One of Australia’s top IT security organisations has warned that the Federal Government’s flagship e-health records project is likely to be broken into, with Australians’ medical and identity information to be used for fraud and other criminal activities.
AusCERT, Australia’s Computer Emergency Response Team, which is not associated with the Government, in its submission to an inquiry about the legislation dated in January (PDF), criticised the Government’s Personally Controlled Electronic Health Records (PCEHR) Bill (2011). In its commitment to protecting the privacy and security of Australian Internet users, AusCERT has expressed concern that miscreants could potentially use the PCEHR for identity theft and fraud. The submission was first reported by the AustralianIT.
AusCERT opines that enabling access to personal identifying information in the form of the PCEHR from personal computers over the Internet will only worsen an ongoing problem that leaves Australians vulnerable to fraud and identity theft. The submission focuses on the use of untrustworthy end point computers and mobile devices, which, when compromised, would enable attackers to exert full control over the PCEHR and to read or change its contents with the same privileges as the owner or authorised users.
The legislation to create the national electronic health record scheme was approved in June 2010, with funding of $466.7 million in the year’s Federal Budget. The program was scheduled to commence in 2012-13. The promise given by Federal Health Minister Nicola Roxon was that the records would be controlled by individuals and not the government. AusCERT, however, feels this emphasis on the records being fully personally controlled is misleading, especially when it comes to individuals who do not understand security risks. Roxon had called the legislation an important step forward in improving the safety, quality and efficiency of health care in Australia.
The submission feels that the Australian Government’s plan to offer PCEHR over the Internet, possibly through a standard Internet connection and browser software, will expose these records to theft and compromise. It calls the statements about the security, confidentiality, integrity and availability of the records “misleading”, especially in light of the fact that any client end-user computer used to access the PCEHR might already be compromised by malicious software.
The four main categories of threats that AusCERT is concerned about are:
- The back-end central infrastructure including server databases and data processing systems
- Intermediate data storage and processing systems
- Data transport and communications
- End point devices and software used by users, where “users” means the individuals whose personal information is included in the electronic health record, the health professionals who will access and update the information, and the IT or administrative staff who will access the record as required
The submission points out that the computer used to connect to the system can range from a smartphone, a home PC, laptop, an enterprise PC on a public or private network to a publicly used PC located in Internet kiosks and business lounges; these devices are often targeted by criminals for identity theft and fraud. Techniques like ‘phishing’ and malware used by these criminals have been documented and firmly established.
Responding to a statement from Tony Abbott, former Minister for Health, equating access to health records to access to bank account details, the submission states that this discounts the fundamental difference between the Australian banks’ business model and that of the Department of Health and Ageing (DHA). While banks cannot ensure the confidentiality of online transactions, they can protect the integrity of a transaction by detecting fraudulent transactions. With online health records, both the confidentiality and the integrity must be maintained, and the submission states that detecting unauthorised access and changes will be difficult. AusCERT feels that most end users do not possess adequate knowledge, resources or skills to manage the risks.
AusCERT points out that in 2010, ACMA reported that 25,000–30,000 computers are compromised in Australia every day, adding up to a total of about 4 million PCs. The submission asserts that such compromises are persistent and possibly undetected by the user or by anti-virus software. It maintains that if the owners or users had the skills to protect their computers, they would not have been compromised in the first place.
One claim by AusCERT is that some of the information contained in the PCEHR, including full name, date of birth, current address and Medicare number, can be used by criminals for illicit financial gain. Another concern in the submission is the possibility of the PCEHR providing information to criminals that could be used to fraudulently obtain prescription pharmaceutical drugs.
AusCERT’s concerns are legitimate ones. Creating a huge, centralised, government-run database of electronic health records is an activity which will no doubt draw online criminals and fraudsters like flies to a honeypot. There is absolutely no doubt that the security of the Government’s e-health records project will be defeated at various points, due simply to the fact that thousands of Australians will be accessing the database from insecure computers. When the endpoint cannot be secured, neither can the centralised data.
However, AusCERT’s concerns are also highly generalised ones. Banks, other government agencies and a wealth of other organisations hold data on Australians in centralised databases. Do we block Australians from using Internet banking because of poor security of some endpoint devices such as PCs and mobile phones? No. Does the ATO stop businesses from accessing their information online because of the same reason? No.
In this sense, AusCERT, if it wants to argue against the PCEHR project, must illustrate that the initiative is somehow less secure than the databases held by these other organisations. There seems no reason to believe that the PCEHR database can’t be reasonably secured, at least to the standard of Internet banking systems, through a combined security system featuring multi-factor authentication. Alleging that it can’t is nothing less than scaremongering.
Opinion/analysis by Renai LeMay