Circumstances in which Australians' personal information has been
compromised and made available for sale illegally on the 'dark web'
Summary
1.1
The Australian Greens believe that Australians' health data, given its
sensitive nature, should be treated with extreme care. The Medicare data breach
event, in which an Australian journalist was able to purchase their own
Medicare number on the dark web gave rise to significant concerns from the public
regarding the safety of their health information.
1.2
As is noted in the majority Committee report, we note with concern that
it was a journalist, not the government who identified this breach. The Greens
concur with the committee report that the department's failure to promptly
notify affected individuals once the breach was identified is concerning and
that responsible data management requires prompt and timely disclosure when
security breaches occur.
1.3
This breach event gave rise to concerns, from a number of submitters to
this inquiry, about the security of the HPOS system, and potential parallels
with the My Health Record system.
1.4
The Australian Greens referred this inquiry to the Finance and Public
Administration Committee in light of these public concerns. While the Committee
did not receive clear information about how this breach could occur, the
inquiry has raised questions about the outdated security practices used in
authenticating users of the HPOS system, and best practice in administering and
protecting, personal health data.
1.5
The inquiry also raised concerns from some, about the use of Medicare
numbers as a form of secondary ID, which gives them unintended value as a
commodity related to identity theft and fraud, compromises patients safely
using Medicare numbers for their intended purpose, which is to access
healthcare.
1.6
The Australian Greens are particularly concerned by any impact this
breach, or current practices, might have on the roll-out of the My Health
Record system. We understand the clear benefits of a personally controlled
electronic health record to best practice patient care, when executed to the
highest standards of protection.
1.7
We note the points made by security and privacy submitters to the
inquiry, regarding the need for best practice security in dealing with this
sensitive data. The Australian Greens believe that an appropriate balance must
be reached to ensure the best patient care outcomes through the use of
electronic health records, and appropriate privacy and security of personal
information of Australians.
1.8
We share concerns raised by the AMA and RACGP in the inquiry in relation
to vulnerable groups and their access to healthcare.
Medicare numbers as a form of ID
1.9
The majority committee report acknowledges that "the secondary role
of Medicare card numbers as an aspect of proof of identity under the DVS makes
the card valuable for identity theft", but that "the secondary use of
the Medicare card as a proof of identity document under the DVS falls within the
Attorney-General's portfolio".[1]
The Australian Greens support the recommendation made in several submissions
that the use of Medicare numbers under the Attorney-General’s Document
Verification Service (DVS) scheme should be reviewed.[2]
Access to healthcare information
1.10
The majority committee report states that the committee is "satisfied
that the potential for identity theft by means of a stolen Medicare card number
does not result in an individual's health information being accessed".[3]
However, Mr Tim Kelsey, Chief Executive Officer, ADHA testified that a Medicare
number is one of the five pieces of information that grants access to My Health
Record.[4]
Future Wise notes that:
the Medicare number was supposed to be an additional point of
identification to prevent the unauthorised access by registered healthcare
workers, so while technically correct that the medicare number of itself does
not allow access to myHR, it forms a part of the puzzle.[5]
Prior incidents
1.11
The Australian Greens share the concerns expressed in the majority
committee report that "the issue of potential identity fraud has arisen
before" and that the "submissions from the department do not indicate
that this risk is fully understood, or has been addressed".[6]
We recommend that DHS and ADHA are required to report on the knowledge,
actions, and outcomes in regards to these prior incidents of fraud related to
Medicare numbers.
Security standards
1.12
The majority committee report notes that a range of security issues were
identified in various submissions, but not does provide a committee view or
recommendations related to these issues.[7]
The Australian Greens recommend that these issues are addressed by DHS and ADHA
to bring security of HPOS and My Health Record up to world best-practice prior
to My Health Record transitioning to an opt-out system.
1.13
Mr Paul Power, eHealth Privacy, explained that the HPOS and My Health
Record systems are fundamentally insecure, and require an unachievable level of
security to be made secure, due to the sheer number of people who have access
to all records in the system.[8]
Mr Power notes that My Health Record is "unlike other large government
databases where restrictions are such that no users have access to all
records" and that there is "no risk mitigation to protect My Health
Records implemented as a central repository accessed over the internet by a large
number of legitimate users". Mr Power points to the system used in Germany
as an alternative, where master data is held on an encrypted eHealth card by
each citizen.
