Wednesday, October 11, 2017
More Questions Keep Coming About The Security Of The myHR. Maybe A Little More Disclosure Would Help Allay Concerns.
This appeared last week:
6 October 2017
If you believe the RACGP, the AMA and the Australian Digital Health Agency, the illegal sale of Medicare numbers doesn’t expose any security dangers with My Health Record.
All three organisations have fronted a Senate inquiry into how Medicare numbers ended up for sale on the ‘dark web’ for a bargain rate of about $25 each in July.
The prevailing theory is that whoever stole the Medicare numbers exploited legitimate access to the Health Professional Online Services (HPOS) website, and senators wanted to know if the My Health Record could be vulnerable in the same way.
AMA chair of general practice Dr Richard Kidd told the inquiry: “It’s unfortunate that media reports incorrectly link the sale of Medicare card details to My Health Record’s security because it can undermine public confidence in it.”
Digital Health Agency CEO Tim Kelsey added that a Medicare number was just one of five bits of information needed to access My Health Record. That’s in addition to IT security measures like PKIs, HPI-Is and NASHes, he said.
It’s acronym city and sounds pretty safe, but is it much different from accessing HPOS? Let’s look at the theory behind how someone used HPOS to obtain the Medicare numbers and sell them on.
A buyer supposedly sent whoever was obtaining the numbers a person’s name and birthdate, which they used to look up the Medicare number in HPOS. To do this they would have to be using a computer fitted with a valid PKI certificate to access HPOS. And this leads to the theory that whoever the dark web vendor was, they were probably using a practice computer.
Now, if you look at the My Health Record provider portal fact sheet, you’ll see the system required to gain access is not too different. You need the patient’s first name, last name, birthdate, Medicare number and gender. So, on paper, anyone wanting to access the system could do so as long as they had the Medicare number.
All they would then need to do is guess the right gender, given that they already have the individual’s birth date and name.
It seems to me the author is making a cogent case for some clarity as to where he is wrong or some changes to make sure he is really wrong!
I look forward to the press release explaining the next steps!
Posted by Dr David G More MB PhD at Wednesday, October 11, 2017