Daily Bulletin


The Conversation

  • Written by Robert Merkel, Lecturer in Software Engineering, Monash University

The Australian government is digitising the country’s health system, but a serious Medicare security breach suggests we may not be ready.

The Australian Federal Police are investigating after the Guardian discovered that the Medicare card details of Australians were available for purchase on the “dark web”.

The dark web – a collection of websites that are only accessible through anonymising systems such as Tor – allows vendors to remain largely hidden from law enforcement. There is a long-standing trade in illicit goods and services, including hacked personal data, on eBay-like dark web marketplaces.

As journalist Paul Farrell pointed out, criminal groups can use Medicare numbers to create fake Medicare cards with the details of real people. In combination with other personal information, these cards, or simply the Medicare numbers themselves, could be used to commit a wide variety of fraud.

The Medicare system has security issues, but the number of fallible people and systems who will have access to our medical records in the future is also concerning.

Security weaknesses

It is not yet clear how the Medicare details were obtained. In a press conference on Tuesday, Minister for Human Services Alan Tudge said he had been advised “that there has not been a cyber security breach of our systems as such, but rather it is more likely to have been a traditional criminal activity”.

He would not explain what “traditional criminal activity” might include, but emphasised that the Medicare details available were insufficient to gain access to personal health records.

In my view, the Department of Human Services’ (DHS) Health Professional Online Services (HPOS), which provides health professionals with access to Medicare details, has weaknesses in its security.

HPOS is an online system for healthcare and disability service providers, such as medical practices, to interact with the department, including by electronically submitting Medicare claims. It can also be used to find a patient’s Medicare card number based on their name and date of birth.

Any staff member at a healthcare provider with an HPOS login, as well as somebody’s name and date of birth, can look up the Medicare number of anyone in Australia. This matches the details requested from Farrell by the dark web vendor.

Importantly, the mechanism for protecting HPOS from unauthorised logins does not follow modern security practices. Logins to HPOS are managed through another online system called Provider Digital Access (PRODA). This was recently rolled out as an alternative to the Human Services Public Key Infrastructure (PKI) certificates that also give access to online services.

PRODA uses “two-factor authentication” to, in theory, ensure that simply stealing a username and password is insufficient to gain illicit access.

Many people are now familiar with two-factor authentication codes sent via SMS when using online banking, or authentication apps on smartphones that generate a secret code used to log in. PRODA offers both options. However, it also supports sending the code via email.

Even SMS-based two-factor authentication has security problems sufficient for the US National Institute of Standards and Technology to no longer recommend it for new systems. However, it is much better than email-based two-factor authentication. Sending a “secret token” via email is almost completely useless as a security measure.

Any compromise of a computer used for HPOS access, which gives a criminal access to the PRODA username and password, would likely give access to the email account to which the PRODA authentication codes are sent. Subsequent accesses to HPOS by the criminal would merely require them to use the stolen username and password, and to monitor the compromised email account.

In response to a request for comment, a DHS spokesperson said HPOS was designed “with security at the forefront”.

“Health providers must undergo a stringent registration process to gain access to HPOS,” she said in an email. “Access is granted to individuals (not to whole medical practices) when they have proven their credentials.

“The department treats the security of personal data extremely seriously and conducts thorough investigations into any claims of misuse.”

Medicare numbers and mission creep

The technical flaws in HPOS and PRODA can probably be fixed over time. However, this may not be sufficient to protect Medicare numbers.

At its foundation, HPOS gives thousands of potentially corruptible and fallible humans, at locations across the country with variably maintained IT systems, access to Medicare numbers.

Even if the department’s systems can be secured, Medicare numbers are also stored on the practice management systems of those thousands of providers.

As such, keeping them completely secure from criminals with the scent of Bitcoins in their nostrils is likely an exercise in futility.

Rather than insisting on perfect security for an insecure number, it may be more fruitful to limit the harm from its misuse. Medicare cards, for instance, can be used as part of a 100-point ID check. Perhaps it’s time to consider whether this kind of extended use is appropriate.

My Health Record: a security challenge

Over the next few years, the scope of medical information held by the federal government will expand greatly.

My Health Record is a program for a centralised, electronic medical record. While it is currently an opt-in system for most Australians, in 2018 it will switch to an “opt-out” model.

Medical professionals can access patient details from My Health Record without patient authorisation in an emergency, and the system faces many of the same personnel and organisational risks as HPOS.

The sheer number of people and systems with access makes it almost impossible to keep this much more sensitive data wholly secure, regardless of the detailed technical protective measures taken.

The Medicare data breach, as serious as it is, is also an advance warning of the much greater risks we are about to run.

For what it’s worth, I opted out of My Health Record for my daughter after her birth, and will do the same for myself when it’s rolled out nationally.

Authors: Robert Merkel, Lecturer in Software Engineering, Monash University

Read more http://theconversation.com/after-the-medicare-breach-we-should-be-cautious-about-moving-our-health-records-online-80472
