Australia’s medical records are proposed to go online in the form of personally controlled e-health records (PCEHR). But there has been much concern over the security of the personal information, which will be available online to potential hackers. We examine what it could mean for your identity and your credit file if your details were hacked.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.
Personally controlled e-health records are currently the subject of a Senate Inquiry, with submissions being made on the PCEHR Bills.
A few days ago, the computer emergency response team AusCERT expressed its grave concern over the introduction of an e-health system. It told the Senate Inquiry that PCEHR will be wide open to hacking.
The Australian covered this in its story ‘PCEHR open to hacking, says AusCert.’ An excerpt is below:
“The current proposal by the Australian government to provide PCEHR over the internet will allow for the exposure of these records to theft and compromise,” AusCERT warned.
“Online criminals have for many years been attacking PCs at work and home to gain access to the systems and data they desire.
“There is no reason to think criminals won’t actively target these computers specifically for the benefits they may provide once the PCEHR system goes live (on July 1).”
AusCERT said fraudsters will be only too keen to harvest “valuable” personal details including full names, dates of birth, current address and Medicare numbers.
AusCERT’s biggest concern is that the Federal Health Department cannot ensure the security of every computer using the system:
It notes that the federal Health department “is promoting the benefits of PCEHR over the internet on the basis that it will be secure”.
“These statements cannot be assured and are misleading,” it said. “If any end-user computer is already compromised by malicious software, the confidentiality of the PCEHR may be easily compromised…”
AusCERT said the department “appears to be focused on the security of the back-end systems” rather than the endpoint systems and software people will use to connect to the system.
“At best this is misleading and at worst it is a misrepresentation of the level of risk,” it said.
“The computer used to connect to the system can be anything from a smartphone, a home PC or laptop, an enterprise PC on a public or private network to a publicly used PC located in an internet kiosk or business lounge.
“Since 2003 these ‘consumer’ devices have been effectively targeted for compromise typically by criminals for the purpose of identity theft and fraud, with the end result being access to personal identifying information and access credentials stored or processed on these devices.
“If the computer has been compromised then it is impossible to protect the confidentiality of information.”
AusCERT put out some alarming statistics from an Australian Communications and Media Authority report from 2010. The ACMA found that some 25,000-30,000 computers are compromised in Australia every day; annually that equates to about 4 million PCs.
“Imagine if each of these computers had at least one user who had used it to access their PCEHR. That represents potentially millions of records compromised by online criminals.”
MyCRA has been watching the unfolding of PCEHR with interest. The security of personal information should be a topic argued over extensively in this way whenever personal information is transferred to any form of online setting, and we are glad to see AusCERT has made these concerns known.
In all instances it is important for all Australians to be aware that, when we improve access to personal information, we are not trading off the security of that information.
There is the danger of possible data breaches from within any company or organisation and, as AusCERT warned, of possible malicious hacking of personal computers. Both potentially compromise the personal information and the very identity of the consumers who use that service.
Criminals do target home computers – as the ACMA statistics reveal.
Sometimes fraudsters are lucky enough to gather enough information to assume someone else’s identity. Most times they can then go about taking out credit in the victim’s name, and most identity theft victims don’t even know about it until they attempt to take out credit in their own right and are refused due to a bad credit history they didn’t initiate.
The problems don’t stop there. The identity theft victim can be in a world of pain trying to recover their good name. Bad credit history is not easy for anyone to clear – let alone the identity theft victim, who would be required to produce police reports and other documentation to prove to creditors they are not responsible for the bad credit history.
The Government’s Stay Smart Online website offers some ways you can protect your home computer from being compromised by malicious software, or any kind of identity theft attempt. Here is their secure computing checklist:
1. Use only supported operating systems
Vendors, including Microsoft, stop supporting operating systems that become dated. New versions offer improved security. Third-party vendors, which make application software for these operating systems, also stop support of older versions.
2. Enable automatic updates of your operating system
Automatic updates install small corrections to the operating system. These corrections are known as patches and include security and functionality improvements. When you enable the automatic installation of the fixes, you reduce the chance of exposure to security threats.
3. Enable a limited-rights account for each user and use it for routine online activities such as browsing the web and reading email
It is important to use a limited account for daily tasks as many malware authors depend on users running administrator (or privileged user) default accounts.
Operating as a limited user greatly reduces the effectiveness of many types of malware but this does not mean limited users are protected from malware completely.
4. Install and update security software that provides functionality for antivirus and anti-spyware software and a personal firewall.
These products help prevent computers from infection by malware. Make sure that they are configured to update automatically. Do not install more than one product that duplicates any of these functions. Either install a product that combines these functions, or install separate products for each of these functions. For example, install a combined antivirus and anti-spyware product and a separate firewall product.
5. If using broadband, turn your computer off when not in use.
6. Secure your email software
One method of compromising your computer is via email. If you secure your email software, then you greatly reduce your chances of being compromised.
7. Secure your web browser
Another risk to your computer is during web browsing. If you secure your web browser, you can reduce the chance of your computer being compromised.
8. Do not click on links or open attachments in spam email or email that is otherwise suspicious.
If you, or someone you know, has been a victim of identity theft, it is important to check your credit file. This will determine whether you have bad credit history as a result of identity fraud. Contact MyCRA Credit Rating Repairs for help with your credit file, and repairing any bad credit history from identity theft.
PH tollfree 1300 667 218 or info@mycra.com.au or visit our website for more information www.mycra.com.au.
CIO recently featured some interesting comments from AusCERT general manager Graham Ingram on this matter in its story titled ‘Australians should not opt-in to e-health records: AusCERT’. Read more here:
http://www.cio.com.au/article/418324/australians_should_opt-in_e-health_records_auscert/
“You have to look at it in terms of the value of the transaction. If your electronic health records are lost to an online criminal gang, will the government pay you the value of that loss? And of course there’s no transaction.
“You can’t compensate someone for the loss of their personal information, this is the distinction. Comparing health records with banking transactions are not fair comparisons, it is apples and oranges.
“Once your identity has been stolen it can never be returned, it’s theirs to use for perpetuity and a lot of people don’t realise that… If you talk to people who have been the target of identity theft they will tell you what a miserable life they lead.”
Ingram said the ability to access personal e-health records at any time from anywhere was unnecessary and did not have enough advantages to make it worth the risk.