More follow up from the Senate Enquiry: Security
Mar 8, 2012
h/t to Bridget Kirkham from MSIA for pointing out an amazing submission to the Senate enquiry into the pcEHR from AusCERT:
The inclusion of personal identifying information (PII) in the form of PCEHR to be accessible from personal computers over the Internet which are easily compromised, is compounding a problem that has been progressively getting worse over several years and will expose more Australians to fraud and identity theft.
The AusCERT argument is simple:
- The PCEHR is claimed to be a secure system
- But people will access it from their own computers
- People’s own computers are hopelessly compromised
- Criminals use compromised computers to gain access to Personal Identifying Information and access credentials
- End-users can’t manage this
- a breach of PCEHR confidentiality can’t be repaired, as a bank account breach can be
All of that is quite true. But what AusCERT don’t do is come to any conclusion. The logical conclusion is that we can’t give users access to their own records, though they don’t say that. They also raise some vague and ill-defined concern about prescriptions, without postulating any attack vector that makes sense. I guess that free speech is, well, free.
AusCERT don’t differentiate between the three different breaches that they raise as possibilities:
- personal identifying information (PII)
- access tokens
- health records
With regard to personal identifying information, it’s not clear to me why access to an individual’s PII via the PCEHR is at all relevant, given that there are so many other rich sources of PII scattered around their computer, and all over the cloud. I suppose there’s an argument that an individual’s health record will contain more dependable PII than other sources, but I doubt that the percentage difference matters given the overall signal-to-noise ratio of that kind of data for the criminals. After reading what AusCERT wrote, I wondered whether they carry PII on their body: what’s to stop someone knocking them down and stealing it from them? How do they plan to prevent that?
As for access tokens, the only access token that a person may have for the PCEHR is the access token for the PCEHR itself, which is given to healthcare professionals to grant access to the record (if the patient wishes for this). I don’t see how stealing either this or a person’s health records makes sense in the general criminal sense. Some mafioso in Kazakhstan gets my latest radiology report… what are they going to do with it? It’s only of interest when it’s a targeted personal attack. And if that attacker has already gained access to an individual’s computer, how significant will the breach of the PCEHR itself be compared to everything else?
AusCERT do briefly mention the possibility that the person’s health data itself may be damaged, but in raising this prospect they miss the fact that the system is already designed to prevent that, precisely because the patient might decide to try it on their own account.
Finally, AusCERT don’t say what to do. Is it their contention that access to the PCEHR should be confined to the new iPad (gratuitous mention), since they are the only secure computing platform available to the public? (I don’t count iPhone as a computing platform, and I doubt the iPad is actually secure or will stay that way, but it’s the nearest).
Secure computers aren’t so useful. Nor are secure lives. We’re just going to have to figure out how to mitigate the damages (mitigating the risk of someone fraudulently impersonating a person using widely available data would be a good place to start).