myGov has robust security systems in place: DHS

The Department of Human Services (DHS) has rejected concerns over the security of the myGov website, saying it meets all of the government's security requirements for the protection of personal information.

myGov is a single sign-on site that is linked to a number of government services, including Medicare, Centrelink and the PCEHR, and will shortly be used by the Australian Taxation Office for filing online tax returns.

The Sydney Morning Herald recently revealed that a very common vulnerability had been found in the system by security researcher Nik Cubrilovic, who notified the department. He believes the cross-site scripting (XSS) flaw has since been fixed, but this has not placated some in the security industry.

eHealth security expert Trish Williams said cross-site scripting was a fairly basic security issue and the designers should have done better testing.

“They should have been more aware of the basic security issue in the first place,” Dr Williams said. “This is a common problem because security is seen as an add-on, whereas if it had a better quality process in development, those issues would not have been in there in the first place.”

Constellation Research principal analyst Steve Wilson said the system was not fit for purpose. “[A] government system like this has a risk assessment and a privacy impact assessment that goes with it, it's got a detailed design process, there are design teams and architecture teams, and then there are reviews and then there is testing,” Mr Wilson said.

“There are four or five points at which this sort of thing should have been headed off at the pass, and it was not. Colossal weaknesses have got through four or five stages. We need a really deep review of the system.”

A DHS spokesperson said that whenever it receives claims of security concerns, “these are promptly and thoroughly investigated”.

“We can assure you that happened in this instance, and that the myGov service has robust systems in place to protect people’s personal information,” the spokesperson said.

“Access to myGov and other DHS online services is audited and monitored by the department and we routinely subject myGov to independent security testing. As technology changes and new challenges emerge, we update our systems to ensure that the service continues to be secure.”

Pulse+IT asked DHS to outline what security measures are being used to protect consumer data as Mr Cubrilovic believes there may be other potential vulnerabilities.

We also asked why this flaw was not discovered before myGov went live, and whether the department would consider introducing two-factor authentication to the site, as recommended by many security experts.

The department spokesperson did not answer that question and said DHS would not discuss specific details of its security arrangements “as to do so would increase risk for our customers”.

“However, the community can rest assured that any information provided to us is acted on. The myGov service meets all of the Australian Government’s security and privacy requirements for the protection of personal information. myGov security is also protected by law.”

The spokesperson also said myGov users have an important part to play in their own security and they need to make sure they keep their username, password and secret questions safe. DHS also said it was inappropriate to use public access computers or those without virus scanning to conduct secure online services of any kind, and directed us to the government's StaySmartOnline website.

The national Commission of Audit recently recommended that myGov be used as an opt-out system for much of the day-to-day transactions between citizens, businesses and government departments and act as the centrepiece in what it says should be “an aggressive new approach” to digital policy.

Posted in Australian eHealth

You need to log in to post comments. If you don't have a Pulse+IT website account, click here to subscribe.

Sign up for Pulse+IT eNewsletters

Sign up for Pulse+IT website access

For more information, click here.

Copyright © 2017 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.