19 Jul 2018
My Health Record is a perfect gift for hackers
The former head of the federal government’s Digital Transformation Agency, Paul Shetler, has pointed out that the way the My Health Record has been set up means millions of Australians are being given an online record without realising that they have to change their security settings manually to protect their medical history.
He observed that with an opt-out system people’s data could be accessed for things that had nothing to do with their health.
The issue highlights the widespread security vulnerabilities in our healthcare system. Outdated computer systems are putting hospitals at risk from hackers. Last year the Victoria Auditor-General’s Office found that the state’s healthcare systems weren’t securely configured. In many cases the systems were so outdated that the original developer was no longer issuing security updates. The auditor concluded there was a real risk of hackers stealing or altering hospital, financial or patient data.
Similar findings would apply in other states. Attackers could launch “denial of service” attacks and restrict healthcare users’ access to health services. Last year in the US there was a recall of 465,000 pacemakers because of the possibility of hackers reprogramming the devices.
The emergence of “internet of things” medical devices connected to healthcare networks also poses risks: they allow hackers direct access into hospital systems.
There are no state or national standards for the security of such devices. Many of these devices — such as CAT scanners — aren’t designed to be patched. Malicious individuals could take over the devices and gain unauthorised access to health networks.
A targeted cyber attack on the healthcare sector could affect the care provided to many thousands of patients. Last August hackers took down the computer systems of a major trauma centre in the US for six weeks.
Hackers target medical institutions because they’re soft security sites with easy access to a patient’s name, address, Medicare number and driver’s licence details. A criminal seeking to create false identities has an excellent start with the information contained in the average medical record.
We have to have confidence that health data won’t be stolen. Such information could be used in everything from school bullying to workplace discrimination.
Medical data is moving into the digital era at a record-breaking pace. X-rays, pathology results, pharmacy records and even online consultations via telehealth are all within the digital sphere. The risk is that the pace and push for e-data will outstrip the security needed to safely manage it.
Centralised storage of personal information could be targeted by hackers. Last year we saw the federal police launch an investigation into the leak of sensitive Medicare details, which allegedly were sold by criminals on the so-called dark web.
In 2016 the personal data of more than 550,000 blood donors, including information about at-risk sexual behaviour, was stolen from the Australian Red Cross blood service in a security breach.
Hospitals don’t want to spend money on things that aren’t related to patient health. IT security isn’t always seen by hospitals as related to patients’ care. IT for health is expensive to develop, costly to buy and difficult to interface with myriad different hospital systems. Our healthcare systems need to work more closely with our cyber security agencies. We’ve been warned.