Serious security and privacy problems with My Health Record are inevitable, an IT security expert tells parliamentary inquiry
IT experts have challenged assurances that an alleged theft of Medicare numbers has no bearing on the security of the My Health Record.
Monash University lecturer Robert Merkel, a specialist in software testing and fault analysis, told a parliamentary inquiry last week that he believed the most likely source of the breach was the Department of Human Services’ HPOS system, which doctors log into via the PKI or PRODA channels.
He said he was concerned that ease of access for health practitioners had taken priority over security in the design of the health IT system, leading to the breach which resulted in Medicare numbers being offered for sale on the internet.
“Without going into the details of the weaknesses, both of those systems are less secure than they should be, and in the case of PRODA, the weaknesses are a plausible means by which criminals could gain illegitimate access to Medicare details,” he said.
Dr Merkel said the HPOS system seemed to demonstrate a “disconnect” between decision-makers and IT security expertise.
“Secondly, it prioritises convenience for healthcare providers over IT security,” he said.
“So I’m concerned that these two factors are likely to apply, or are, indeed, already baked into the design of the My Health Record. I think that serious security and privacy problems with My Health Record are inevitable.”
Paul Power, an IT consultant and principal of eHealth Privacy Australia, said reliance on a centralised data base with more than 100,000 legitimate access points made the MyHR system difficult to defend.
“The possibility of securing over 100,000 GP PCs is close to zero, which means the probability of it being hacked is close to 100%,” he said.
“With respect to general practitioners, their cyber security is not world class,” he said.
Officials from the Australian Digital Health Agency and the DHS also gave evidence at Friday’s hearing of the Senate Finance and Public Administration References Committee.
They said the data breach, revealed in the media in early July, had no relationship to the MyHR.
Caroline Edwards, deputy secretary of health and aged care at DHS, said the intrusion appeared to be the work of “person or persons” illegally tapping into the channel used by doctors to access Medicare numbers.
“We are clear that it was not a cyberattack in the sense of a hack into the back-end of our systems. It’s also clear it wasn’t an internal DHS officer accessing systems inappropriately,” Ms Edwards told the committee.
“It appears to have been an external person or persons making an illegitimate use of a legitimate channel by which providers access Medicare numbers when they need them.”
ADHA chief Tim Kelsey said a Medicare number was only one of five pieces of information, including a patient’s individual health identifier, on top of conformance software and certifications, needed to access the MyHR data base.
RACGP and AMA representatives told the inquiry that it was important to make sure that any response to the data breach did not make access to the MyHR system more difficult for GPs and patients.
Dr Rob Hosking, deputy chair of the RACGP’s EHealth and Practice Systems Committee, said he understood security for MyHR access at the practice end and the government data base end was “generally pretty good”.
“There is quite a difficult process to get involved. To create more barriers would turn more people away. I think there are a number of practices who haven’t participated, because it is quite difficult and onerous to get on board at the moment,” Dr Hosking said.