After Medicare breach we should be wary about moving health records online

By | | |
Minister for Human Services Alan Tudge did little to quell fears about public data security (Image via @techAU)

The Australian Government is digitising the country’s health system, but a serious Medicare security breach suggests we may not yet be ready, writes Monash University's Robert Merkel.

THE AUSTRALIAN FEDERAL POLICE are investigating after the Guardian discovered that the Medicare card details of Australians were available for purchase on the “dark web”.

The dark web – a collection of websites that are only accessible through anonymising systems such as Tor – allows vendors to remain largely hidden from law enforcement. There is a long-standing trade in illicit goods and services, including hacked personal data, on eBay-like dark web marketplaces.

As journalist Paul Farrell pointed out, criminal groups can use Medicare numbers to create fake Medicare cards with the details of real people. In combination with other personal information, these cards or simply the Medicare numbers themselves, could be used to commit a wide variety of fraud.

The Medicare system has security issues, but the number of fallible people and systems who will have access to our medical records in the future is also concerning.

Security weaknesses

It is not yet clear how the Medicare details were obtained.

In a press conference on Tuesday, Minister for Human Services Alan Tudge said he had been advised

“... that there has not been a cyber security breach of our systems as such, but rather it is more likely to have been a traditional criminal activity."

He would not explain what “traditional criminal activity” might include, but emphasised that the Medicare details available were insufficient to gain access to personal health records.

In my view, the Department of Human Services’s (DHS) Health Professional Online Services (HPOS), which provides health professionals with access to Medicare details, has weaknesses in its security.

HPOS is an online system for healthcare and disability service providers, such as medical practices, to interact with the Department, including by electronically submitting Medicare claims. It can also be used to find a patient’s Medicare card number based on their name and date of birth.

Any staff member at a healthcare provider with a HPOS login as well as somebody’s name and date of birth can look up the Medicare number of anyone in Australia. This matches the details requested from Farrell by the dark web vendor.

Importantly, the mechanism for protecting HPOS from unauthorised logins does not follow modern security practices. Logins to HPOS are managed through another online system called Provider Digital Access (PRODA). This was recently rolled out as an alternative to Human Services Public Key Infrastructure certificates (PKI) that also give access to online services.

PRODA uses “two-factor authentication” to, in theory, ensure that simply stealing a username and password is insufficient to gain illicit access.

Many people are now familiar with two-factor authentication codes sent via SMS when using online banking, or authentication apps on smartphones that generate a secret code used to log in. PRODA offers both options. However, it also supports sending the code via email.

Even SMS-based two-factor authentication has security problems sufficient for the US National Institute of Standards and Technology to no longer recommend it for new systems. However, it is much better than email-based two-factor authentication. Sending a “secret token” via email is almost completely useless as a security measure.

Any compromise of a computer used for HPOS access, which gives a criminal access to the PRODA username and password, would likely give access to the email account to which the PRODA authentication codes are sent. Subsequent accesses to HPOS by the criminal would merely require them to use the stolen username and password, and to monitor the compromised email account.

In response to a request for comment, a DHS spokesperson emailed o say that HPOS was designed 'with security at the forefront'.

The statement continued:

Health providers must undergo a stringent registration process to gain access to HPOS. Access is granted to individuals (not to whole medical practices) when they have proven their credentials.

The department treats the security of personal data extremely seriously and conducts thorough investigations into any claims of misuse.

Medicare numbers and mission creep

The technical flaws in HPOS and PRODA can probably be fixed over time. However, this may not be sufficient to protect Medicare numbers.

At its foundation, HPOS gives thousands of potentially corruptible and fallible humans, at locations across the country, with variably-maintained IT systems, access to Medicare numbers.

Even if the Department’s systems can be secured, Medicare numbers are also stored on the practice management systems of those thousands of providers.

As such, keeping them completely secure from criminals with the scent of Bitcoins in their nostrils is likely an exercise in futility.

Rather than insisting on perfect security for an insecure number, it may be more fruitful to limit the harm from its misuse. Medicare cards, for instance, can be used as part of a 100-point ID check. Perhaps it’s time to consider whether this kind of extended use is appropriate.

My Health Record: a security challenge

Over the next few years, the scope of medical information held by the Federal Government will expand greatly.

My Health Record is a program for a centralised, electronic medical record. While it is currently an opt-in system for most Australians, in 2018 it will switch to an “opt-out” model.

Medical professionals can access patient details from My Health Record without patient authorisation in an emergency, and the system faces many of the same personnel and organisational risks as HPOS.

The sheer number of people and systems with access makes it almost impossible to keep this much more sensitive data wholly secure, regardless of the detailed technical protective measures taken.

The Medicare data breach, as serious as it is, is also an advance warning of the much greater risks we are about to run.

The ConversationFor what it’s worth, I opted out of My Health Record for my daughter after her birth and will do the same for myself when it’s rolled out nationally.

Robert Merkel is lecturer in software engineering at Monash UniversityThis article was originally published on The Conversation. Read the original article.

Monthly Donation


Single Donation


Subscribe to IA. It's a good move.

Recent articles by The Conversation
Albanese Government restarts water buybacks to save environment

Labor has announced a strategy to recover much-needed water for the environment ...  
La Niña could become the norm for Australia

Climate change is slowing down the conveyor belt of ocean currents that brings ...  
Big data: How we are being watched — all the time

Surveillance expert Ausma Bernot explains the many ways in which we are consta ...  
Join the conversation
comments powered by Disqus

Support Fearless Journalism

If you got something from this article, please consider making a one-off donation to support fearless journalism.

Single Donation


Support IAIndependent Australia

Subscribe to IA and investigate Australia today.

Close Subscribe Donate