Department of Health’s site and data security

April 7, 2016 |

The new E health records system is attracting considerable attention…of the unwanted kind as the model switches from an opt in to an opt out system.  The latest development is the poor data security in the opt out page.  As in it was not encrypted.  Hard to believe but true.

This development is covered by crikey in ‘Sure you can opt out of giving govt your info — by giving govt your info’.  The article sets out in detail how poorly designed the E Health system is.  There will no doubt be more coverage on this issue.

The article provides:

The Department of Health does not seem to know a lot about online security.
Not super keen on the government storing all of your personal information in its e-health system? No problemo, just provide the government with all of your personal information?—?on an unencrypted website.
Or at least that was the plan, until those meddling kids on Twitter shamed the government into encrypting the site?—?badly at first, and then finally up to proper standard.
Late last year, Health Minister Sussan Ley announced an overhaul of the e-health record system. Patients would be automatically signed up to the record system unless they specifically requested not to be included. At the start of this year, the Department of Health with the Department of Human Services began its trial in north Queensland and western Sydney for about 1 million patients, which would cost about $41 million.
On Monday, Twitter user Geordie Guy posted that the opt-out page required those opposed to the government storing identity information about them to hand over identity information to the government, including driver’s licence, passport or immigration card, as well as name, date of birth and Medicare card number. Worse still, the form to opt out of the system was not encrypted, meaning that it could potentially be vulnerable to a security breach.
Within hours of the tweet, the Department of Health rectified the issue by adding encryption to the page?—?but was initially using weak encryption that resulted in the department being given an F rating on the SSL Labs site-security checking service. This was rectified overnight by changing to a different domain that now has an A-rating.
A spokesperson for the department claimed it was “an administrative error” to leave encryption off the opt-out page, and that, as a result of the issue, “additional checks will be added to the overall quality assurance processes to ensure that this cannot happen again”.
Security expert and the man behind the “Have I been pwned?“ website, Troy Hunt, told Crikey it was alarming that the page went up unencrypted in the first place.
“Clearly, something fundamental was amiss when a page requesting such sensitive information was stood up without any encryption. It’s alarming that this might happen in the first place, but at least they got onto it quickly.”
Information management specialist and the chair of the Australian Privacy Foundation’s health committee, Bernard Robertson-Dunn, said he was worried that it could even happen.
“This is an enterprise-class application. Have they never heard of System Development Life Cycle processes? Any important application development process, especially one that involves highly sensitive data like that on the opt-out page, should follow standard, well tried and practised processes. The worry from a professional IT development perspective is that this didn’t seem to have happened.”
He said encrypting all communications should have been part of the standard development process, and if it wasn’t specified in the development, or not tested, it indicated poor process, and potentially a result of inter-departmental collaboration between Health and Human Services on the trial.

“It shows very poor governance and project management. For Health to say that ‘additional checks will be added to the overall quality assurance processes to ensure that this cannot happen again’ indicates that they don’t properly understand quality system development. Quality needs to be built in to all processes, not just a check the end.”
Another potential issue facing the My Health Record website is that it is incompatible with up-to-date browsers for the consumer portal, while on the provider portal, Chrome and Mac are not supported at all.
The opt-out system is aimed at boosting enrolment in the e-health record system, which the government?—?under both Labor and Liberal?—?has spent more than $1 billion implementing, with just over 2.5 million patients registered. As of February there were 300 GPs using the system each week, with an average of 10,900 consumers accessing their records online each week. There are 74,805 “health summaries”?—?information on the health of a patient?—?uploaded to the system as of February 11.
The rebranding from Personally-Controlled E-Health Record under Labor to “My Health Record” under the Coalition was revealed to be $1.48 million, in a department response to a question on notice from the last round of Senate estimates hearings.

One Response to “Department of Health’s site and data security”

  1. Department of Health’s site and data security | Australian Law Blogs

    […] Department of Health’s site and data security […]

Leave a Reply