1.14
Mr Paul Power, eHealth Privacy, notes that it is virtually impossible to
determine who is responsible for a breach, as "although we may be able to
identify one or many legitimate access points as a source of breach, there is no
reasonable way to rule out the possibility that such sources have been hacked."[9]
1.15
Future Wise notes that the security measures used for HPOS only attempt
to restrict unauthorised access, whereas "improper use by users who do
have a valid reason for accessing the system is not prevented."[10]
Future Wise also states that "unequivocally the greatest risk to the
privacy of myHealthRecord holders" is not hackers or cybercriminals, but
"improper access by authorised users".[11]
1.16
Future Wise also highlights that registration to PRODA is not protected
against identity theft:
Registration is via three forms of identification, verified
online. There is no protection against identity theft; the combination of a
compromised email address and a stolen wallet, combined with publicly
accessible information from the web would be sufficient to register for an
account with identity verification. Status as a healthcare worker is verified
by comparing the biographic details entered with the provider’s registration
number with the Australian Health Professionals Regulation Authority
registration number. This number is available to public search via APHRA’s
website, and requires only the name and professional stream of a healthcare
worker to find.[12]
1.17
Mr Power states that the two methods of access to HPOS (PKI and PRODA)
are both vulnerable to attack.[13]
Dr Robert Merkel states that neither PKI nor PRODA implement "contemporary
information security best practices", with issues related to the PKI
system's use of cryptographic hash functions and the PRODA system's use of
email-based 2-factor authentication.[14]
1.18
Future Wise also notes issues with the 2-factor authentication (2FA)
used for HPOS that involves storing a certificate on a memory stick, which is
often left plugged into a practice admin computer, compromising security.[15]
Future Wise also notes issues with the Android App that is an option for 2FA
for PRODA, as well as no option for widely accepted 2FA standards such as
OTP/TOTP.[16]
1.19
Future Wise also state that the Australian Government’s data protection
practices cannot be considered best practice:
Major Australian Government IT projects have been beset with
technical and planning failures and subject to widespread criticism in the
mainstream media, in technical circles and by the general public. In the last
18 months, in addition to this breach, there has been the reidentification of
provider numbers from the Data.gov.au Medicare dataset; the leaking of
parliamentarians’ phone numbers, the deliberate release of personal information
of blogger Andie Fox in response to her articles about the Centrelink automated
debt recovery, and the public service census data breach potentially leaking
the personal details of 96,000 public servants.
These examples are specifically related to data protection,
and have occurred at the same time as a large number of non-security-related IT
issues – the electronic census website outage now popularly known as "#Censusfail"
and multiple outages of the Australian Tax Office's website.[17]
Conclusion and Recommendations
1.20
The Australian Greens are concerned that this breach occurred and we
call on the government to take the necessary steps to ensure that health
services employ world best-practice data security practices. We look forward to
the government’s response to this inquiry and the “Independent Review of Health
Providers’ Access to Medicare Card Numbers”, with detailed next steps that the
government will take to ensure that this kind of breach is not repeated in
future.
Recommendation 1
1.21
The Australian Greens recommend that the use of Medicare numbers under
the Attorney-General's Document Verification Service (DVS) scheme should be
reviewed.
Recommendation 2
1.22
The Australian Greens recommend that security and privacy issues raised
in this inquiry are addressed by DHS and ADHA to bring security of HPOS and My
Health Record up to world best-practice.
Recommendation 3
1.23
The Australian Greens recommend that DHS and ADHA report on their
knowledge, actions, and outcomes in regards to the prior incidents of fraud
related to Medicare numbers, as raised in October 2015 Estimates.
Recommendation 4
1.24
The Australian Greens recommend that the government implements the
recommendations of the "Independent Review of Health Providers' Access to
Medicare Card Numbers" as soon as possible.
Senator Richard Di Natale
Australian Greens
Navigation: Previous Page | Contents | Next Page