By Boaz Fischer on Aug, 7 2018
Can We Trust The Government To Protect Our Personal Identifiable Information?
“No one likes to see a government folder with his name on it.”
― Stephen King
Times are changing and even the Government is trying to get its act together. As different industries have slowly digitalized many of their services, the health care industry has also joined the bandwagon and moved towards digitalization. In fact, this has been the basis for a new service being offered by the Government of Australia in the form of the “My Health Record” – MyHR program that is developed by the Australian Digital Health Agency – ADHA and has been actively released.
Designed to improve the way patients and healthcare providers interact, “My Health Record” is an online platform where everyone can keep all their documents, data and other details that are part of their clinical history. The platform also offers ease in connecting with the right professionals and is meant to improve the way patients and doctors interact with each other.
Many of Australia’s health bodies such as the Australian Medical Association, Pharmacy Guild of Australia, the Royal College of Australian General Practitioners, Australian Healthcare and Hospitals Association Pharmaceutical Society of Australia, and the Consumers Health Forum also wholeheartedly support the application of “My Health Record.”
Currently the platform has around 6,677,045 clinical documents uploaded to it by different healthcare organizations. On a weekly basis, around 18,500 new records are being created and to date, “My Health Record,” has around 5.98 million user profiles.
A Change In The Program
While the “My Health Record,” platform was previously functioning on an opt-in basis, the rules have been revised. Now, it is working on an opt-out basis where it is considered mandatory for everyone unless they ask to not be included. Requests for opting out can be submitted from 16th July 2018 till 15th October 2018. It should be noted that opting out of the “My Health Record” program right now does not mean that you cannot make an account later in the future.
However, unless you give prior notice, you will be given a “My Health Record” account. This has raised quite a few concerns but the biggest are in relation to the security measures available. In “My Health Record,” they don’t apply automatically to user accounts. Users have to log-in to their accounts and manually define the parameters that give or limit access to their sensitive information which other healthcare organizations, doctors and other individuals can see on their accounts.
In this case, the risk of a data breach is very high with the “My Health Record” platform. Currently, data storage with organisations is very elementary, relying on the customers to provide them with their private data and trust the organisation to protect it. In this paradigm, the organisation treats the data as their own but this often leads to carelessness and eventually, a breach occurs. While data breaches were considered to be rare, anyone who follows the news now knows that this approach is fraught with risks.
Data breaches where corporations accidentally end up leaking private data entrusted to them have become an almost daily occurrence. A major example of this can be seen in the data breach suffered by Equifax. In 2017, the Equifax breach revealed and compromised large amounts of personal data of half of all American citizens. Before 2017, many Americans probably had never heard of Equifax or known that Equifax possessed such a large amount of their personal data.
The lack of proper data security measures is more worrying as the numbers of data breaches keep growing with each passing year as well. It’s not just about global data breaches. There have been plenty of national data breaches which made headlines. The more notorious ones happened in Government run programs as well such as the following major ones:
- In October 2016, the Australian Red Cross Blood Service’s website, DonateBlood.com.au suffered a data breach when a file that had personal data, including the medical histories of around 550,000 blood donors, was accidently moved to a portion of the web server that was publically accessible. The cause of the breach was investigated by the Australian Information and Privacy Commissioner and chalked up to employee error. While the issue was corrected immediately, the risk that 550,000 people faced is still immeasurable.
- In November 2017, a massive data breach targeted the Australian Department of Finance, the National Disability Insurance Agency and the Australian Electoral Commission and workers in the private sector in organizations like Rabobank, AMP and UGL. The breach was caused by a private contractor and around 5,000 federal public servants and 50,000 Australians suffered because of it. The compromised information consisted of passwords, names, data related to ID, numbers of credit cards and the expenses and salaries of a person. Further investigation showcased that the data was from March 2016 and much of the information was expired, there was still cause for concern. While the gravity of the breach was downplayed on this angle, the disclosure of passwords and email addresses still places them at risk.
A concerning thing is that government based data breaches aren’t just restricted to the Australian government. A report conducted by Thales Data highlighted that in the past year, around 57% of US federal agencies suffered from a data breach. In comparison, only 26% of non- US agencies have suffered from a data breach in the last year.
One of the biggest data breaches in the history of the US government happened in 2015 to the United States Office of Personnel Management – OPM. Said to be ‘one of the most sensitive agencies in the US,’ the data breach in OPM directly compromised around four million government employees - former and current. A total of 21.5 million records were stolen from OPM’s database.
The breach exposed sensitive data including the security clearance information, personal details such as addresses, email addresses, information on health insurance and life insurance and more of federal agents, officials and employees. Further investigation also highlighted that the stolen data included 5.6 million records of fingerprints which put secret agents and people with new identities under threat.
