After Optus and Medibank, could your My Health Record be hacked next?

Health service providers accounted for the highest number of data breaches - 20 per cent - reported in the last six months, according to the Office of the Australian Information Commissioner.

There are concerns health data held by government agencies could also be at risk, including the My Health Record profiles held by 23.4 million Australians.

Key Points
  • Cybersecurity experts say Australians' health data remains a key target for hackers.
  • Online health database My Health Record remains vulnerable, experts say.
  • Australia should consider strengthening data protection for consumers, one expert said.

Cybersecurity and privacy experts are warning the health data of Australians remains a target of hackers, even more so after the .

The data breach of the country's biggest private health insurer exposed the health records of 9.7 million Australians - 40 per cent of the population.

And it's raised concerns about another cache of health data: My Health Record.

Are there concerns about a My Health Record hack?

David Vaile, chair of the Australian Privacy Foundation, said there was potential My Health Record could be subject to a "massive data breach".

"The security model for My Health Record is appalling. I've been monitoring it and trying to engage with this discussion, you know, wearing several hats over about 10 or 15 years.

"They ended up with something [a system] that gives default access to probably hundreds of thousands of people," he told SBS News.

The system was designed to ease access to patient information among clinicians, but this is a weakness from a cybersecurity perspective.

"At one stage in the debate on the early iteration of the My Health Record, the estimates were in the range of 700,000 to 1.1 million Australians with potential access to the My Health Record."

Established in 2012 by the federal government, the database contains the profiles of more than 23.4 million Australians with information including specialist reports, test results, prescriptions, dental records, billing details, and notes on symptoms and diagnoses.

The Australian Digital Health Agency, which manages the platform, says 90 per cent of Australians have a My Health Record profile, with a large boost in numbers during the pandemic when people acquired COVID-19 vaccination certificates.

The My Health Record system became when it switched over to an opt-out system in 2019 with short notice.

Dr David Glance, director of the Centre for Software Practice at the University of Western Australia, said the security infrastructure for My Health Record is robust, but another factor to consider is how much information is contained in the profiles.

"My Health Record isn't exactly heavily used, despite all the attempts by the government to make it something useful. The amount of information in there is somewhat limited [for a number of individuals, including myself], and certainly would be less problematic than Medibank, for example, who have all the claims data and data about mental health and abortion procedures and other things."

Questions remain over how frequently the system is being used by Australians and clinicians.

A found that among 88 pharmacists and physicians, half had used My Health Record at least once, but barriers to its use remain, including an "outdated content, a lack of trust, a low perception of value, no patient record and multiple medical record systems".

What would happen in the event of a hack?

Cybersecurity experts say the extortion potential of the information is what hackers target to keep their criminal operation going - with the dark web and cryptocurrency fuelling the activity.

Dr Suelette Dreyfus, a digital security and privacy expert at the University of Melbourne, said there is no evidence to suggest a cyber attack on My Health Record is imminent, but that a proactive plan is necessary for all groups holding health data.

"The health area has to be much more serious about upping its cybersecurity game to protect health records."

She said the July 2018 attack on Singapore's largest healthcare group, SingHealth, demonstrates the end goal and tactics of hackers seeking sensitive health data.
The cyber attack exposed the data of 1.5 million patients, including Prime Minister Lee Hsien Loong.

"What was interesting about that hack is that the forensic teams found the hackers actually specifically targeted the records of powerful politicians and ministers," Dr Dreyfus said.

"Imagine if you knew (and it wasn't known to the public) that a prime minister had a terminal disease and wasn't going to probably live more than two or three years ... that would be incredibly valuable information to other nation states leaders, but also potentially to markets or companies that might be making decisions about investments."

What is the government doing about it?

The federal government agency that manages My Health Record said a new review of the cybersecurity risks was conducted after the recent Medibank hack, in September and Medicare exposure in 2020.

"In light of these breaches, the agency reviewed relevant identification processes to continue to ensure that only authorised persons can access a My Health Record," the Australian Digital Health Agency said in a statement.

The agency said progress had been made to improve the cybersecurity vulnerabilities highlighted by the Australian National Audit Office (ANAO) in a 2019 report that found "management of shared cyber security risks was not appropriate and should be improved".

The OAIC has produced a with tips on protecting your My Health Record, which can be found .

Published 2 December 2022 6:16am
Updated 2 December 2022 8:21am
By Biwa Kwan
Source: SBS News