Telstra on defensive as reverse-engineering of Medicare data highlights healthcare-security risks

Submissions caution against putting private healthcare data into hands of profit-minded outsourcer

The security of Australians' healthcare information came under the spotlight this week after the federal Department of Health pulled a massive dataset of Medicare-related information, and Telstra faced concerns that it lacks the cybersecurity credentials to support a major contract it was awarded earlier this year.

A large deidentified dataset was released earlier this year to give researchers material for analysing prescribing and service-consumption patterns under the Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS), which the department administers on behalf of all Australians.

Patient and provider ID numbers in the dataset were encrypted using the original PIN and ID numbers themselves as the seeds. A University of Melbourne research team – cryptography experts Dr Vanessa Teague, Dr Christopher Culnane and Dr Benjamin Rubinstein of the university's Department of Computing and Information Systems – raised the alarm this week after working through 10 percent of the data and finding that it was possible to decrypt some of the service provider identification numbers. Seeding the encryption with the ID itself means there is no independent secret: anyone who works out the transform can test candidate IDs against the published values, and the space of valid provider numbers is small enough to enumerate.
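The following is an added illustrative example and is not the department's scheme or the Melbourne team's code. It contrasts a deterministic pseudonym whose only secret is the identifier being protected (recoverable by enumerating the ID space once the transform is known) with a keyed pseudonym computed under a secret held by the data custodian, which stays linkable within the release but cannot be recomputed without the key. The 5-digit numeric ID space, the fixed keys and the SHA-256 construction are all assumptions made for the demo.

```python
"""Added illustrative example: keyless (self-seeded) pseudonyms versus keyed
pseudonyms for identifiers in a released dataset. Not the Department of
Health's scheme; the ID format and keys below are constructed for the demo."""
import hashlib
import hmac
from typing import Optional

# Assumption: provider IDs are 5-digit numbers, so an attacker can enumerate them all.
ID_SPACE = range(0, 100_000)

# Fixed keys so the demo is reproducible. A real custodian would generate the
# key with secrets.token_bytes(32) and keep it out of the released dataset.
PUBLISHER_KEY = bytes.fromhex("00" * 31 + "01")
ATTACKER_GUESS = bytes.fromhex("ff" * 32)


def weak_pseudonym(provider_id: int) -> str:
    """Deterministic, keyless transform seeded by the ID itself.
    Linkable (same ID -> same token), but the only 'secret' is the input."""
    seed = str(provider_id).encode()
    return hashlib.sha256(seed).hexdigest()[:16]


def recover_weak(pseudonym: str) -> Optional[int]:
    """Dictionary attack: recompute the known transform over every candidate ID
    and stop at the first match. Cost is one hash per candidate."""
    for candidate in ID_SPACE:
        if weak_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def keyed_pseudonym(provider_id: int, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the data custodian.
    Still linkable within the release, but recomputing it requires the key."""
    return hmac.new(key, str(provider_id).encode(), hashlib.sha256).hexdigest()[:16]


def recover_keyed(pseudonym: str, key_guess: bytes) -> Optional[int]:
    """The same dictionary attack against the keyed scheme. It succeeds only if
    key_guess is the publisher's key; under any other key every candidate maps
    to an unrelated token, so enumerating the ID space yields nothing."""
    for candidate in ID_SPACE:
        if keyed_pseudonym(candidate, key_guess) == pseudonym:
            return candidate
    return None


def demo(real_id: int = 42_017) -> dict:
    """Run both schemes on one provider ID and report what an attacker who
    knows the algorithm but not the key can recover."""
    weak_token = weak_pseudonym(real_id)
    keyed_token = keyed_pseudonym(real_id, PUBLISHER_KEY)
    return {
        # Keyless scheme: the attacker gets the real ID back.
        "weak_recovered": recover_weak(weak_token),
        # Keyed scheme: the custodian can still re-identify for audit or correction.
        "keyed_recovered_with_key": recover_keyed(keyed_token, PUBLISHER_KEY),
        # Keyed scheme: the same attack without the key fails.
        "keyed_recovered_without_key": recover_keyed(keyed_token, ATTACKER_GUESS),
        # Linkability for researchers is preserved: the same ID yields the same token.
        "keyed_linkable": keyed_pseudonym(real_id, PUBLISHER_KEY) == keyed_token,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A keyed pseudonym fixes reversibility by enumeration, not every re-identification risk: tokens in a release are still linkable to each other, so rare combinations of attributes can single out a provider or patient regardless of how the ID was transformed. That residual risk is why the usual recommendation is to publish pseudonymised unit-record data only under controlled access rather than as an open download.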

“The dataset does not include names or addresses of service providers and no patient information was identified,” the department said in a statement on the matter that noted the department had pulled the data set and would be undertaking a “full, independent audit of the process of compiling, reviewing and publishing this data”. The data set would only be restored “when concerns about its potential vulnerabilities are resolved,” the department said.

The findings have raised concerns at the Office of the Australian Information Commissioner (OAIC), where Australian privacy commissioner Timothy Pilgrim said in a statement that he had opened an investigation into the issue that would assess the adequacy of departmental processes for deidentifying information before it is published.

Although the Department of Health was quick to point out that no confidential healthcare information had been compromised, such incidents highlight ongoing concerns about the industry's ability to aggregate healthcare information securely. Telstra faced similar concerns this week as it fronted a Parliamentary inquiry into the awarding of a $220m cancer-screening register contract earlier this year.

The win – which is to be enabled by the National Cancer Screening Register Bill 2016 – was a coup for the company's Telstra Health subsidiary, which was founded in 2013 as a standalone business unit and acquired several companies to bolster its capabilities in digital healthcare management.

The company's for-profit nature and relative inexperience in handling such sensitive data raised concerns across the healthcare fraternity, which addressed data security as a key concern around the registry in the 23 submissions received to date.

Noting “a lack of transparency around the process for awarding this contract” – particularly to an organisation with no experience in operating “registries of this kind” – the Australian Medical Association said in its submission to the inquiry that it “would be more comfortable” if the registry were operated by government, a tertiary institution, or a not-for-profit entity “that has little interest in how the data in the register might otherwise be used”.

Security advocates have echoed these concerns about the choice of Telstra given its history of breaches, such as the one the OAIC ruled on in March 2014 and the December 2011 breach in which the company published the personal information of around 734,000 customers online.

The OAIC flagged concerns about the security of register data in its submission to the Parliamentary inquiry, noting that the wording of the bill appears “to authorise the use of personal information in the Register for research purposes without specifically requiring compliance with” Privacy Act controls on the use of healthcare data for research.

The OAIC submission also suggested that additional controls – including mandatory rules on reporting and handling data breaches – might need to be applied to the arrangement “since the collection and retention of large amounts of sensitive health information in a centralised database can pose a number of security and privacy risks, particularly if the database can be accessed from many access points”.

Pathology Australia noted in its submission that the for-profit nature of Telstra Health “does not exempt them from the privacy and legislative requirements for the implementation” of the registry. Data breaches – of which “human nature would expect there to be a small number” – should be headed off with a “stronger deterrence effect” as well as penalties for a breach that are “appropriate and of a significant amount”.

Other submissions echoed similar themes, with expectations of strong controls around the privacy of personal data and promotion of strong penalties and reporting requirements around breaches of the register that might occur.

Healthcare information remains a major target for data thieves: recent half-year figures from security firm Gemalto's Breach Level Index suggest that healthcare organisations account for 27 percent of all data breaches globally and 5 percent of all records stolen, up 25 percent over the previous six months. Some 64 percent of data breaches involved identity and personal data theft, the report warned.

Other recent Gemalto research found that 69 percent of surveyed organisations said they weren't confident their organisation's data would be secure if their perimeter security was breached.

By David Braue, CSO Australia