Highlights
- Cyber security experts say Australians’ health data remained a prime target for hackers.
- Online health database My Health Record is still vulnerable, experts say.
- Australia should consider strengthening data protection for consumers, an expert has said.
Cyber security and privacy experts warn that the health data of Australians remains a target for hackers, even more so after .
The data breach of the country’s largest private health insurer exposed the health records of 9.7 million Australians – 40 per cent of the population.
And it has raised concerns about another cache of health data: My Health Record.
Are there concerns about a My Health Record hack?
David Vaile, head of the Australian Privacy Foundation, said there was the potential for My Health Record to be the subject of a “massive data breach”.
“The security model for My Health Record is terrible. I’ve been monitoring it and trying to engage in this discussion, you know, wearing several hats over about 10 or 15 years.
“They ended up with something [a system] which gives default access to probably hundreds of thousands of people,” he told SBS News.
The system was designed to facilitate access to patient information among clinicians, but this is a weakness from a cybersecurity perspective.
“At one point in the debate over the early iteration of My Health Record, estimates were in the range of 700,000 to 1.1 million Australians with potential access to My Health Record.”
Created in 2012 by the Federal Government, the database contains the profiles of more than 23.4 million Australians with information including specialist reports, test results, prescriptions, dental records, billing details and notes on symptoms and diagnoses.
The Australian Digital Health Agency, which manages the platform, says 90 per cent of Australians have a My Health Record profile, with a big increase in numbers during the pandemic as people obtained covid-19 vaccination certificates.
The My Health Record system was when it switched to an opt-out system in 2019 at short notice.
Dr David Glance, director of the Center for Software Practice at the University of Western Australia, said the security infrastructure for My Health Record was robust, but another factor to consider was the amount of information contained in the profiles.
“My health record is not exactly widely used, despite all attempts by the authorities to make it useful. The amount of information there is somewhat limited [for a number of individuals, including myself]and would certainly be less problematic than Medibank, for example, which has all the claims data and the data on mental health and abortion procedures and other things.”
Questions remain about how often the system is used by Australians and clinicians.
ONE found that among 88 pharmacists and doctors, half had used My Health Record at least once, but barriers to its use remained, including an “outdated content, lack of trust, low perception of value, no patient record and multiple record systems”.
What would happen in the event of a hack?
Cyber security experts say the extortion potential of the information is what hackers are targeting to keep the criminal operation going – with the dark web and cryptocurrency driving the activity.
Dr Suelette Dreyfus, a digital security and privacy expert at the University of Melbourne, said there was no evidence to suggest a cyber attack on My Health Record was imminent, but a proactive plan was needed for all groups holding health data.
“The healthcare space needs to be much more serious about upping its cybersecurity game to protect health records.”
She said the July 2018 attack on Singapore’s largest healthcare group, SingHealth, demonstrates the ultimate goal and tactics of hackers seeking sensitive healthcare data.
The cyber attack exposed the data of 1.5 million patients, including Prime Minister Lee Hsien Loong.
“What was interesting about that hack is that the forensic teams found that the hackers were actually specifically targeting the archives of powerful politicians and ministers,” Dr Dreyfus said.
“Imagine if you knew (and it wasn’t public knowledge) that a prime minister had a terminal illness and probably wasn’t going to live more than two or three years … that would be incredibly valuable information to other nations, say leaders, but also potentially to markets or companies that can make investment decisions.”
What is the government doing about it?
The federal government agency that manages My Health Record said a new review of cyber security risks was carried out following the recent Medibank hack, in September and Medicare exposure in 2020.
“In light of these breaches, the agency has reviewed relevant identification processes to continue to ensure that only authorized individuals can access a My Health Record,” the Australian Digital Health Agency said in a statement.
The agency said progress had been made to improve cyber security vulnerabilities highlighted by the Australian National Audit Office (ANAO) in a 2019 report which found “management of shared cyber security risks was not appropriate and should be improved”.
The OAIC has produced one with tips on protecting My health record, which you can find .
![Handy with Google lock screen widgets for iOS [Video]](https://www.entrebastidors.info/wp-content/uploads/2022/10/Google-iOS-widgets-iPhone-14-Pro-Max-3-120x120.jpg "Handy with Google lock screen widgets for iOS [Video]")
