This appeared on Sunday:
'You can’t undo that damage': How safe is your health data?
By Jennifer Duke
1 July 2018 — 12:15am
For the next three months, Australians have the chance to stop the government creating a digital medical health record with their information.
Among those planning to opt out is Monash University software engineering lecturer Robert Merkel, who has concerns about the safety of his information under the government's My Health Record system.
“I don’t think the security measures [health care providers have] are commensurate with the sensitivity of that data and the incentives that some criminals may have to illegally gain access to it,” Dr Merkel said. “The security on your bank systems is not perfect either, but in general if you lose money, you can be compensated for that. If your private health information is leaked you can’t undo that damage.”
A bitter pill to swallow
From February, when the rules were changed to force businesses to report data breaches that cause "serious harm", to the end of March, about a quarter of the 63 incidences reported to the Privacy Commissioner involved health care providers. About 100 people were affected.
Not every data breach is a cybersecurity issue, but hackers are increasingly looking for weak systems to collect information for intelligence reasons, fraudulent insurance claims, identity theft and "ransomware", where a malicious program stops a user from accessing devices until a payment is made.
However, even in the world’s most online security-focused countries like Israel, which was among the first to digitise health records, protecting medical organisations is a relatively recent consideration.
Speaking at Tel Aviv University's annual international cybersecurity conference, Cyber Week 2018, Professor Isaac Ben-Israel, head of the Blavatnik Interdisciplinary cyber research centre and chairman of the conference, said he had focused on cybersecurity for decades but health was often overlooked.
In 1999, when working for the Israel Defence Forces, Professor Ben-Israel gave the Israeli government a 36-strong list of critical infrastructure, from power production and water supply to banking, under threat from cyber attacks. Healthcare was not added to the list until 2010.
“We had a red team [a group of white-hat, or ethical, hackers that test security] sent to one of the hospitals in Israel ... what they found is still common to all hospitals,” he said.
They discovered many ways to cause harm by compromising hospital security systems.
Part of the difficulty is simply the public nature of hospitals, explains Ophir Zilbiger, head of the Israel-based BDO Cybersecurity Centre and a speaker at Cyber Week.
“Imagine yourself walking the corridors of a hospital,” Mr Zilbiger said. “Computers are just mixed with the general public, it’s not like a bank branch, where the tellers' computers are behind the desk and the public is in front of the desk.
“So it’s really easy for hackers to gain access to medical information side-by-side with the fact healthcare represents privacy risks.”
Then consider how many different branches and clinics there are across the country, each often using different software and devices.
In early-2018, for instance, a flaw found in software used by more than 40,000 health specialists in Australia, and distributed by Telstra, left some medical records potentially exposed to hackers.
Macquarie University senior lecturer in cyber security Stephen McCombie said small branches could be considered “easy targets” by attackers who wanted quick access.
“The difficulty with health is you have lots of small providers, the potential to be attacked is pretty big as there are a lot of places where a compromise can happen,” Dr McCombie said.
He believes the government's awareness of the risks has benefited from the 2017 North Korean ransomware attack WannaCry that hit 230,000 computers globally, including a dozen Australian businesses, and drastically affected UK hospitals.
Much more here:
With only a few weeks to run till the commencement of the three-month opt-out period for the myHR, it is useful to see that the mainstream media is pointing out that the case for having a myHR is not a lay-down misère, there being a range of security, privacy, accuracy and technical risks which ought not be ignored.
I hope at least this will encourage more informed discussion and decision making.
David.
1 comment:
Adding a wider point of concern - the language used when reporting a data breach needs to change across the ICT industry, so that the general public is better informed. Information isn't "stolen" as much as "copied"; and pragmatically that means that once information has been released to the wild it can never be "recovered". I support the ideals of the MRH, however all systems are vulnerable to attack and the custodians of our medical records need support and budget to do it right.