Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record, it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Sunday, March 17, 2019

It Seems The #myHealthRecord And The Parliamentary Network Have a Similar And Hard To Fix Vulnerability.

This appeared a few days ago.

MPs make security hard, says the Department of Parliamentary Services

DPS says “variety of software and services utilised by parliamentarians” makes it hard to implement ASD’s ‘Essential Eight’
Rohan Pearce (Computerworld) 15 March, 2019 12:19
The variety of applications and services employed by MPs and their staff present a security challenge that is probably unique across the federal public sector, according to the Department of Parliamentary Services.
In a letter to a parliamentary committee scrutinising the cyber resilience of a number of Commonwealth entities, the department’s secretary, Rob Stefanic, said that DPS has faced limitations on its ability to implement the Australian Signals Directorate’s ‘Essential Eight’ security strategies.
The ASD in late 2017 unveiled the Essential Eight, building on the mandatory ‘Top 4’ mitigation strategies that the organisation says could prevent the overwhelming majority of security incidents it responds to. The Top 4 comprise OS and application patching, application whitelisting, and locking down administrative privileges based on user duties.
On top of those four, the Essential Eight adds limiting the use of Microsoft Office macros, using multi-factor authentication, daily backups, and user application hardening.
The challenge faced by the DPS is the heterogeneous collection of applications and services employed by MPs and their staff, according to Stefanic.
Lots more here:
Of course the myHR has many more contact points, terminals and portals, running all sorts of different software and used by people of highly variable skill at recognising issues such as phishing!
Worse than this, there are stories circulating of trainers in practices and pharmacies suggesting that anyone who is authorised by a practice or pharmacy (desk staff, sales clerks etc.) can access the myHR.
This has always been a vexed topic regarding just who can and who can't access a remote terminal / portal.
This link is useful in this regard:

Roles and responsibilities

The Healthcare Identifier (HI) Service and the My Health Record system require people working in Seed Organisations to be assigned to roles, which authorise them to carry out certain actions. The roles recognise the different responsibilities in an organisation from administration through to healthcare provision.

Understanding the Seed and Network organisations structures

Healthcare provider organisations participate in the My Health Record system either as a Seed Organisation only or as a Network Organisation that is part of a wider ‘network hierarchy’ (under the responsibility of a Seed Organisation).

A Seed Organisation is a legal entity that provides or controls the delivery of healthcare services. A Seed Organisation could be, for example, a local GP practice, pharmacy or private medical specialist.

An example of a Network Organisation could be an individual department (e.g. pathology or radiology) within a wider metropolitan hospital. A network hierarchy operating in the My Health Record system consists of one Seed Organisation and one or more Network Organisations.

The majority of Healthcare Provider Organisations in Australia are independent – for example, suburban GP practices, pharmacies, private health specialists, or allied health care organisations. They will most likely participate in the My Health Record system as an independent Seed Organisation, rather than part of a network hierarchy.
Your Seed Organisation will identify staff for two key roles – the Responsible Officer (RO) and the Organisation Maintenance Officer (OMO). An OMO can also be identified for a Network Organisation.
Here is the link:
Unless I misread badly, basically anyone the organisation authorises can do pretty much anything they wish, and can certainly look up private personal information etc.
These paragraphs seem pretty clear:

“Other digital health roles and responsibilities

Healthcare Provider (HPI-I): a healthcare provider with a valid HPI-I is able to perform all functions within the MHR, except the administration functions that are managed by the RO or OMO.
Authorised Employee (HI Service): an individual within an organisation who requires access to IHI records and provider identifiers from the HI Service to assist with patient administration.
Authorised Employee (My Health Record system): a person authorised by a healthcare organisation to access the My Health Record system on behalf of the organisation. Authorised users may be individual healthcare providers and other local users who have a legitimate need to access the My Health Record system as part of their role in healthcare delivery.
The table below outlines the different roles, examples of the types of employees who may fulfil each role within a General Practice, and some of the actions which a person in that role is able to carry out.”
It is up to the “Boss” to decide who does what and who can do what.
Think about just what this might mean in practice for privacy and security. In passing, just how many do you think grasp the risks and complexity of all this?
David.

3 comments:

Anonymous said...

Perhaps the ADHA would like to make public the ASD evaluation of them against the Essential Eight. Just saying, it would not make for comforting reading.

Bernard Robertson-Dunn said...

The lawyers are already getting ready for their day in court.....

My Health Record: Ins and outs

https://www.liv.asn.au/Staying-Informed/General-News/General-News/March-2019/My-Health-Record--Ins-and-outs

"... legal practitioners will need to take the time to become familiar with the system and consider the risks and opportunities for our clients."

Opportunities? sounds ominous.

Anonymous said...

They will need to be quick, Bernard; only the Digital Health Agency can be sued. I don’t see that organisation being around for more than 18 months.