Online health records at risk from malware

It's the same problems as banking, but different, says AusCERT

AusCERT general manager Graham Ingram has questioned the wisdom of Australia's National E-Health Strategy plans to make medical records available online, pointing to the difficulty of securing end-users' computers.

"I do not believe that personal health records should be available over the internet to end machines until they can secure them," Ingram told the Security 2011 Expo and Conference in Sydney this week.

"If I had a machine in a Medicare office that I could go into that was dedicated to that function, I'd be happy with that. But popping on my home machine or the Qantas lounge and looking at my health records is not something that I am going to be ecstatic about."

Online banking led to phishing attacks, says Ingram, and that led in turn to more sophisticated malware that relied on social engineering techniques and thence to advanced persistent threats (APTs) or, as Ingram prefers to call them, covert enterprise intrusions (CEIs). He envisages the same evolution playing out in attacks on health records.

One scenario could be an attacker noting that someone's record lists a peanut allergy, and changing that.

"Maybe that's on the paranoia end, and maybe I've no reason to have that paranoia," Ingram said, but nevertheless he is concerned that it would be possible to view someone's health records through simple attacks.

"The e-health people say, 'No, our databases are secure.' That's not what I'm talking about. They don't seem to get that," Ingram said. "They seem to think that if we can secure the back-end databases they've secured the system. No you haven't."

According to Ingram, banks now assume that transactions might be compromised, and employ sophisticated algorithms to help detect and prevent fraud. This can include introducing delays in processing to allow time for investigation. That might not be as easy to do with health records, which might be acted upon in real-time emergencies, with potentially fatal consequences if mistakes are made.

"The successful attack is now almost guaranteed," Ingram said. "How do you then start to say, 'How can I reduce the damage from a successful attack? How can I detect it and mitigate it?'"

Contact Stilgherrian at, or follow him on Twitter at @stilgherrian.
