{"id":41465,"date":"2018-08-17T11:32:45","date_gmt":"2018-08-17T01:32:45","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=41465"},"modified":"2018-08-17T11:32:45","modified_gmt":"2018-08-17T01:32:45","slug":"health-providers-security-flaws-will-leave-my-health-record-open-for-hacking","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/health-providers-security-flaws-will-leave-my-health-record-open-for-hacking\/","title":{"rendered":"Health providers\u2019 security flaws will leave My Health Record open for hacking"},"content":{"rendered":"
<\/figure>\n

There\u2019s been a lot of focus on the security arrangements for the My Health Record system. Most of the commentary has been about protecting the data, how secure the platform is for storing the data, and who will have access to the database. But very little attention has been given to the glaring security weaknesses of the health provider systems that will be used daily to access patient information stored in My Health Record.<\/p>\n

In addition to hospitals and large health providers, a range of small providers will be able to register for access to My Health Record. These include not only general practitioners and medical specialists but also allied health professionals such as physiotherapists, speech pathologists, osteopaths, optometrists and dentists. There are many thousands of these small health providers across Australia, and most are small clinics with only a handful of staff.<\/p>\n

The result is an attack surface of hundreds of thousands of endpoints, most of which have virtually no cybersecurity controls in place, operated by staff who have little or no cybersecurity awareness. As an IT service provider with over 14 years\u2019 experience working exclusively with small businesses, including small health providers, I believe these organisations are ill-equipped to provide an acceptable level of security.<\/p>\n

The situation isn\u2019t helped by the fact that, to date, these organisations have never been required to adopt or adhere to a common set of cybersecurity standards. Of course, you could point to the requirements of the Australian privacy principles and the notifiable data breaches scheme, which do apply to health providers. But the reality is that most have only a vague understanding of those rules. Whenever I\u2019ve discussed the privacy principles or the data breaches scheme with the heads of these organisations, most are oblivious to their obligations and consider it an \u2018IT issue\u2019. Certainly, none have ever seen or heard of the guidelines on securing personal information issued by the Office of the Australian Information Commissioner.<\/p>\n

So, with all of this in mind, it would be reasonable to assume that the Australian Digital Health Agency\u2014the body responsible for national digital health services and systems, including My Health Record\u2014has considered this challenge. Perhaps there\u2019s a cybersecurity framework comprising documented minimum standards, a concise, easy-to-understand guide, an education program, a compliance regime, and at least some basic level of monitoring and auditing. The unfortunate reality is that almost none of this is in place.<\/p>\n

Both the Australian Digital Health Agency<\/a> and the My Health Record<\/a> websites have plenty of content on information security for health providers. Typical of many government sites providing cybersecurity information, it\u2019s a dog\u2019s breakfast\u2014a situation highlighted in a recent policy paper published by AustCyber<\/a>.<\/p>\n

The Australian Digital Health Agency website has a page titled \u2018Digital Health Cyber Security Centre<\/a>\u2019 with a box that provides links to six pieces of cybersecurity guidance, ranging from short webpages on using email and social media to guides on ransomware and patching aimed at IT professionals. The most useful of these is the Information Security Guide for small healthcare businesses<\/a><\/em>. The document was put together by Stay Smart Online in 2017 and, although it\u2019s a stretch to call it a guide, it does provide some easy-to-understand information about IT security.<\/p>\n

On the My Health Record website, there\u2019s a section under \u2018For healthcare professionals\u2019 titled \u2018Recognise your privacy and security obligations<\/a>\u2019. Under the heading \u2018Implementing security practices and policies\u2019, there\u2019s a statement that \u2018healthcare organisations that access digital health records need to meet the requirements under the My Health Records Rule\u2019. It includes a link \u2018for a checklist that is based on the requirements outlined in the My Health Records Rule 2016\u2019.<\/p>\n

Someone with enough time and energy to follow the link will then end up on a page titled \u2018Security practices and policies checklist<\/a>\u2019. There they\u2019ll find a \u2018checklist\u2019 that can be \u2018used as a guide to implementing security practices and policies in your healthcare organisation\u2019. The very first point provides an indication of just how useful the checklist is:<\/p>\n