29 September 2017
Dr Ayman Shenouda
Cybersecurity in healthcare
The recent darknet Medicare breach came only a few months after the UK malware attack on the NHS that locked its systems. You would expect the focus of authorities on potential threats to be high given the fallout from that. But we’re told the Government only became aware of the darknet issue from the media. And that it had been there a while too: the data had been for sale on the darknet auction site for nearly nine months. So, while 75 Australians had their Medicare details sold, it appears neither the Department nor our security services were actively monitoring this posting.
We clearly need to get better at this. The Government had already demonstrated through the botched handling of the 2016 Census how unready it really was when it comes to predicting even the most predictable of attacks. The ABS website was crashed by a series of DDoS attacks which shut the census website down for nearly two days. Unfortunately, successive security and data breaches from government agencies like these only serve to undermine public trust.
Risks and benefits
Digitalisation of healthcare is a positive innovation but it comes with certain risks. It is a simple fact that the value of healthcare data makes our system more vulnerable to privacy breaches. You could say that publishing data of any kind potentially holds great risk to privacy. But certainly, the benefits in terms of service planning and health research outweigh those risks. It all comes down to how risks are managed so as not to stifle policy or undermine public trust.
If we want to achieve a more integrated healthcare system then the only way forward is through enabling policies. The integration solution lies in policies such as those being pursued through the My Health Record.
We know the risks to our healthcare system and organisations from data theft attacks are becoming more common. As in health, prevention is always better than a cure and on this issue, the approach is the same. The focus here needs to be not only on how governments handle our personal information but also on how providers can be better supported to ensure organisational readiness.
My Health Record
There are a number of policy implications in terms of increased health information technology-based reforms. As the complexity of health services increases, the number of entities involved will increase and with that comes more risk around potential privacy breaches. We’re on the cusp of implementing long-awaited reform through the rollout of opt-out participation of the My Health Record system. It’s important to ask if this latest breach has shifted patients’ perceptions or altered their digital trust in moving forward on this policy.
We know that a Medicare card number alone is not enough to access a patient’s My Health Record. The official website reassures us that My Health Record is a secure online summary of a patient’s health information. That it is up to you what goes into it, and who is allowed to access it. While that last statement may be true, how well can this containment really be controlled?
Meanwhile, take-up in the pre-implementation phase of the opt-out My Health Record seems quite promising. The official stats show that almost 21 percent of Australians have already registered. The web page boasts that over 5 million people already have a My Health Record, with an average of 1 new record being created every 38 seconds. As with any good policy news, you can even follow progress with a helpful link provided: Keep up-to-date with the latest statistics on the My Health Record here.
Digital trust and implications for My Health Record
The Senate Finance and Public Administration References Committee Inquiry in August following the dark web breach has brought some new perspectives to the issue of digital trust. The 13 submissions provide some valuable insights, some of which I’ve summarised below.
The first cab off the rank, the Centre for Internet Safety, certainly didn’t hold back on the implementation of My Health Record, stating that the shift to an opt-out system ‘has done little to quell public anxiety surrounding the placement of sensitive health details into the online world’. It was also critical of the Government’s communication strategy, which it says has not managed to convince on matters of security. This, combined with the constant reporting of breaches, is all contributing to diminished trust, safety and confidence.
Their submission also states that the promotion of privacy issues and the importance of the protection of personal information is critical to the ongoing functioning of the online environment. To secure buy-in, it is important to create ‘benefit profiles’ alongside these new technology projects to truly test measures of ‘consumer trust, safety and confidence in the intended service delivery’. In terms of My Health Records, they warn uptake will be very slow unless the Department can adequately address the trust, safety and confidence benefits and competently communicate these to the public.
The Australian Information Commissioner’s input provided some useful guidance, stating that ‘the use of personal information should be necessary, proportionate and reasonable to achieve the policy goals’. The Privacy Impact Assessment (PIA) is a policy tool designed to assist agencies to consider these matters by measuring possible impacts on the privacy of individuals. The Commissioner stated that, in the case of the Medicare breach, a PIA would have highlighted privacy impacts associated with accessing Medicare card numbers through an online portal environment. Importantly, it would have identified any further proactive measures required to mitigate those impacts.
Both the RACGP and the AMA do not believe this latest breach will have any implications for the My Health Record roll-out. The University of Western Australia, while outlining the value of Medicare identification information to a criminal – identity fraud, prescriptions to obtain painkillers and possibly S8 medications as well as to divert Medicare rebate payments from a legitimate account to a false one – also states that motivations to access My Health Records or medical records of any kind are less likely.
Importantly, the RACGP highlighted that even with preventative measures in place, real risks persist for any organisation in terms of internal or external data breaches in an interconnected world. There are College resources to support GPs to minimise risks including the RACGP Computer information security standards (CISS). It states that those practices implementing the cybersecurity and privacy guidance provided here are less vulnerable to a data breach.
Both the Department of Health and the System Operator of the My Health Record System, the Australian Digital Health Agency, state that it is important to note that illegally obtained Medicare card numbers are not sufficient on their own to provide access to clinical records or an individual’s My Health Record.
The System Operator appropriately provides a detailed response to the impact on the rollout from the Medicare information breach. Reassuringly, it states that security and operation of the system protect against the unauthorised disclosure of health information from the My Health Records for individuals with access to Medicare numbers. Additional information is required to authenticate consumers and healthcare providers. But, despite these reassurances, it is clear in other submissions including those from the University of Melbourne, Deakin University and the University of Newcastle that concerns remain with the My Health Record system and its pending rollout. Future Wise give an excellent technical response to the issue as well as policy solutions in moving forward.
The policy lessons
It is important to see the risks in terms of potential implications to the rollout of the opt-out My Health Record system tested through this consultation. It will be interesting to see what recommendations are made in the Senate Finance and Public Administration References Committee Inquiry in its report due in October. Overall, I think more work needs to be done here with much more focus required on strategies to protect patient data in rebuilding trust.
From these consultations, mechanisms for overseeing and monitoring access seem lacking, as do the required assurances around data storage and controls, and the system-wide capacity to provide the security controls to mitigate risks remains unconvincing. The collective wisdom provided in these submissions will help guide policy to safeguard against further threats in the future. As stated earlier, the success of important reforms including My Health Record comes down to how risks are managed so as not to stifle policy or undermine public trust.