Australia's Digital Health Records System Was AttackedOfficials Says Attacker Did Not Access Health or Personal Information
Australia’s digital healthcare records system was subject to an attack within the last year, but no access to records was gained, according to a government official who testified to Parliament this week on cyber resiliency.
The incident was reported to the Office of the Australian Information Commissioner, the regulator that deals with data breaches, says Ronan O’Connor, who is National Health CIO.
O’Connor oversees My Health Record, Australia’s digital medical records project that's administered by the Australian Digital Health Agency. He spoke on Tuesday to the Parliament’s Joint Committee of Public Accounts and Audit, which is holding hearings on the cyber resilience of government agencies.
“Somebody tried to hack our system - the external perimeter of our system,” O’Connor said, according to a transcript. “I want to assure the committee that there was no access into the My Health Record in any way whatsoever. No health information or personal sensitive information was accessed.”
O’Connor said the ADHA’s monitoring tools detected a potential vulnerability. The ADHA was unable to identify the attacker, he said.
The Joint Committee of Public Accounts and Audit’s hearing is a follow-up to a report released last November by Australian National Audit Office into My Health Record (see: Auditor: Australia's Digital Health Records Need Improvement).
At least 90 percent of Australians have a digital health record. The records initiative, which started about eight years ago, has been marked by a series of missteps and concerns over privacy.
Initially, low numbers of people chose to create a My Health Record. The government pivoted and created one for everyone but allowed individuals to opt out. But the plan was dogged by questions, including how law enforcement could gain access to records, data retention policies and whether health records could be used for commercial purposes.
Eventually, Parliament passed a series of privacy changes designed to satisfy critics, allowing people to permanently delete their record, modifying retention policies and clarifying law enforcement access (see: My Health Record Changes: Too Little, Too Late?).
My Health Record has security controls to restrict access to patients’ records, but for maximum security, patients need to utilize those controls themselves. The controls include personal access codes that a patient can divulge to a care provider and granular control over who is allowed to access individual medical files.
But in an emergency situation where a patient can’t turn over their access code, it is possible for health authorities to override the controls. Because medical records are highly personal and sought after by hackers, the ADHA closely monitors the network for suspicious actions.
“This monitoring of activity includes system-to-system activity in relation to endpoints,” O’Connor told the committee. “All traffic to and from the My Health Record system is monitored and, if there is any unusual behavior or activity, we have the opportunity to notify that organization. In instances where we have particular concern, we can suspend access from that organization to the My Health Record system.”
The November audit concluded that the privacy risks around the program’s core IT infrastructure were largely well managed, but the management of shared cybersecurity risks was not.
For example, shared risks include the more than 16,000 health care providers across Australia that have access to records. The audit report noted that not all healthcare providers had reached minimum cybersecurity benchmarks. The ADHA says that’s a work in progress.
“We acknowledge that there is variability in the security standards that apply across the health sector in Australia,” said Bettina McMahon, acting CEO for the ADHA, during the hearing. “Some systems have very high standards, and then some less so.
Officials also acknowledged that there are a broad range of actors targeting Australia’s health sector, including a rise since the onset of the COVID-19 pandemic. That has included COVID-19 themed social engineering attempts, O’Connor told the committee.