Health providers’ security flaws will leave My Health Record open for hacking 
17 Aug 2018|

There’s been a lot of focus on the security arrangements for the My Health Record system. Most of the commentary has been about protecting the data, how secure the platform is for storing the data, and who will have access to the database. But very little attention has been given to the glaring security weaknesses of the health provider systems that will be used daily to access patient information stored in My Health Record.

In addition to hospitals and large health providers, a range of small providers will be able to access My Health Record. These include not only general practitioners and medical specialists, but also allied health professionals such as physiotherapists, speech pathologists, osteopaths, optometrists and dentists, who can also register to access My Health Record. There are many thousands of these small health providers across Australia and most are small clinics with only a handful of staff.

What this amounts to is an attack surface comprising hundreds of thousands of endpoints, most of which have a level of cybersecurity that is virtually non-existent. This is further compounded by staff who have little or no cybersecurity awareness. As an IT service provider with over 14 years’ experience working exclusively with small businesses, including small health providers, I believe these organisations are ill-equipped to provide an acceptable level of security.

The situation isn’t helped by the fact that, to date, these organisations have never been required to adopt or adhere to a common set of cybersecurity standards. Of course, you could point to the requirements of the Australian privacy principles and the notifiable data breaches scheme, which do apply to health providers. But the reality is that most have only a vague understanding of those rules. Whenever I’ve discussed the privacy principles or the data breaches scheme with the heads of these organisations, most are oblivious to their obligations and consider it an ‘IT issue’. Certainly, none have ever seen or heard of the guidelines on securing personal information issued by the Office of the Australian Information Commissioner.

So, with all of this in mind, it would be reasonable to assume that the Australian Digital Health Agency—the body responsible for national digital health services and systems, including My Health Record—has considered this challenge. Perhaps there’s a cybersecurity framework comprising documented minimum standards, a concise easy-to-understand guide, an education program, a compliance regime, and at least some basic level of monitoring and auditing. The unfortunate reality is that almost none of this is in place.

Both the Australian Digital Health Agency and the My Health Record websites have plenty of content on information security for health providers. Typical of many government sites providing cybersecurity information, it’s a dog’s breakfast—a situation highlighted in a recent policy paper published by AustCyber.

The Australian Digital Health Agency website has a page titled ‘Digital Health Cyber Security Centre’ with a box that provides links to six pieces of cybersecurity guidance, ranging from short webpages on using emails and social media to guides on ransomware and patching aimed at IT professionals. The most useful of these is the Information Security Guide for small healthcare businesses. The document was put together by Stay Smart Online in 2017 and, although it’s a stretch to call it a guide, it does provide some easy-to-understand information about IT security.

On the My Health Record website, there’s a section under ‘For healthcare professionals’ titled ‘Recognise your privacy and security obligations’. Under the heading ‘Implementing security practices and policies’, there’s a statement that ‘healthcare organisations that access digital health records need to meet the requirements under the My Health Records Rule’. It includes a link ‘for a checklist that is based on the requirements outlined in the My Health Records Rule 2016’.

Someone with enough time and energy to follow the link will then end up on a page titled ‘Security practices and policies checklist’. There they’ll find a ‘checklist’ that can be ‘used as a guide to implementing security practices and policies in your healthcare organisation’. The very first point provides an indication of just how useful the checklist is:

  • The organisation has a My Health Record system security policy.

Elsewhere on the My Health Record website, there’s a page about the legislation that governs the way the data is managed by health providers, which includes:

  • My Health Records Act 2012
  • My Health Records Rule 2016
  • My Health Records Regulation 2012
  • Healthcare Identifiers Act 2010
  • Privacy Act 1988.

I challenge anyone to make any sense of all that, let alone the person responsible for running a small clinic. Where do you start, what is essential, and what is optional?

After wading through it all, I couldn’t find any stated minimum cybersecurity standard that a health provider accessing My Health Record data would be required to implement. Not even the absolute bare minimum—have a password policy with a minimum level of complexity, use a password manager, implement two-factor authentication, and ensure all staff have at least one hour of cybersecurity-awareness training.

My Health Record will put vast amounts of confidential health data into a single online database, and no matter how well the central repository itself is protected, it can only ever be as secure as the weakest link. With thousands of small health providers that have only minimal cybersecurity arrangements accessing My Health Record, it has the potential to leak like the proverbial sieve.