Why the Medicare information leak should be taken seriously
The reported availability of Medicare card information on the dark web on Tuesday morning was responded to swiftly by the federal government, with Minister for Human Services Alan Tudge issuing a statement that said the issue was being taken seriously.
However, Tudge commented that the only information available was a Medicare card number, and said the information available was not sufficient to access any personal health record.
Speaking with ZDNet, Trent Yarwood, a member of the leadership team at Australian advisory firm Future Wise, said it is not necessarily this individual breach that's the issue.
"It's the fact that it's putting another piece of information about people out there that can then be combined with all these other sources and potentially used to either commit identity fraud or to get more specific personal information about people," Yarwood explained.
"For people like Alan Tudge to say there is no data security issue is obviously incorrect and I think reflects a very poor understanding of what the power of these sorts of linked datasets is."
In September, the Department of Health said it had pulled a public dataset from data.gov.au after it was revealed that certain information regarding the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme was not encrypted properly.
Health said in a statement that the decision to remove the dataset containing de-identified medical data it released in August came after the department was alerted by a team of researchers at Melbourne University, led by Dr Vanessa Teague, that it was possible to decrypt some service provider identification numbers from the data openly available to them.
At the time, former Minister for Health Sussan Ley apologised for the breach, reaffirming that no patient information had been compromised in the process. She also pointed to Australian Attorney-General George Brandis' Privacy Act amendment, saying the government had worked swiftly to tighten privacy laws and make it illegal to re-identify de-identified government data.
"Once a data breach has happened, you don't get your privacy back by throwing the book at someone," Yarwood said of Brandis' legislation. "It's fine to have these penalties as a deterrent, and it might stop some people, but it doesn't give back the privacy that those people who have been subject to the breach have lost.
"If we're really serious about protecting people's personal information, we should be trying to put more front-end solutions in, rather than using a big stick after it's already happened."
Of key concern to Yarwood is how easy it could be for someone to simply cold-call a Medicare information line seeking further information on a patient, as a Medicare card is a valid form of identification for many services in Australia.
"It's a valid form of identification so the potential to actually be able to use that data to then go on and then apply other details -- it's the ability to be able to link all this stuff together," he explained, pointing to the accidental release of a 1.74GB MySQL database backup containing 1.3 million rows and 647 different tables from the Australian Red Cross last year. "It's an amazingly intrusive level of detail on people's lives that could be reassembled."
Yarwood concedes there is no silver bullet solution for how to handle citizen data, noting that public data and linked data has the potential to create significant health benefits. He also said, however, there is a trade-off when it comes to privacy.
"I think [collecting information] is a very complicated problem and the government hasn't exactly shown an enormous amount of confidence in managing large-scale IT projects," Yarwood added.
With a background in healthcare, Yarwood feels the biggest problem with health IT is that "most healthcare workers don't get computers and most IT geeks don't get healthcare".
"There's this fundamental disconnect between what healthcare workers understand and what they need out of their computer system, and then what IT security people want and need," he said, pointing to WannaCry, and noted that it isn't always easy to constantly patch in an emergency medical environment where patients are requiring equipment to be always-on.
"In general, there needs to be more thinking about the information security issues before this sort of stuff happens, rather than just reactionary ... and passing laws."
According to Yarwood, it's the role of government to set where the slider between obtaining information and protecting it should be, rather than where they currently sit in between doctors and security folk.
"This is part of what the problem with MyHealthRecord is ... it's a camel by committee that everybody hates because the privacy people think it's not private enough and the doctors think is crap because patients can selectively leave things out. That's potentially clinically dangerous," he explained.
"There's no right answer, but someone has to be the person who's responsible for making that decision and I honestly don't think based on the information that we can see that the government understands the issues well enough to do that."
Noting again the government's poor track record in handling large-scale IT projects, Yarwood is of the opinion that there is a role for the public sector to be involved, noting the private sector is usually driven by cost considerations.
"At least the government can potentially be able to justify more expenditure to keep things in-house to make it more secure," he concluded.