Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, September 20, 2017

The Privacy Foundation Highlights The Risks Of Having A Vast Centralised Collection Of Health Records.

In the last week or so, possibly the largest leak of detailed personal information occurred. Full personal details of approximately 143 million people were exposed.
Here is a report:
September 14, 2017 / 2:04 PM

Equifax says web server vulnerability led to hack

(Reuters) - Credit reporting company Equifax Inc blamed a web server vulnerability in its open-source software, called Apache Struts, for the recent data breach that compromised personal details of as many as 143 million U.S. consumers.
The massive data breach had exposed valuable information to hackers between mid-May and July and sent Equifax shares tumbling, the company said last week.
“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” Equifax said in a statement on Wednesday.
Cyber security experts said it was among the largest hacks ever recorded and was particularly troubling due to the richness of the information exposed - names, birthdays, addresses and Social Security and driver’s license numbers.
Here is the link:
Here is the press release from the Privacy Foundation.

Kissing goodbye to your health privacy? Governments must work harder.

This week ID information from the financial records of over 120 million people in the United States was hacked – the latest reminder that IT security failure is a global epidemic.
Health records are just as valuable to hackers. The current system for storing and using health records in Australia is hopelessly deficient. But with lousy data security, and a world where data breaches are a daily event, the Australian Government’s reluctance to fix this problem is looking negligent!
The Australian Privacy Foundation (APF) highlights the need for law reform and effective administration in order to protect the health records of all Australians.
It has just filed its submission to the Independent Review of Accessibility by Health Providers of Medicare Card Numbers, established following reports that Medicare Numbers are being sold on the Dark Web.
This problem must be fixed. It can be fixed by long overdue law reform, and by changes to the way health identifiers are handled by the private sector and our Government.
David Vaile, chair of APF, today said “These changes are now urgent because Australia is establishing the billion dollar MyHR program, intended to create electronic access to the medical records of most people across Australia.”
“There needs to be a full independent review of the whole controversial MyHR program, given the widespread concerns by health, information technology and legal specialists that its design, security model and implementation is fundamentally flawed” said Mr Vaile.
“Trust is the basis of effective medicine, and the clinical relationship at the heart of it, but there is no trust in My Health Record’s defective design and inadequate operation. The Government system is so inadequate that Australians’ health records will be a click away from being stolen.”
Mr Vaile called for establishment of a ‘Privacy Tort’, i.e. a national law providing a right to compensation for anyone who has experienced a serious breach of privacy. The Tort has been recommended by Commonwealth, state and territory law reform commissions and parliamentary committees over the last decade, after the High Court found there was no existing remedy and called for Parliament to address it. A Privacy Tort is a common sense solution to a problem that will not go away.
A Privacy Tort exists in most major economies. Australians are now almost alone in remaining exposed to massive privacy breaches without any enforceable legal remedy. Australia is increasingly isolated by its failure to offer this basic self-help protection for citizens’ rights in the digital age.
The Foundation also calls for strengthening of the Office of the Australian Information Commissioner, the under-fed national privacy watchdog.
There needs to be greater transparency in disclosure by government of data breaches, particularly those relating to health records, said Mr Vaile. “We should not rely on journalists to discover that our privacy has been breached.”
The Foundation opposes calls for establishment of a multi-purpose national identity card – a new Australia Card – to replace the Medicare Card or Medicare Number. Such a card will not meaningfully inhibit identity crime. It will require resources that are more usefully invested in public health. It will not be a trustworthy solution. It will erode the privacy of all Australians.
Here is the link:
There is press commentary here:

Australian Privacy Foundation wants 'privacy tort' to protect health data

The Australian Privacy Foundation wants the federal government to act swiftly in ensuring the health information of citizens is safe from suffering the same fate as Equifax clients.
By Asha McLean | September 11, 2017 -- 07:41 GMT (17:41 AEST) | Topic: Security
The Australian Privacy Foundation (APF) has requested that the federal government urgently reform existing laws and reconsider the administration of My Health Record, saying the recent Equifax data breach has highlighted the urgency of protecting citizen information.
In its submission to the Independent Review of Accessibility by Health Providers of Medicare Card Numbers, APF said that health records are just as valuable to hackers, and that the current system for storing and using health records in Australia is "hopelessly deficient".
"With lousy data security, and a world where data breaches are a daily event, the Australian government's reluctance to fix this problem is looking negligent," APF chair David Vaile said.
Vaile called for the establishment of a "privacy tort", such as a national law providing a right to compensation for anyone who has experienced a serious breach of privacy.
According to the APF, the tort has been recommended by Commonwealth, state, and territory law reform commissions and parliamentary committees over the last decade.
"A privacy tort is a common sense solution to a problem that will not go away," the APF claimed. "A privacy tort exists in most major economies. Australians are now almost alone in remaining exposed to massive privacy breaches without any enforceable legal remedy. Australia is increasingly isolated by its failure to offer this basic self-help protection for citizens' rights in the digital age."
Similarly, the APF also called for strengthening the Office of the Australian Information Commissioner (OAIC), labelling the agency led by Timothy Pilgrim as being "underfed".
"There needs to be greater transparency in disclosure by government of data breaches, particularly those relating to health records," Vaile added. "We should not rely on journalists to discover that our privacy has been breached."
More here:
The bottom line with all this is: if a 30 Billion Information Management expert company like Equifax can leak information, how confident can we be in the myHR? Surely the answer is that the myHR is an accident waiting to happen and that the approaches outlined in Sunday’s blog are far to be preferred to prevent large scale information leaks and breaches.
Or do I have this wrong? Comments welcome!
David.
Disclosure: I am a member of the Health Subcommittee of the Privacy Foundation.
