HOMEBUSINESSTECHNOLOGY
Is your health data safe as My Health Record hacking revealed
The attempted attack on My Health Record serves as a reminder that healthcare remains a key hunting ground for cyber criminals.
DAVID SWAN
5:18PM MAY 20, 20209
The government's My Health Record platform was the target of an attempted hack last year, Australia's national health information officer has revealed.
In a session of the Joint Committee on Public Accounts and Audit on Tuesday, Australian Digital Health Agency (ADHA) CIO Ronan O'Connor said that My Health Record had suffered two potential data breaches since July 2019, requiring it to notify the Office of the Australian Information Commissioner (OAIC).
"The first notification was reported to the OAIC and that was related to a potential compromise to external information technology infrastructures supporting the wider My Health Record system," Mr O'Connor said on Tuesday.
“Somebody tried to hack our system, so the external perimeter for our system. I want to assure the committee that there was no access into the My Health Record whatsoever. No information or personal sensitive information was accessed.”
Mr O'Connor added that neither the ADHA or the Australian Cyber Security Centre were able to determine who was behind the attempt.
“We don't have that level of information. We worked very closely with the ACSC and on that basis we don't know the actor in this instance,” he said.
The executive said that a second potential breach related to a state healthcare facility but that turned out to be a false alarm.
"They became aware their system had potentially been hacked, accessed without the healthcare recipient's authority. After investigations that were undertaken, it was confirmed that the individual whose record was accessed was indeed receiving healthcare at that facility at the time of access," he said. "So there was no compromise."
Australian Digital Health Agency interim CEO, Bettina McMahon, told The Australian that the health sector is not immune to cyber threats.
“We have a dedicated cyber security team that works with the Australian Cyber Security Centre to monitor and respond to threats. Together with the robust multi-tiered security controls in the My Health Record system, we are able to protect health information stored within the My Health Record system,” she said.
ADHA interim CEO Bettina McMahon. Source: Supplied.
“The system is built and tested to Australian government standards to protect the confidentiality, integrity, and availability of the health records so that Australians can receive the highest quality digital health services that also meet the highest security requirements in the health sector.
“We reported this matter to the OAIC, consistent with our legislative requirements and our commitment to transparency in protecting the health information that we are responsible for managing.”
Download the app
The news comes as the government moves to encourage Australians to download its COVIDSafe application, which to date has had nearly 6 million downloads.
As The Australian reported on Wednesday, Australia’s healthcare sector lags other markets for cyber security preparedness, with a cyber maturity score of 0.96 — compared to the 1.12 global average.
"Australia’s healthcare sector has a big reliance on legacy systems. The current challenge of keeping networks safe is being compounded by legacy systems that lack basic cybersecurity controls," NTT executive John Karabin told The Australian.
"Also, the addition of medical devices that connect to the network without strong security controls compounds the problem. The rise of Medical IoT and the concentration of sensitive personally identifiable information, is becoming an attractive target for adversaries looking to profit from the health industry."
Information hunting ground
Michael Warnock, head of growth APAC at cyber security specialist SecureAuth said the attempted attack on My Health Record serves as a reminder that healthcare remains a key hunting ground for cyber criminals.
"With the heightened operational pressures associated with the current pandemic, the cost and potential consequences of any down time magnifies greatly," he said.
"The positive message here is the agency has invested to build an operating cadence around the Australian Signals Directorate's Essential Eight, which for many agencies still remains aspirational, as highlighted by the ASD earlier this year.”
Mr Warnock said as more and more organisations digitally transform, the notion of geography as a defence becomes less and less relevant; organisations can be a victim of attackers based all over the world.
"In the majority of cases, this type of attack is emanating from beyond our shores and as Australia continues to drive a narrative on the world stage, it is only likely to increase our exposure to retaliatory attacks," he said.
"In the case of My Health Record, the perimeter has been targeted. As organisations increasingly move towards working from home the message needs to hit home: there is no longer a perimeter and organisations must revisit their cyber resiliency."
DAVID SWANTECHNOLOGY EDITOR
David Swan is Technology Editor for The Australian. With deep experience across start-ups, business and tech David is uniquely positioned to cover Australia’s fast-growing technology ecosystem and how it’s chan... Read more