Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Thursday, April 26, 2018

It Rather Looks Like Health Information In Australia Is A Hackers Target – Not Good..

This appeared last week:

Healthcare data a growing target for hackers, cybersecurity experts warn

ABC Science
By technology reporter Ariel Bogle
In 2016 a Californian hospital desperately paid $US17,000 in bitcoin as ransom to a hacker who had seized control of its computer systems.
But in making the payment, the Hollywood Presbyterian Medical Centre unwittingly helped make the healthcare sector a growing target for hackers, says a leading cybersecurity expert.
"They paid the ransom and they were public about it," said Denise Anderson, president of the US National Health Information Sharing and Analysis Centre.
"It painted a target on the back of healthcare"
Ms Anderson works with health providers to share cyber threat information and techniques for thwarting online attacks.
Speaking at the recent Australian Cyber Security Centre conference in Canberra, she echoed a concern heard many times at the event — as we put more medical information online, healthcare is becoming one of the preferred targets.
The result is very real threats that range beyond privacy breaches to delayed surgery, blackmail and identity theft and other criminal activity.
For Ms Anderson a security breach suffered by the American health insurance provider Anthem in 2015, was also a turning point.
The personal information — including names, birthdays and social security numbers — of about 79 million people was accessed by a hacker.
"Bad actors saw that and realised the value of the data that was there," Ms Anderson said.
"Would they have been able to do that 10 years ago? Probably not."

Risk to operations

Australia's healthcare system, like transport or energy, is critical infrastructure.
That's why the WannaCry ransomware attack in 2017 was a wakeup call, said Alastair MacGibbon, head of the Australian Cyber Security Centre.
The malicious software locked up National Health System computers in the UK and demanded a ransom, causing appointments to be cancelled and surgeries delayed.
"That highlighted to some operators of hospital infrastructure that a ransomware attack can actually have life and death implications," he said.
The industry is increasingly aware of cyber risks, added Dr Nathan Pinskier of the Royal Australian College of General Practitioners and an e-health specialist.
"In Australian cybersecurity, there are only two types of healthcare organisations — those that know they've been hacked and those that don't know they've been hacked," he said.
"Everybody's a target."
While large institutions may have systems in place to detect online intrusions and deal with them, smaller general practices may not.
Dr Pinskier said his mantra is "protect, prevent, preserve", and most importantly, "backup".

Your data is also a target

Hospital systems are not the only target — your own health records could be, too.
These records are incredibly rich, Ms Anderson pointed out.
It's not just names and dates of birth, which can be used for identity theft, but someone's blood type or even the prescription drugs they take.
"If you can get a set of data saying, 'all these people are being prescribed opioids', for example, [you can] harvest their credentials and get their prescriptions," she said.
According to Mr MacGibbon, online criminals are mostly "coin-operated".
"Their preferred ... target is cash itself. If you can't get the cash, then you go for things that can be converted to cash. And personal data is one of those things," he said.
Sensitive health information, for example could be used to blackmail a public figure or extract a ransom from a medical provider.
And health data has what's called a large "threat surface" — many vulnerable points where it could be accessed.
"So, a medical practitioner, my GP, shares information with a specialist, shares information with a hospital ... then it has to be shared with Medicare, my private health insurer in order to pay bills," Mr MacGibbon explained.
Of course, not all security breaches occur as a result of access by hackers.
Figures for the first quarter of 2018 from Australia's data breach notification scheme show that over all sectors, around half of breaches were caused by human error.
The scheme found most breaches came from the healthcare sector.

What about My Health Record?

Ms Anderson also raised concerns about the Australian government's My Health Record project — an online summary of personal health information uploaded by care providers.
According to a report by the Australian Information Commissioner, 113 people were affected by unauthorised access of My Health Records by a third party in 2016-17.
In late 2018, all Australians will have a record automatically created for them if they don't already have one — unless they opt out. People will be given three months to opt out but the dates for this are yet to be announced.
Ms Anderson said she would personally be "nervous" about having such information centralised and accessible in one place.
"No matter how good you say you are at doing stuff like that, and any defensive measures that you put in place, eventually there's going to be some kind of breach," she said.
An Australian Digital Health Agency spokesperson said, "My Health Record balances safety and security with the benefits available to consumers and healthcare providers".

