Wednesday, September 27, 2017

Despite All The Bluff And Bluster Not Everyone Is Convinced Regarding The Security Of The MyHR.

This appeared last week:
20 September 2017

Fresh fears raised over MyHR security

Posted by Julie Lambert
IT experts have challenged assurances that an alleged theft of Medicare numbers has no bearing on the security of the My Health Record. 
Monash University lecturer Robert Merkel, a specialist in software testing and fault analysis, told a parliamentary inquiry last week that he believed the most likely source of the breach was the Department of Human Services’ HPOS system, which doctors log into via the PKI or PRODA channels.  
He said he was concerned that ease of access for health practitioners had taken priority over security in the design of the health IT system, leading to the breach which resulted in Medicare numbers being offered for sale on the internet.  
“Without going into the details of the weaknesses, both of those systems are less secure than they should be, and in the case of PRODA, the weaknesses are a plausible means by which criminals could gain illegitimate access to Medicare details,” he said.  
Dr Merkel said the HPOS system seemed to demonstrate a “disconnect” between decision-makers and IT security expertise.  
“Secondly, it prioritises convenience for healthcare providers over IT security,” he said. 
“So I’m concerned that these two factors are likely to apply, or are, indeed, already baked into the design of the My Health Record. I think that serious security and privacy problems with My Health Record are inevitable.”
Paul Power, an IT consultant and principal of eHealth Privacy Australia, said reliance on a centralised data base with more than 100,000 legitimate access points made the MyHR system difficult to defend. 
“The possibility of securing over 100,000 GP PCs is close to zero, which means the probability of it being hacked is close to 100%,” he said. 
Officials from the Australian Digital Health Agency and the DHS also gave evidence at Friday’s hearing of the Senate Finance and Public Administration References Committee.
They said the data breach, revealed in the media in early July, had no relationship to the MyHR.  
Caroline Edwards, deputy secretary of health and aged care at DHS, said the intrusion appeared to be the work of “person or persons” illegally tapping into the channel used by doctors to access Medicare numbers.  
More here:
The article is based on submissions to the Senate Inquiry on the Medicare Data Breach:
Here is the link to the enquiry home page:
The submissions make interesting reading as does the transcript of the questioning by the Senators
Here is the overall link and those who responded:
1              Centre for Internet Safety (PDF 47 KB)          
2              Office of the Australian Information Commissioner (PDF 4429 KB)            
3              RACGP (PDF 380 KB)      
4              Australian Digital Health Agency (PDF 153 KB)    
5              Dr Culnane, Dr Rubinstein, Dr Teague  (PDF 388 KB)        
6              Professor Danuta Mendelson and Dr Gabrielle Wolf (PDF 907 KB)            
7              Department of Human Services (PDF 390 KB)     
8              eHealth Privacy Australia (PDF 423 KB)  
9              Future Wise Australia (PDF 2040 KB)       
10           University of Newcastle Legal Centre (PDF 132 KB)          
11           Australian Medical Association (PDF 149 KB)       
12           Dr David Glance (PDF 203 KB)    
You can download as a single .zip file and browse at your leisure or click the hyperlinks.
The Committee reports October 16. It will be fascinating to see what they make of all the submissions and testimony.
David.

8 comments:

  1. IMHO, the IT security aspects of MyHR are a red herring.

    Documents can legitimately be downloaded into other systems and then all MyHR rules and regulations no longer apply. If a patient hasn't set up a MyGov account and/or looked at their MyHR they will not even know this has happened.

    Not only that, but if data in the MyHR can be obtained from other sources, then the MyHR rules and regulations don't apply anyway.

    And how you protect against an unauthorised person looking at an unattended screen in a hospital, medical centre, pharmacy or dentists has never been explained.

    And comparing MyHR with bank level IT security is another red herring. It doesn't stop credit/debit card fraud, and it doesn't stop money laundering. Just ask the Commonwealth Bank.

    David's recent blog postings re direct access to point of care systems should be giving ADHA great cause for concern. The security of these systems is still not perfect but it's a lot better than the MyHR honeypot.

    ReplyDelete
  2. Your last point has great merit Bernard, I still don’t understand why in this day and age the MyHR exists. The richer the bounty the more tempting it is. I guess when will soon discover how good this cyber security unit is, they certainly did not show at the cyber games they held in Canberra, perhaps they are no longer allowed outside.

    ReplyDelete
  3. Private information and identity and the protection of, is incredibly important, we should also not loose sight of other purposes, especially actions related to disruption. There is indication that recent cyber attacks have not yield much in monetary value, but as it the case for wannacry it certainly caused a lot of disruption in the case of the NHS possible life threatening

    ReplyDelete
  4. A quote from my GP last week: "We need access to patient information; we need better data sharing. What we don't want to do is also give it to the government. Having the government involved will only prevent data sharing, not enable it".

    IMHO, the basic, fundamental feature of MyHR - that the government gets a copy of a huge amount of your medical treatment data, which it then keeps (effectively) for ever, - will be its downfall.

    ReplyDelete
  5. Don’t forget the secondary use aspect of the legislation, that will keep the thing alive for a few more years

    ReplyDelete
  6. My understanding of the legislation says that the need to get consent to acquire and store a patient's medical data has been removed when opt-out applies.

    It also says that secondary use is OK if the data has been acquired with the consent of the patient.

    It is not clear, to me anyway, if they can make secondary use of MyHR opt-out data.

    The consultation re secondary use was halted a while ago and AFAIK, nothing has happened since.

    They may have shot themselves in the foot. We'll need to wait and see,

    ReplyDelete
  7. I don’t get a sense that consent will get in their way, very little has prevented anything before. With events unfolding in NT and the way eHealth is pretty much a niche little club I think a widespread inspection across eHealth would not be a bad thing, it is a small world and run by a recurring set of people. I would see it as a great way to smooth growing concerns.

    ReplyDelete
  8. Bernard Sept 27. 12:10 PM. The whole secondary use exercise from memory pitted out a few years ago, the comments regarding secondary use had me do a quick search online to se if the ADOJA was upto anything. Well who would have guessed - http://www.amsant.org.au/wp-content/uploads/2017/09/Fact-Sheet-3-Secondary-Use-of-My-Health-Record-Data-FINAL.pdf

    It appears there is to be a range of consolidations. The survey (note your details will be stored outside Australia as the survey tool is hosted in the US). This appears to commence on 3 October 2017.

    No mention on the ADHA website, nothing I can find on the Departments website, and seems to be funneled through the CHF. I get a sense this is another placebo consultation where only those saying what is wanted to be heard will be used.

    ReplyDelete