Enterprise IT, News - Written by Nayantara Mallya, Chillibreeze on Monday, March 12, 2012 10:18 - 8 Comments
E-health record will be hacked, says AusCERT
One of Australia’s top IT security organisations has warned that the Federal Government’s flagship e-health records project is likely to be broken into, with Australians’ medical and identity information to be used for fraud and other criminal activities.
AusCERT, Australia’s Computer Emergency Response Team, which is not associated with the Government, in its submission to an inquiry about the legislation dated in January (PDF), criticised the Government’s Personally Controlled Electronic Health Records (PCEHR) Bill (2011). In its commitment to protecting the privacy and security of Australian Internet users, AusCERT has expressed concern that miscreants could potentially use the PCEHR for identity theft and fraud. The submission was first reported by the AustralianIT.
AusCERT opines that enabling accessibility to personal identifying information in the form of the PCEHR from personal computers over the Internet will only worsen an ongoing problem that will make Australians vulnerable to fraud and identity theft. The submission focuses on the use of untrustworthy end point computers and mobile devices, which, when compromised, will enable attackers to exert full control over the PCEHR to look at or change its contents with the same privileges as the owner or authorised users.
The legislation to create the national electronic health record scheme was approved in June 2010, with funding of $466.7 million in the year’s Federal Budget. The program was scheduled to commence in 2012-13. The promise given by Federal Health Minister Nicola Roxon was that the records would be controlled by individuals and not the government. AusCERT, however, feels this emphasis on the records being fully personally controlled is misleading, especially when it comes to individuals who do not understand security risks. Roxon had called the legislation an important step forward in improving the safety, quality and efficiency of health care in Australia.
The submission feels that the Australian Government’s plan to offer PCEHR over the Internet, possibly through a standard Internet connection and browser software, will expose these records to theft and compromise. It calls the statements about the security, confidentiality, integrity and availability of the records “misleading”, especially in light of the fact that any client end-user computer used to access the PCEHR might already be compromised by malicious software.
The four main categories of threats that AusCERT is concerned about are:
- The back-end central infrastructure including server databases and data processing systems
- Intermediate data storage and processing systems
- Data transport and communications
- End point devices and software used by users. Users refer to the individuals whose personal information is included in the electronic health record, health professionals who will access and update the information, and IT or administrative staff who will access the record as required
The submission points out that the computer used to connect to the system can range from a smartphone, a home PC, laptop, an enterprise PC on a public or private network to a publicly used PC located in Internet kiosks and business lounges; these devices are often targeted by criminals for identity theft and fraud. Techniques like ‘phishing’ and malware used by these criminals have been documented and firmly established.
Responding to a statement from Tony Abbott, former Minister for Health, equating access to health records to access to bank account details, the submission states that this discounts the fundamental difference between the Australian banks’ business model and that of the Department of Health and Ageing (DHA). While banks cannot ensure the confidentiality of online transactions, they can protect the integrity of the transaction by detecting fraudulent transactions. With online health records, both the confidentiality and the integrity must be maintained; the submission states that detecting unauthorised access and changes will be difficult. AusCERT feels that most end users do not possess adequate knowledge, resources or skills to manage the risks.
AusCERT points out that in 2010, ACMA reported that 25,000–30,000 computers are compromised in Australia every day, adding up to a total of about 4 million PCs. The submission asserts that such compromises are persistent and possibly undetected by the user or anti-virus software. It maintains that if the owners or users had the skills to protect their computers, they would not have been compromised in the first place.
One claim by AusCERT is that some of the information contained in the PCEHR, including full name, date of birth, current address and Medicare number, can be used by criminals for illicit financial gain. Another concern in the submission is the possibility of the PCEHR providing information to criminals that could be used to fraudulently get hold of pharmaceutical drugs under prescription.
AusCERT’s concerns are legitimate ones. Creating a huge, centralised, government-run database of electronic health records is an activity which will no doubt draw online criminals and fraudsters like flies to a honeypot. There is absolutely no doubt that the security of the Government’s e-health records project will be defeated at various points, due simply to the fact that thousands of Australians will be accessing the database from insecure computers. When the endpoint cannot be secured, neither can the centralised data.
However, AusCERT’s concerns are also highly generalised ones. Banks, other government agencies and a wealth of other organisations hold data on Australians in centralised databases. Do we block Australians from using Internet banking because of poor security of some endpoint devices such as PCs and mobile phones? No. Does the ATO stop businesses from accessing their information online because of the same reason? No.
In this sense, AusCERT, if it wants to argue against the PCEHR project, must illustrate that the initiative is somehow less secure than the databases held by these other organisations. There seems no reason to believe that the PCEHR database can’t be reasonably secured, at least to the standard of Internet banking systems, through a combination security system featuring multi-factor authentication. Alleging that it can’t is nothing less than scaremongering.
Opinion/analysis by Renai LeMay