Australians will have to decide for themselves

Professor Bronwyn Hemsley, head of speech pathology at the University of Technology Sydney, has researched attitudes to My Health Record.
She said the scheme could make an important difference to patient care by easing barriers to information access between doctors and patients.
"When health information is not shared appropriately ... then we see mistakes happening," she said.
Because the system is opt-out, Australians will have to decide for themselves whether the convenience of having vaccination and medication information in one place outweighs any risk, and act upon it.
"When you connect data up, when you make it mobile, when you make it accessible, by its very nature, that increases the threat surface of that data," Mr MacGibbon said.
"There is no such thing as absolute security."
Here is the link:
It is excellent to see the issue in the mainstream media and a more balanced view of risk and benefits being put.


Anonymous said...

David this is probably worth adding to the conversation - https://finance.yahoo.com/news/more-1-million-children-were-152743423.html

All I would say is that if we do not tread carefully we could put online healthcare back many many years. Is the MHR crusade worth the risk?

Bernard Robertson-Dunn said...

This also worth adding

Consent and ID after Cambridge
Andrew Ryan
April 26, 2018

"... for consent to be valid, four key elements should be satisfied.”

Those elements include the fact that an individual must be adequately informed before giving consent. Second, consent must be provided voluntarily. Consent must be current and specific; and finally, an individual must have the capacity to understand and communicate their consent.

“None of these things happened in the case of Cambridge Analytica,” she concluded.

“While there may be some time before the Australian Government introduces similar regulations, the recent Open Banking Review made specific recommendations regarding simplified user consent that enables the consumer to be in control of their data and how it's shared.


“What needs to happen is that we have to ensure that consumers have a simple way of consenting to share their data,” he said.

These simple methods of consent could include the ability to time-box consent, and ensuring that the same consents are readily available and not necessarily layered.

Mr Steele also said that consent needs to be managed by the consumer, and that such consents would include the right to be forgotten."

Two observations:

1. The legislation that enables My Health Record to become opt-out removes the need to obtain consent.

2. My Health Record has no right to be forgotten

The landscape around myhr is changing.

Grahame Grieve said...

hi Bernard. The right to be forgotten is an issue causing consternation throughout the IT world right now - all of us have heaps of logs, often signed, that we are suddenly legally required to tamper with. But you just can't rewrite history, and it's a breath taking scope increase for lawmakers to make retrospective laws like this (European GDPR). I expect that someone big will challenge that part in court, and the law will be adjusted so that you have to provide convincing undertakings to not use your historical logs to reconstrucut usable data, but that you don't have to destroy all your historical records. (and here's something I'm yet to get a straight answer on: is it ok to retain records confirming that you've complied with a request to forget everything about someone?)

But note, however, that GDPR, which is the most intrusive legislation imaginable, still allows for organizations to retain data for 2 reasons related to MyHR: retaining records that must be stored for legal reasons, and public health utility. I'm sure that every almost every piece of healthcare data falls into one or both of those categories (even without stretching the law), so there's no reason to think that any rational law on this subject (which wouldn't go as far as GDPR) would touch the MyHR. Personally, I think it's perfectly reasonable for MyHR audit trails to not be tampered with by requests to be forgotten. Just remove all records from the current data store (which is not quite what the policy is, it's hedging in between). Further, there's no way to enforce/insist that anyone who's read a document out of the MyHR also forget about it - firstly, you might not be able to push a request to them, and secondly, most of them will either be under direct patient control, or have convincing legal reasons to retain the document.

Bernard Robertson-Dunn said...

Thanks for the input/observations.

Data ownership/custodianship/access etc are very complex issues and something as simple as "the right to be forgotten" is meaninglessly vague.

In the case of myhr, when most if not all the data is a copy of data held elsewhere "forgotten" makes little sense.

If a hospital uploads a discharge summary which is then downloaded to a GP's system then there are (at least) three copies. The patient would need to specify who to forget the data and go to each to request it. The issue of logs makes it even more complex.

I don't have any particular position on the right to be forgotten, but I do on consent. I think the government is going down a risky path removing the need to get consent and making it difficult (impossible) for a person to properly manage consent.

Where I see problems are in:

* the government's lack of openness and transparency in what they are doing.

* the lack of discussion/debate regarding many of the decisions they are making with regard to our data

which gets back to an observation that several people have already made - it's a people problem. In this case, IMHO, the people are the politicians and bureaucrats in government.