The most disappointing aspect of the data breach is that it could have been prevented. In 2014, a breach was identified by the Department of Homeland Security – DHS but apart from releasing a public statement that no personal information had been comprised, no further action was taken. However, OPM had been given multiple warnings of the security risks they were exposed to in the past which were not heeded.
In March 2015, a semi-annual report to Congress highlighted this fact as well but there was no action taken until after a second breach was discovered in April 2015. Even more worrying is the fact that the Chinese government was found to have a hand behind this. Apart from making arrests and asking for the resignation of Archuleta, the Director of OPM, it is unclear what other measures have been deployed to correct the damage done.
Can We Trust The Government To Protect Our Personal Identifiable Information?
With so many data breaches being experienced by government bodies, and little accountability on their part, it is time to put your foot down. Many data breaches have occurred because of simple mistakes made by employees and failure to adopt proper measures by the agencies.
Moreover, statistics don’t show this trend of data breaches in government agencies improving. In fact, the “Notifiable Data Breach Second Quarterly Report” highlighted that the private health sector is among the top sector for data breaches - 49 notifications in this quarter alone. Last month, the Singaporean government's online health system was hacked and 1.5 million health records were compromised. Even more worrying is the fact that the compromised data included the personal identifiable information of the Prime Minister as well.
A major reason why health records are targeted is because they are far more valuable on the dark market than other personal information such as credit card details or phone numbers. Health records are a major means of identification of a person. Through them, not just the personal information about an individual but also their family and their medical history can be traced and misused with ease. Due to this factor, they also fetch a high price on the dark web and hackers will often sell them to the highest bidder without a second thought.
Given these circumstances, the ‘My Health Record’ platform has a high chance of experiencing a data breach because it is a veritable gold mine of sensitive data. The security measures being adopted to minimize risks are not being highlighted either which does not help to diffuse the mistrust, confusion and fears of users. More troubling is the fact that “My Health Record” is already experiencing leaks in their infrastructure in relation to news.
An insider leak by none other than the GP of ‘My Health Record,’ Dr. Edwin Kruys, highlighted that the Australian Digital Health Agency – ADHA has made the decision to avoid discussing any risks for consumers on the website. Once ADHA was reached out for comment, they not only became aware of this statement but also edited it to remove the comment and its relation to any secondary use of the data on ‘My Health Record.’
In a now deleted paragraph, the GP of ‘My Health Record,’ stated that, “It has been decided that the risks associated with MyHR will not be explicitly discussed on the website. This obviously includes the risk of cyber-attacks and public confidence in the security of the data.” However, this is an area of concern for many individuals and they have a right to know because of the clause in the My Health Records Act 2012.
Under this clause, ‘My Health Record,’ has the right to use, disclose and collect information, for any discernible purpose, as long as they have the consent of the person. To facilitate secondary use of the data, ‘My Health Record’ will be making use of system operators. One of the main responsibilities for a system operator will be to provide and prepare information which has been de-identified to use it for public health and research purposes.
While organizations such as RCA – Rare Cancers Australia and MSA – Multiple Sclerosis Australia have shown support and transparency in favour of secondary usage of the data on My Health Record for research purposes, not every organization has been so forthcoming. In fact, the Law Council of Australia has called for cautionary measures and released a statement which included that, “Measures should be adopted in the framework to require ‘opt in’ for the use of personal data for secondary purposes to ensure that any use of personal data is by consent, as required by the legislation.”
Despite this fact, the fears of data breaches, security issues and misuse of secondary data usage options have not been allayed yet, but it is something that Dr. Edwin Kruys has recognized and is actively trying to address. The inclusion of trained system operators and more cannot hide the fact that a large number of data breaches occur because of employee error or from some other internal fault. With the current refusal to discuss the security measures being implemented, it does take away faith from the ability of the “My Health Record” program and the government agencies such as Australian Digital Health Agency –ADHA to safeguard the data on it properly.
How Can We Help You?
The growing increase in privacy regulations here and abroad have highlighted key concerns for most organizations when it comes to their crown jewels:
- What data do we have that is sensitive / classified / of value / would land us in trouble if breached?
- Where is it and how is the organization using it?
- Is it at risk / who has access to it / is accessing / should have access?
- Is it in use / can we potentially get rid of it or archive it?
The answers to those questions and more can be answered through a simple and yet effective Data Risk Assessment (DRA).
The Data Risk Assessment provides organisations with the ability to quickly ascertain the level of risk associated with their data; identify where is their sensitive data, how much do they have, identify who has access to it, who is accessing it, where it’s over exposed, the amount of stale data and the extent of legacy artefacts and misconfiguration which represents a level of risk. It is a short term, light touch consultative engagement culminating in the presentation and delivery of a report.
if you need some more resource material, download the Insider Threat eBook by CommsNet Group, completely free of charge. For more information, you can also send them an email at: email@example.com OR give us a call at: +61 2 6282-5554.