staying on the right side of the law)

3 July 2017

SMART PRACTICE

Safeguarding your practice with CCTV makes sense, but what are your legal obligations?
In response to an outbreak of crime near your practice, you decide to install closed-circuit TV cameras (CCTV) inside and outside the premises to provide added security. As well as installing cameras outside the premises and in the reception area to deter theft and vandalism and keep staff and patients safe, you also plan to have cameras in the consulting and treatment rooms.

Background

Before taking these steps you need to be aware that private medical practices must comply with state laws regarding the installation of CCTV and meet obligations under the Commonwealth Privacy Act in relation to the handling of personal information collected through CCTV in private practices. In some states, it may be a criminal offence to film people without their consent, so it is essential to get advice before you install any security cameras.
There are a number of issues you need to consider including:
  • informing patients, staff and others entering the premises, that CCTV is used  
  • whether to store and how to secure recordings
  • dealing with requests for footage
  • amending practice policies – including your practice privacy policy.
-----

The quest for greater data availability and use in Australia

Australia, USA June 28 2017
In brief
The Australian Federal Government recently released the Productivity Commission's (Commission) much anticipated final report on Data Availability and Use (Report), which analysed the benefits and costs of increasing the availability and use of data in Australia across the private and public sectors. The Commission's recommendations seek to transform Australia's current risk-averse regulatory frameworks and protections for data collection and use to realise the value of data in today's digitised society. The Report recommends comprehensive reform of Australia's data infrastructure (including legal, policy, and cultural components) with the goal of building public confidence and trust in data use, and foster community perceptions of data as an asset rather than a threat. It explains that a shared understanding of the costs, risks, and benefits associated with data is the key to driving commercial value and potential innovations. It also seeks to uplift Australia against comparable jurisdictions in terms of open data policies and skills, and to capitalise on the rapid growth of data generation and usability.
-----

Public data access will lead to breaches down the line

If the recent Medicare card episode does anything it should make the Australian Government stop and think - and realise that its push to have public data available on the Internet is going to lead to data breaches down the line.
Recent reports said that Medicare details were available for sale on a site on the dark web.
The government was caught on the hop when it surfaced that the Australian Taxation Office was reported to have told its staff that Medicare cards could not be used for identity verification after this information came to light.
-----

Transforming government services through big data

Big data has the potential to create large-scale social and economic benefits for Australians in the way that governments both deliver services and interact with citizens
Big data analytics have transformed the way businesses identify trends, challenges and opportunities. As businesses transform digitally using these digital technologies, government departments face the pressure of following suit.
Big data has the potential to create large-scale social and economic benefits for Australians in the way that governments both deliver services and interact with citizens. The value of big data lies in the Government’s ability to deploy production-graded data platforms to identify analytical insights and make better decisions on a mass scale, processing and assessing the plethora of complex and highly personal data – particularly from the taxation office, welfare, health and education  – that most individual Australians interact with.
In late 2013, the Australian Government Information Management Office (AGIMO) invited both private sector and government agencies to submit proposals for joint private-public projects (PPPs) to use its vast data holdings in innovative ways, as part of the big data Strategy.
-----
  • Jul 7 2017 at 11:00 PM
  • Updated Jul 7 2017 at 11:00 PM

Medical data more valuable than credit card details on the dark web

Medicare details sold by cyber criminals
Australia's browbeaten insurers say medical records are now even more prized by cyber criminals than financial data following recent dark web scandals.
Breaches of privacy, such as the illicit sale of Medicare card details for less than $30 online that was exposed this week, and the ransomware attack that froze computers across the UK's National Health Service, are becoming worryingly common.
Insurers say they are not feeling adequately prepared to cope with the fallout as health records become a hot commodity on a hidden part of the internet known as the dark web.
Search engines cannot search and do not index this unlisted section of the internet, meaning illegal items, including personal data and drugs, can be traded with relative ease.
-----
3 July 2017

Queensland breast-screen results set to go digital

Posted by TMR Staff
BreastScreen Queensland is set to introduce automated electronic delivery of screening results to GPs, replacing the current system where results are sent by post.
The screening service will use secure-messaging vendors which are integrated into GP desktop software to deliver more timely and efficient results to GPs and patients. Currently, results of a screening test can take up to 10 days to arrive at a GP practice when sent by post.
Testing of the new automated system is expected to begin on August 4, with the system to go live on September 4.
-----

