“Sleepwalking into catastrophe” with myGov and the PCEHR
eHealth security experts have reacted with dismay to revelations in the Sydney Morning Herald about a basic security flaw in the myGov website that potentially opened up sensitive personal information, including health information held on the PCEHR, to malicious attacks.
myGov is a single sign-on gateway for consumers to access a number of online federal services, including Medicare, Child Support and the PCEHR, and is soon to also be used by the Australian Taxation Office to file electronic tax returns.
Last month, SMH journalist Ben Grubb wrote several stories about the potential weaknesses in the myGov website, prompting a Wollongong security researcher and entrepreneur called Nik Cubrilovic to take a closer look.
What Mr Cubrilovic found – detailed in full on his website – was a very common cross-site scripting flaw that allowed him to easily gain access to another person's myGov account and from that to access other linked accounts. A video showing how easy it was to hack the site is available on the SMH website.
Trish Williams, an associate professor and eHealth research group leader at Edith Cowan University's School of Computer and Security Science and chair of HL7 Australia, said cross-site scripting was a very common attack method that works by capturing cookies or other web session information.
“A cookie is just a text file and when you go to a certain website, it retains on your computer some information about what you've done,” Dr Williams said. “It is not necessarily your log-in details but some of the connection details. Cross-site scripting code uses known vulnerabilities in web-based applications. A cookie is just a text file so it doesn't do anything on its own. However, cross-scripting allows malicious content to capture and use this information.”
Dr Williams said cross-site scripting was not an individually targeted method but was more an opportunistic way to potentially hack a site. The problem with it affecting single sign-on sites like myGov is that you then have access to a whole range of other sites, including the PCEHR.
“If I can get into myGov and use that, it automatically authenticates to the other sites,” she said. “That is the beauty of having single sign-on: from the user's point of view you don't have to remember all of your other passwords. But this vulnerability gives you access to a whole range of things.”
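As an added illustration (example code, not myGov's or the researcher's code), the two controls that address the cookie capture described above: an untrusted parameter reflected into a page in its vulnerable and hardened forms, and the Set-Cookie flags that keep page script, injected or not, from reading a gateway session cookie at all. The cookie name, handler names and sample values are constructed for this example.

```python
# Added example (not myGov's code): the two controls that address the cookie
# capture Dr Williams describes. Cookie name, handlers and sample values are
# constructed for illustration.
import html
from http.cookies import SimpleCookie
from typing import List

SESSION_COOKIE = "sso_session"   # hypothetical gateway session cookie name


def render_search_vulnerable(query: str) -> str:
    """'Before': the query parameter is reflected into the page unencoded.
    Markup in it becomes part of the page, so script in it runs in the
    gateway's origin with the visitor's session."""
    return f"<h1>Results for {query}</h1>"


def render_search_fixed(query: str) -> str:
    """'After': HTML-encode untrusted input before it reaches the template.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def session_set_cookie(token: str) -> str:
    """Set-Cookie header for the gateway session. HttpOnly keeps page script
    (injected or not) from reading the value, Secure stops it travelling over
    plain HTTP, SameSite limits cross-site sends."""
    return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def audit_set_cookie(header: str) -> List[str]:
    """Return the protections missing from a Set-Cookie header, the check a
    reviewer or test pipeline would run on every session cookie."""
    jar = SimpleCookie()
    jar.load(header)
    missing = []
    for morsel in jar.values():
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["samesite"]:
            missing.append("SameSite")
    return missing


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(render_search_vulnerable(probe))   # markup reaches the browser intact
    print(render_search_fixed(probe))        # rendered as literal text
    print(audit_set_cookie("sso_session=abc123"))          # ['HttpOnly', 'Secure', 'SameSite']
    print(audit_set_cookie(session_set_cookie("abc123")))  # []
```

Output encoding removes the injection; the cookie flags are the second line of defence, so that a bug that slips through review does not hand over the session that the other linked services trust.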
Mr Cubrilovic wrote on his website that the flaw now seems to have been fixed, but both Dr Williams and security expert Steve Wilson, vice-president and principal analyst at Constellation Research, say that this just shows the site wasn't built using good security protocols in the first place.
“It is a fairly basic security issue so they probably should have done better testing, but that is an after-the-fact thing,” Dr Williams said. “They should have been more aware of the basic security issue in the first place. This is a common problem because security is seen as an add-on, whereas if it had a better quality process in development, those issues would not have been in there in the first place.”
Mr Wilson said the situation was appalling. “This is supposed to be a government single sign-on solution to accessing what are your most important and sensitive government dealings, and it is not fit for purpose,” he said.
“It shows no sign of the careful design that should go into the master key for all of your government digital assets.”
Mr Wilson said talk of patching vulnerabilities and fixing problems as they arose was not good enough.
“[A] government system like this has a risk assessment and a privacy impact assessment that goes with it, it's got a detailed design process, there are design teams and architecture teams, and then there are reviews and then there is testing,” he said.
“There are four or five points at which this sort of thing should have been headed off at the pass, and it was not. Colossal weaknesses have got through four or five stages. We need a really deep review of the system.”
Single sign-on is often seen as a user-friendly way for average consumers to access information. Even though anecdotal evidence suggests the myGov website has proved quite difficult for people wanting to sign up to the PCEHR, most security experts believe two-factor authentication is essential to protect personal data such as healthcare information.
Mr Wilson said it is possible to find a balance between convenience and security, but serious two-factor authentication is a must. Using extra authentication like SMSs can be difficult, but he believes we are close to having passkey-type security available through mobile phones.
“Instead of messing around with SMSs we should be using digital signature capabilities on the phone, we should be using NFC (near field communication), we should be using SIM card security,” he said.
“I'm staggered. We have a single sign-on solution for government that is much weaker than what internet banking was 10 years ago. There's no second factor in sight. I'd like to see them use SIM cards or to use smartcards. You could use NFC smartcards that you wave in front of your phone or your tablet and it is rock solid, it is world's best practice security.”
While the Department of Human Services (DHS) issued an assurance to Mr Cubrilovic that it “takes the security of its digital services extremely seriously” and that “myGov users can be confident that their personal information and records are in very safe hands”, this has been widely derided by security experts.
Mr Wilson described the situation as bizarre, and said that while the government's digital first policy was a good one, as was the recommendation of the Commission of Audit to make digital the first point of call for consumer dealings with the government, Australia simply does not have the infrastructure to cope. And when it comes to the most personal information, security was not being taken seriously enough.
“We are just sleepwalking into catastrophe with myGov and the PCEHR,” he said. “There is no room for error. The surprising thing about the Royle review [into the PCEHR] is how naïve it is with respect to security. You have to assume that security is imperfect and you make policy based on that, but you can't make eHealth policy based on blind faith that the security is okay because there's no room for error.”
The recommendation in the Royle review to make the PCEHR an opt-out system, which the Consumers Health Forum, the Australian Medical Association and Health Minister Peter Dutton all strongly support, will bring security issues such as this to the fore. However, Dr Williams said it didn't matter whether the PCEHR was opt-in or opt-out – the security measures should be identical.
“When you talk about opt-out it just means there will automatically be more registrations in the first instance,” she said. “That does not mean that there will be any more usable clinical records. It does not mean that your health summary is there, nor does it guarantee its use; it just means that you have a registration.
“The delivery of the PCEHR is not necessarily the problem here. We do not actually have to change the model for that delivery but I dare say from the things that have happened and from a security perspective, they should look at having a different method of access. This is only the user access … as clinical access is through different portals, and you'd hope that the security for all of the other portals is different.”
One problem facing the industry – and one voiced off the record by many software developers working in eHealth – is that no one actually knows how secure those other portals are.
“Nothing is going to be 100 per cent secure ever,” Dr Williams said. “If you have large corporations like Google who have security issues then who are we to think everything is going to be completely secure? But you can definitely have something that's a bit more secure than what they're talking about at the moment.
“One problem is that they won't tell you. I was on the original committee that looked at the risk assessments for the PCEHR; however, as soon as this engagement activity was complete, they would not tell those involved in that work what had been done or how the security is ensured.”
Dr Williams said it was possible to set up a new, more secure system for the PCEHR and that it is possible to build a population-level eHealth record that has proper security, but Mr Wilson said he would not recommend retrofitting the existing system.
He said he did not see any evidence that the PCEHR itself was robust, as shown by the cases of incorrect information that have been inadvertently added to the wrong patient's record, such as incorrect PBS data.
“I do think you can have a population-scale health record,” he said. “They seem to be able to do that in Scandinavia, but with the Royle review, if people want to make a parental decision on behalf of the entire population that you will be in by default, they need to make it opt-out grade.
“We need proper two-factor authentication for every single access to the system and you need two-factor authentication for patients. And you need a system that doesn't upload medication records for the wrong people. There's much more to this than just building a portal in front of the existing PCEHR.”
The Department of Human Services has been approached for comment.