Concerns about the security of medical records have re-emerged in the wake of the 31 January conclusion of the My Health Record (MHR) opt-out period.
All Australians who did not opt out will now be given an MHR, consolidating their electronic medical history into a single record that is accessible by healthcare practitioners within a range of service-delivery contexts.
The need to protect that data has been an ongoing concern for privacy bodies and others, who have lobbied the government for watertight restrictions about who can access the records and under what circumstances.
Security concerns were again raised at the end of December, when an Australian Digital Health Agency annual report revealed that the system suffered 42 data breaches during 2018.
Healthcare organisations face an increased burden to maintain the privacy of the MHR data, Proofpoint Asia-Pacific and Japan vice president Tim Bentley warned, noting that today’s cybersecurity attacks “primarily target people, including doctors, nurses, and administrators, rather than infrastructure, to access data.”
Often, he said, very attacked people (VAPs) are employees who have high degrees of access to sensitive information, such as clinical researchers and pharmaceutical directors. “These individuals are likely more vulnerable due to their level of privilege and access to easily monetised content,” Bentley said.
Such vulnerabilities reinforced the importance of continuing user training and phishing simulations to make sure that errant clicks on malicious emails don’t compromise data or interrupt services at healthcare organisations – as famously occurred in 2016 when the Royal Melbourne Hospital was pushed back to manual processing after a virus attack.
Mark Perry, APAC chief technology officer with Ping Security, sees the ongoing compromise of healthcare credentials as a sign that conventional methods of identity – based, as is MHR, on documents such as birth certificates, drivers’ licences, Medicare numbers, and similar documents – “can no longer be considered ‘secret’ or ‘protected’.”
“Data breaches, social engineering and the non-secure handling of objects that identify who people are have made it increasingly easy for cybercriminals to impersonate victims,” he said, “for nation-state operators to fool targets into providing credentials, and for anyone to purchase personally identifiable information on the dark web.”
“The only path forward is a complete rethink and rebuild of our identity system, and the My Health Record is a timely reminder of the need to protect your identity from birth.”
A recent Unisys survey suggested that a third of Australians are still uncomfortable with the idea of committing their personal information to a centralised database of electronic health records.
Recognising the transition continues to throw up challenges, UNSW Canberra cyber director Nigel Phair was calling for another delay to the opt-in period so the government “can spend more time explaining to Australians what it means to participate in the digital economy, particularly with respect to an e-health record.”
Such participation necessarily includes a more proactive approach to controlling personal data held in the system, with Aura Information Security’s Australian country manager, Michael Warnock, warning that demonstrated markets for healthcare data had shown how easily healthcare data can be monetised.
That made MHR “a timely reminder for the community at large to stop and think about how they can improve the security of their own personal data,” he said. “This involves knowing the different types of personal data you have provided to a third party and its criticality to your own privacy should that third party suffer a data breach.”
Phil Kernick, chief technology officer with CQR Consulting, continued to argue the merits of alternatives to MHR – such as chip-based Medicare cards capable of carrying a patient’s medical history – and predicted that widespread citizen reprobation could take the wind out of the program’s sails.
“Once data is exposed it can’t be put back in the box,” he warned, “and the idea that personal information won’t be compromised, or misused, simply because of legislation or monetary fines is fanciful at best.”