Fitbit's smartwatch plans hit more snags just months from debut

Mark Gurman and Selina Wang
Published: July 3 2017 - 11:59AM
Fitbit, months away from the debut of its smartwatch, has lost several people working on the project and fallen behind on its app store, putting in peril the company's most important product in years.
Hard hit by the sinking popularity of its fitness trackers, Fitbit has bet its future on the smartwatch. But such devices are typically wedded to an ecosystem of compatible devices, apps and services that lure then lock people in. While Fitbit's watch can play music and handle payments, according to people familiar with the product, a discussed partnership with Spotify failed to materialise and technical challenges mean the app store may not be ready when the watch arrives this year. Many app developers, meanwhile, are unenthusiastic about Fitbit's watch.
-----

1ST Group Limited

Record Sales in Q4
Market update
HIGHLIGHTS
  • Monthly Recurring Revenue (MRR) sales increases $43k quarter-on-quarter (or $516k annually), a new quarterly record – excluding usage fees, one off fees, advertising and other variable fees
  • Marketing investments in Q3 and Q4 driving strong sales growth


1ST Group Limited (ASX: 1ST), the Australian online health, media and technology group, today provided a market update advising a record increase in sales during the quarter ending June 30.
New contracts sold in the June quarter of FY17 (Q4) increased 1ST Group’s MRR by $43k, a quarterly record for the company and an increase of 169% from $16k in the previous quarter. An increase in $516k in annual recurring subscription revenue, excluding new usage fee product sales, one off fees, and variable fees.
-----

APS5 Customer Care Analyst

  • Front Line Support & Technical Implementation Services Division
  • Brisbane based position
Tasked with improving health outcomes for Australians through the delivery of digital healthcare systems and the national digital health strategy for Australia, the Australian Digital Health Agency (the Agency) is responsible for national digital health services and systems, with a focus on engagement, innovation and clinical quality and safety. Our focus is on putting data and technology safely to work for patients, consumers and the healthcare professionals who look after them.

The Agency is currently seeking people with a desire to make a difference to health outcomes, who are passionate about the use of digital health to meet these goals and have the relevant experience to deliver solutions in a highly complex stakeholder and technical environment.
Reporting to the Customer Care Manager, the APS5 Customer Care Analyst is responsible for providing superior customer service to customers by answering enquiries, triaging technical issues, achieving resolutions for problems, and having an in-depth understanding of the digital health landscape.
-----

Flying Doctor chief: NBN to bring 78% cost reduction

The chief executive of the Royal Flying Doctor Service of Australia expects the arrival of the national broadband network to its bases in remote areas to result in savings of millions of dollars based on recent deployments and a special rate for the Sky Muster service.
Martin Laverty told a Senate Estimates hearing last week that a deployment in Rockhampton was an illustration of the savings the airborne health service expected to achieve.
“I will give the illustration of the deployment of the NBN in Rockhampton at one of our 24 aero bases,” he said.
“In the current financial year, we will pay $32,000 for access to ADSL broadband in Rockhampton. In the next financial year, we expect to spend $7000. That is a 78% reduction in our costs at Rockhampton for accessing broadband services because of the arrival of the NBN at that location.
-----
Enjoy!
David.

2 comments:

Trevor3130 said...

Re Peter Shergold's review of Medicare security, what's more likely?
1. The access logs are inadequate.
2. The logs are there, but cannot be used to prevent unauthorised access.
Either would suggest the "guts" of Health's systems of databases won't be able to support reliable security of MyHR.
I'm assuming the task (by AFP) of finding the exact point where the system was accessed to get that journalist's number is trivial. But, if they cannot gather the evidence for a prosecution, then what?
I guess Shergold will have to test the HPOS, running at 45000 per day, with enough rigour to allow the Minister to stand behind its security (despite rare illegal entries). If the review cannot assure the Minister of that, then is it likely Health will have to put MyHR on ice till repairs, or, worse, re-configs, are done?

Anonymous said...

It is just never ending - http://mobile.abc.net.au/news/2017-07-12/tax-office-slip-up-reveals-new-phone-hacking-capabilities/8698800?pfmredir=sm

said the instructions were dated but was surprised the ATO were sharing that level of technical advice.

"It's very odd to see the ATO with a PowerPoint presentation on something that's more the domain of signals intelligence," he told the ABC.

Now if we cannot trust Security personnel at the ATO, how am I expected to trust a department and an agency run by someone with a proven record of using citizens' information in less than transparent and consented fashion?