Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Wednesday, January 09, 2019

ZDNet Does A Much Better Than Average Job Of Explaining The #myHealthRecord Data Breaches.

This appeared last week:

My Health Record had 42 data breaches in 2017-18 but no 'malicious' attacks: ADHA

Highest category of breaches was due to attempted Medicare fraud, the Australian Digital Health Agency has said in its 2017-18 annual report.
By Chris Duckett | December 31, 2018 -- 02:49 GMT (13:49 AEDT) | Topic: Security
Australia's troubled My Health Record recorded 42 data breaches between July 1, 2017 and June 30, 2018, the Australian Digital Health Agency (ADHA) has said in its 2017-18 annual report [PDF].
Three of the breaches were reported to the Office of the Australian Information Commissioner (OAIC) and involved one breach of unauthorised access due to an incorrect Parental Authorised Representative being assigned to a child, and two breaches due to suspected Medicare fraud that resulted in the potential fraudster seeing records without authority.
ADHA also said 17 breaches were found from the Department of Human Services identifying intertwined records where two or more people have been using the same Medicare record, and 22 breaches from attempted Medicare fraud where unauthorised claims appeared incorrectly in the My Health Record of affected users.
"There have been no purposeful or malicious attacks compromising the integrity or security of the My Health Record system," ADHA said.
The Department of Human Services had corrected the records in all instances, ADHA said.
The My Health Record operator said as of July 27, 2018, almost one quarter of Australians had a record.
"In 2017–18 the Agency, as System Operator, registered 935,206 people for a My Health Record," it said. "There were a total of 42,877 cancelled registrations during the year."
ADHA said 221,580,930 documents were uploaded to the system in 2017-18, and 798,000 people accessed their records through its portal in that time frame.
As of June, ADHA reported connecting 178 of the country's 208 private hospitals to My Health Record, and 815 of Australia's 1,108 public hospitals to the system.
Australians have until January 31 to opt-out of the national health record system or they will have a record created for them if they do not already have one.
By October 19, 1.147 million had removed themselves from the system, but ADHA said it was happy with the result.
In the wake of the annual report, Labor has reiterated its call for OAIC to review the system, and hit out at the AU$20 million deficit that ADHA reported.
There is a good deal more here:
This paragraph is the one that matters:
“Three of the breaches were reported to the Office of the Australian Information Commissioner (OAIC) and involved one breach of unauthorised access due to an incorrect Parental Authorised Representative being assigned to a child, and two breaches due to suspected Medicare fraud that resulted in the potential fraudster seeing records without authority.”
What this says is that there was 1 human error and two episodes where a fraudster viewed viewed som records. Frankly no matter what the sophistry of the ADHA the last two were unauthorised viewing of records and were clearly breaches in any common understanding of the word.
Chris Duckett does, by the way, accurately report what page 59 of the Annual Report says.
So the ADHA is flat out lying with all this. It is a simple as that!
You can see how blatant they are from their release (the first para is just blatant):

Responsible reporting of notifiable data breaches

31 December 2018
There have been no reported unauthorised views of a person’s health information in My Health Record in the six years of its operations. More than 6.3 million people have a My Health Record.
The Agency, which was established in July 2016,  has a legal responsibility under the My Health Records Act 2012 to report ‘notifiable data breaches’ to the Office of the Australian Information Commissioner (OAIC). These ‘notifiable data breaches’ have been routinely reported by the Agency and the Department of Human Services which runs the identity scheme which underpins My Health Record  to the OAIC.   These reports are published annually by the OAIC. Details are also described on page 59 of the Agency’s 2017-2018 Annual Report. Errors of this type occur due to either alleged fraudulent Medicare claims or manual human processing errors, as was the case for the breaches reported during the 2017-2018 financial year. There has been no reported unauthorised viewing of any individual’s health information from a ‘notifiable data breach’.
In each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach and no unauthorised breach has been determined. In all instances of data breaches reported by the Chief Executive Medicare, the Department of Human Services took action to correct the affected My Health Records.
When a person’s health information is stored in different places – hospitals, doctors’ offices, filing cabinets, computers – they don’t know who is accessing it or when. In a My Health Record, every access is listed in a persons’ record access history. A person can be notified by text message about who is accessing their record or restrict access to all or parts of their record.
If a person feels someone has looked at their record when they shouldn’t have, they can call on 1800 723 471 and the Australian Digital Health Agency will investigate immediately. It is criminal for someone to have unauthorised access to a record, and serious penalties apply.
Here is the link:
Changing topics, the report of the usage of the system, highlighting that less than 1/6 of those individuals currently with a record had actually accessed the portal for any reason whatsoever over a full year – even to check if that they are lucky enough to have one – or not, is revealing. Note this is less than 4% of the whole population who have felt the need to access their record – and probably much less given the very few who actually use the system probably have multiple log-on episodes.
Just why the ADHA will not release useful and worthwhile usage stats is a mystery – we know they have them from the Board Minutes – and basically confirms the system is a flop and totally uninteresting or useful to most. That the move to opt-out is being inflicted on us all just confirms what a popular failure it is.
Enough said.
David.

8 comments:

Anonymous said...

These were discovered manually through sample testing. The ADHA has no real way of checking these. It is either authorised access or failed attempt. That is only the tip of what lays under the surface. This will be a telling year and will be interesting what rats stay with the ship.

Anonymous said...

You would have to assume that the opt out numbers must be around 2million based on when 1.2 million where grudgingly produced.

Bernard Robertson-Dunn said...

Sydney Criminal Lawyers aren't impressed with the thing:

Dozens of Breaches of the My Health Record Database Have Already Been Recorded

https://www.sydneycriminallawyers.com.au/blog/dozens-of-breaches-of-the-my-health-record-database-have-already-been-recorded/

'However, Dr Bernard Robertson Dunn, who chairs the health committee at the Australian Privacy foundation, asserts there are significant flaws in the way the scheme has been set-up, including the fact that it is vulnerable to any deficiencies in external hospital systems, practices and procedures.

This, he states, is additional to concerns regarding infiltration of the government database itself.

“So… [he explains] there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred”. '

And remember, this is not a bug; uploading from and downloading data to other systems is a design feature.

Andrew McIntyre said...

Access to such a huge centralized database should be controlled with individual PKI keys, but they are being phased out anyway. Never mind that as the signing keys on the usb keys were wrongly setup and can be used without a password, reducing the authentication to a single factor! They did not appear concerned when we advised them of this huge stuff up. Basically possession of a individual key for a few seconds would allow you to digitally sign something like a script without knowing the passphrase! If this is the level of quality of security my confidence level in the security of MyHR is very low.

Anonymous said...

@8:00AM. You kidding surely? How would this pass even a basic TRA. And more concerning is the way good advice is brushed away seemingly without little care.

Anonymous said...

There's two things this government hasn't yet realized.

My Health Record is not fit for purpose, any purpose

The ADHA is incapable of doing anything about it. Not support it, not change it

Watch out for rats leaving the sinking ship. They'll be in the best lifeboats.

Anonymous said...

Why should I bother to watch out for rats leaving a sinking ship. Surely it won't affect me, will it?

Anonymous said...

It depends if you care what happens to My Health Record and healthcare in Australia.
The sooner it sinks the better for everyone, except those who have a vested interest in My Health Record as a thing, not a means of achieving improved healthcare.