Government response to Medicare card data saga disappointing and messaging contemptible: Centre for Internet Safety

A propensity to spin messaging coupled with a lack of education in cybersecurity leaves the University of Canberra body disappointed in the Australian government and its ministers.
Written by Chris Duckett, Contributor

The Centre for Internet Safety (CIS) at the University of Canberra has slammed the government's response to revelations that Medicare card details of Australians were being traded on the dark web.

Writing to the Australian Senate Finance and Public Administration References Committee, CIS managing director Nigel Phair said the response from the Department of Human Services and its overseeing minister Alan Tudge was disappointing.

"The messaging was confusing and often contemptible," Phair wrote [PDF]. "Unfortunately we are plagued by a culture at all levels of government to 'spin' the message, including events related to cybersecurity.

"There is nothing good to come from this in the long term."

Phair said the use of language when communicating about information security incidents was crucial, and key to whether the response to incidents is deemed successful by the public. This was having an impact on the perception of the federal government's electronic My Health Record, which if was handled in the same manner by the government in the future, would result in Australians trusting it less, he said, and uptake of the record remaining slow.

"Until we reach a maturity where departmental and ministerial spokespersons are fully educated on cyber terminology; the broader online threat environment and its impact on public trust, safety and confidence; combined with a willingness to accept mistakes and inform citizens how they are being addressed then we will never move forward with full adoption of the My Health Record (and indeed many other government online service delivery projects)," Phair wrote.

The inquiry launched earlier this month is tasked with looking into "any failures in security and data protection" that allowed the July breach to happen, as well as whether there are any systemic issues in the Health Professional Online Services (HPOS) system, the implications for the My Health Record system, and the practices and proceedings surrounding the handling of Medicare information.

Working under the title of "Circumstances in which Australians' personal Medicare information has been compromised and made available for sale illegally on the 'dark web'", the committee is due to report by September 30.

The HPOS system is also being investigated by a panel made up of professor Peter Shergold, president of the Australian Medical Association Dr Michael Gannon, and president of the Royal Australian College of General Practitioners Dr Bastian Seidel. This panel is due to report by September 30 and will examine the balance between convenience and security.

HPOS is currently used 45,000 times daily and allows medical practitioners and health providers to look up Medicare details when a person does not have a Medicare card on them. The system has not been significantly changed since its introduction eight years ago, the government said previously.

In July, Tudge downplayed the cyber aspects of the data leak.

"The advice that I've received from the chief information officer in my department is that there has not been a cybersecurity breach of our systems as such, but rather it is more likely to have been a traditional criminal activity," he said at the time.

The minister said the department had referred the matter to the Australian Federal Police, and refused to comment on whether the information leak was a result of an employee with access to Medicare data selling the information.

Editorial standards