Medicare breach response doesn't cut the mustard
The slightly delayed Digital Hospitals Handbook and news that Telstra Health had been granted access to the My Health Record system for its HealthNow app may have been the most popular stories on Pulse+IT this week, but out in the wider health and IT communities one story dominated, and that was the Guardian newspaper's discovery that Medicare numbers were for sale in the darker recesses of the internet.
Guardian journalist Paul Farrell was able to buy his own number for the price of a few bitcoins from a cheery-sounding vendor on the dark web, and his resulting story made waves around the country on Tuesday. It doesn't appear that everyone's numbers have been released but Mr Farrell's investigations show that the vendor had made a few tidy sales, numbering about 75 all up.
Getting information about the situation from the Department of Human Services (DHS) was tough as the issue has been referred to the Australian Federal Police, so what happened is pretty much just speculation at the moment. One possible site of the vulnerability is DHS's Health Professional Online Services (HPOS) system.
HPOS is used by many healthcare practices in the country for patient verification, checking MBS item numbers and for Easyclaim processing, and that's not just medical practices but dental and allied health as well. For more on this, we recommend that in addition to the Guardian's original story, you take a look at this one from Sydney-based information security reporter Jeremy Kirk. It's very good.
If HPOS is the vulnerability, it should not be too hard to discover whether it is DHS's systems that have been breached or if a practice is at fault. Healthcare providers who want to use HPOS have to have a PKI certificate or a PRODA account, which uses two-factor authentication, so it might be reasonably easy to pinpoint what has gone wrong. Then again, the vendor does seem to be boasting about batch releases for sale, so who knows what he's got his hands on.
The major concern about the potential breach seems to be that as Medicare numbers are commonly used as identification, identity theft and fraud are the most likely criminal uses. But it wasn't long before the usual suspects came out to tie the breach to the My Health Record and its potential to expose everyone's sexually transmitted diseases to the world, which Sue Dunlevy quickly did over at News Corp. Ms Dunlevy is still under the impression that everyone's historical information is automatically going to be uploaded to the system and that details about abortions, STIs and mental health diagnoses are going to go up too without consent.
This is nonsense but she's not alone. Those people innately suspicious of government and its desire to get its hands on your medical information are now adding this new breach and lingering fears about the My Health Record to other data 'debacles' such as that which occurred with last year's census, the ATO's IT difficulties and Centrelink's notorious Robo-debt situation.
The Minister for Human Services, Alan “Tudgie” Tudge, has done no one any favours with his response to these issues, which he seems to dismiss out of hand. Tudgie made a bit of an effort this week to seem concerned about Medicare numbers for sale but his statement that the breach was due to old-fashioned criminal enterprises didn't sway anyone.
However, despite our cracks at News Corp's fear-mongering we are pretty certain that this issue will affect trust in the My Health Record system, even though there is no real link between the two. It, like all IT systems, is vulnerable to hacking and there's no doubt there will be a breach one day, whether from a criminal enterprise, a nosy healthcare provider or innocent error. When it comes time to flick the switch to opt-out, the government is going to need to do some serious public relations to ensure everyone knows what they are getting into.
This week, AMA president Michael Gannon did a pretty good job in several radio interviews to allay some fears about the safety of MyHR, but the government, the Department of Health and the Digital Health Agency need to find someone quick smart who can front up to the media at a moment's notice and speak with authority about the system's defences when situations like this arise again, which they will. Old Tudgie just doesn't cut the mustard.
This brings us to our poll question for the week: Do you think the exposure of Medicare card numbers on the dark net this week will affect the public's confidence in the security of the My Health Record system?
Our poll last week asked: Do you think EMRs are now being viewed more positively by clinicians? It seems so: 72 per cent said yes, 28 per cent no.