Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Wednesday, October 11, 2017

More Questions Keep Coming About The Security Of The myHR. Maybe A Little More Disclosure Would Help Allay Concerns.

This appeared last week:

Are organisations in denial about My Health Record’s safety?

6 October 2017


If you believe the RACGP, the AMA and the Australian Digital Health Agency, the illegal sale of Medicare numbers doesn’t expose any security dangers with My Health Record.
All three organisations have fronted a Senate inquiry into how Medicare numbers ended up for sale on the ‘dark web’ for a bargain rate of about $25 each in July.
The prevailing theory is that whoever stole the Medicare numbers exploited legitimate access to the Health Professional Online Services (HPOS) website, and senators wanted to know if the My Health Record could be vulnerable in the same way.
AMA chair of general practice Dr Richard Kidd told the inquiry: “It’s unfortunate that media reports incorrectly link the sale of Medicare card details to My Health Record’s security because it can undermine public confidence in it.”
Digital Health Agency CEO Tim Kelsey added that a Medicare number was just one of five bits of information needed to access My Health Record. That’s in addition to IT security measures like PKIs, HPI-Is and NASHes, he said. 
It’s acronym city and sounds pretty safe, but is it much different from accessing HPOS? Let’s look at the theory behind how someone used HPOS to obtain the Medicare numbers and sell them on.
A buyer supposedly sent whoever was obtaining the numbers a person’s name and birthdate, which they used to look up the Medicare number in HPOS. To do this they would have to be using a computer fitted with a valid PKI certificate to access HPOS. And this leads to the theory that whoever the dark web vendor was, they were probably using a practice computer.
Now, if you look at the My Health Record provider portal fact sheet, you’ll see the system required to gain access is not too different. You need the patient’s first name, last name, birthdate, Medicare number and gender. So, on paper, anyone wanting to access the system could do so as long as they had the Medicare number. 
All they would then need to do is guess the right gender, given that they already have the individual’s birth date and name.
More here:
It seems to me the author is making a cogent case for some clarity as to where he is wrong or some changes to make sure he is really wrong!
I look forward to the press release explaining the next steps!

1 comment:

Anonymous said...

A couple of concerns, 1. I am not convinced there is sufficient corporate memory in ADHA to understand what this hodgepodge or system of
Things does or how it works, 2. Accenture’s data breech or data give away today gives me little confidence I hope there is no planning to put this in a cloud arrangement with a global company like Accenture.

In regards to an earlier post related to PulseIT where some in ADHA claimed certain things, I am sure we will see the true side
come out and more placing of inderviduals to meddle and manipulate the market and respected bodies.