My Health Records System: Opt-in or Opt-out?

Tue, 04 Sep 2018 20:23:11 Z

According to the Australian Government, My Health Record is an electronic summary of a person’s health information. Healthcare providers are able to add information about a consumer's health to their My Health Record, in accordance with the consumer’s access controls. This may include information such as medical history and treatments, diagnoses, medications and allergies.

Benefits of the MyHealth Record System

There is constant debate around the MyHealth Record system coming online in Australia by the end of 2018. Opt-in or Opt-out? So far thousands have opted out and some predict over 25% of Australians will have opted out by the November 15 deadline. MyHealth Record is a great idea in principle where all doctors could get to see the same information, removing the duplication of effort and the unnecessary step of repeating the same procedures or tests. The main benefit is that by having a centrally stored record, it will eventually make healthcare management for patients and their doctors easier, safer and could be life-saving in the event of an emergency. We have all been to the GP for a check-up where we get asked the same questions we were asked last time, “Do you have any allergies?” or “What medicines are you taking?”. Imagine where GP’s have access to this level of information immediately, especially in emergency situations where you may be unconscious or unaware of your surroundings.

Why are so many Australians opting out?

Connected to the MyHealth Record system will be almost 6 million people, 13,000 health professionals and around 6,500 GP’s. But that’s where the problem starts. “The edge”, which is the term given to the users and devices that access the system creates an enormous attack surface and the information could be easily hacked. A third of all data breaches globally relate to health data, with Anthem Blue Cross being the largest breach back in 2015 when almost 80 million patient records were stolen including names, addresses, social security numbers and insurance information. We also had the WannaCry ransomware attack last year where National Health System computers in the UK were encrypted causing appointments to be cancelled and surgeries delayed.

More recently hackers stole health records of 1.5 million Singaporeans including Prime Minister Lee Hsien Loong in the city-state’s biggest ever data breach.

Closer to home and since the Notifiable Data Breach scheme came into effect in February, almost 50 disclosures have been from healthcare, making it the biggest target of hackers in Australia. As well as getting access to names, date of birth and address information, hackers can also get access to someone’s prescription history, blood type and medical conditions making the data more valuable on the dark web than credit card information.

How healthcare professionals can ensure data is kept safe

Now back to the MyHealth Record system, Health Minister Greg Hunt said "it's arguably the world's leading and most secure medical information system at any national level". The problem is not the system itself, it’s the fact that healthcare workers are not trained in cybersecurity best practices and is common to have information on shared systems with generic credentials. Even with individuals having separate systems and passwords, again it’s common for passwords to be easily guessed, even written down on a post-it-note attached to the device. It’s also common for systems to remain unlocked throughout the day to make it easy to get to the information when it’s needed.

Is there a solution to this? You could make sure that all your systems are up to date on system patches and that you have a patch strategy to make sure you stay protected. You could also deploy an application whitelisting technology to make sure that when a GP clicks on that attachment within email that says ‘Test results’ that the associated ransomware can’t execute locally and infect the machine. You also need to have a security awareness program to continually reinforce the threats of cyber-attacks which may also help. The problem is that the surface attack is so vast that it’s going to be almost impossible to protect all 13,000 healthcare individuals accessing the system, and for that reason I think it’s only a matter of time before a breach on the system occurs.

Reduce the Risk of Human Error Through Automation

Fri, 20 Apr 2018 01:24:16 Z

A number of years ago, approximately one month after leaving a previous organisation I worked for, I received an email from the HR department with an excel spreadsheet attached that contained the sales plans and compensation for the entire local sales team in the Australia and New Zealand office. Apparently I had the same first name as the intended recipient and as I had been in conversation with the HR team based around my departure. As that person started typing in the “‘To” field, my name popped up and I was selected as the recipient by mistake.

Having experienced firsthand how easy it is for a simple typo to cause the leakage of valuable information, I can understand how over half of the reported breaches under the new Australian Notifiable Data breach act were the fault of human error. The statistics for January-March show that approximately 51 percent of breaches reported in the Notifiable Data breach were as a result of human error. This is still less than the global average reported by the Ponemon Institute for 2017 which reported that nearly 70 percent of compromised records last year was the result of human error.

What are the main causes of a data breach?

Common errors are the misconfiguration of a database or an error in the way a cloud server has been provisioned which can lead to much bigger data breaches than an actual cyber intrusion. Also a common misconception is with cloud security. Moving your data to the cloud doesn’t actually mean it’s any more or less secure than it was if you kept it in house, and it’s not Microsoft or Amazons responsibility to secure your data, it’s yours.

Users make mistakes, and due to any number of reasons such as working double shifts in a hospital, working over the weekend at the office getting that project done while keeping an eye on the sports game or just trying to multi-task to get more done, there is a chance that you can forget to do something that results in some form of data loss.

How to reduce data breaches caused by human error

There are a few simple ways to help reduce the amount of ways human error can lead to the exposure of data records. One of those is through automation, especially around cloud provisioning or database configurations. By using run book automation and removing the human involvement in these two areas, you can greatly reduce the chances of error as the same rules are being applied time after time. IT personnel no longer have to manually configure something on local or cloud provisioned systems.

The same concept of automation applies to patch management , which can be the result of a human error during a patch cycle, but can lead to malicious attacks as important patches either aren’t applied or configured correctly leaving holes in your network ready for attackers to exploit. Automation can help with this by taking the vulnerability scanning, and patch deployment tasks away from the IT person and letting them run in an automated and controlled fashion.

By using automation. you also get the added benefits of time savings and increased security. You no longer have to work those extra hours doing the same tasks over and over plus the organization improves its security posture by knowing that tried and tested provisioning steps, configurations or patch steps are being carried out on time.

For information on how Ivanti can help you automate your infrastructure, click here.