Thursday, 15 November 2018 09:58

Security expert says My Health Record a disaster waiting to happen

Santosh Devaraj: "The implications of a breach or misuse of medical information could be severe." Supplied

A provider of cyber security services to the government has spoken out about the weaknesses that dog the Federal Government's My Health Record system, claiming it cannot guarantee the privacy of sensitive Australian information.

Secure Logic chief executive Santosh Devaraj told iTWire there were serious concerns about the security and privacy principles which the My Health Record platform relied upon, as hundreds of thousands of medical practitioners would have access to the data.

And this would be with "limited access controls, including underage patients. This creates potential entry points for hackers which are subject to little-to-no security oversight", he said.

Devaraj, who earlier this month called for the government to put in place laws to make Internet of Things devices safer, said the existing MHR system had no reliable mechanism that would guarantee confidentiality and privacy of data.

"With the little-known ‘secondary use of data’ feature enabled by default, people cannot reliably manage their data use. Even when the data is anonymised, the opportunities for malicious re-identification are numerous, and the consequences could be catastrophic," he said.

My Health Record has been dogged by controversy due to its default policy of opting everybody in.

Said Devaraj: “The problem is amplified by the rapidly increasing number of IoT devices being used in the health industry, and the whole new array of attacks still to be detected. With IoT still being a largely unregulated area, medical practitioners cannot assure the integrity of the data. Even when a compromise is detected, it won’t be possible to validate if the data is genuine, and separate it from tampered records. We need effective regulatory initiatives from government addressing regulation, law, and educational aspects on the issue.”

The MHR system has also faced a row over privacy recently and the government has had to back down and change the laws governing release of data.

Devaraj said the opt-out nature was "not compatible with the opt-in nature of the Record Access Code – an optional recipient-controlled PIN which would restrict unauthorised access".

"Without having this access code as the default, most users will inadvertently leave their records exposed in the event of a breach in a single access point. Subsequently, a security failure in just one doctor’s office could provide unfettered access to the sensitive information of millions of Australians," he said.

“The implications of a breach or misuse of medical information could be severe – medical institutions have become among the most prized targets for local and international cyber criminals because of the value this data has for blackmailers and on the dark web. We’ve seen this play out in the recent hack of Singapore’s SingHealth database.”

In the incident he cited, Singapore's government health database was breached by attackers who stole the personal information of about 1.5 million people, with the data of Prime Minister Lee Hsien Loong specifically targeted.

“A blockchain-based platform could deliver on the dual goals of bringing healthcare into the digital age, while maintaining the security and privacy of Australians’ sensitive information," Devaraj said.

"However, under the current security regime, I would encourage Australians to opt out, and the government to extend the opt out period to ensure the public has made a properly informed choice about their participation."

Under pressure from the opposition Labor Party, the government has now extended the date for opting out to the end of January 2019.

“The introduction of tougher penalties for those who misuse the system is unlikely to provide a major deterrent to cyber criminals, particularly those based overseas and far away from the jurisdiction and reach of the Australian federal authorities," Devaraj said. "We need to be focused on preventive, rather than punitive, measures.”


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
