CIO

Telstra on defensive as reverse-engineering of Medicare data highlights healthcare-security risks

Submissions caution against putting private healthcare data into hands of profit-minded outsourcer

The security of Australians' healthcare information came under the spotlight after the federal Department of Health pulled a massive dataset of Medicare-related information and Telstra faced concerns it lacks the cybersecurity credentials to support a major contract it was awarded earlier this year.

A massive deidentified data set was released earlier this year to give data researchers fodder to analyse prescribing and service consumption patterns through the Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Scheme (MBS) programs, which are administered by the department on behalf of every Australian citizen.

Patient and provider ID numbers were encrypted using original PIN and ID numbers as the seeds, but a University of Melbourne research team – featuring cryptography experts Dr Vanessa Teague, Dr Christopher Culnane, and Dr Benjamin Rubinstein of the university's Department of Computing and Information Systems – raised the alarm this week after working through 10 percent of the data and finding that it was possible to decrypt some of the service provider identification numbers.

“The dataset does not include names or addresses of service providers and no patient information was identified,” the department said in a statement on the matter that noted the department had pulled the data set and would be undertaking a “full, independent audit of the process of compiling, reviewing and publishing this data”. The data set would only be restored “when concerns about its potential vulnerabilities are resolved,” the department said.

The findings have raised concerns at the Office of the Australian Information Commissioner (OAIC), where Australian privacy commissioner Timothy Pilgrim said in a statement that he had opened an investigation into the issue that would assess the adequacy of departmental processes for deidentifying information before it is published.

Although the Department of Health was quick to point out that no confidential healthcare information had been compromised, such incidents highlight ongoing concerns around the industry's ability to securely aggregate healthcare information. Telstra faced similar concerns this week as it fronted a Parliamentary inquiry into the awarding of a $220m cancer-screening register contract earlier this year.

The win – which is to be enabled by the National Cancer Screening Register Bill 2016 – was a coup for the company's Telstra Health subsidiary, which was founded in 2013 as a standalone business unit and acquired several companies to bolster its capabilities in digital healthcare management.

The company's for-profit nature and relative inexperience in handling such sensitive data raised concerns across the healthcare fraternity, which addressed data security as a key concern around the registry in the 23 submissions received to date.

Noting “a lack of transparency around the process for awarding this contract” – particularly to an organisation with no experience in operating “registries of this kind” – the Australian Medical Association said in its submission to the inquiry that it “would be more comfortable” if the registry were operated by government, a tertiary institution, or not-for-profit entity “that has little interest in how the data in the register might otherwise be used”.

Security advocates have echoed their concerns about the choice of Telstra given its history of breaches like the one prosecuted by the OAIC in March 2014, or the December 2011 breach in which the company published the personal information of around 734,000 customers online.

The OAIC flagged concerns about the security of register data in its submission to the Parliamentary inquiry, which noted that the wording of the bill appears “to authorise the use of personal information in the Register for research purposes without specifically requiring compliance with” Privacy Act controls around the use of healthcare data for research.

The OAIC submission also postulated that additional controls – including mandatory rules around reporting and handling of data breaches – might need to be applied to the arrangement “since the collection and retention of large amounts of sensitive health information in a centralised database can pose a number of security and privacy risks, particularly if the database can be accessed from many access points”.

Pathology Australia noted in its submission that the for-profit nature of Telstra Health “does not exempt them from the privacy and legislative requirements for the implementation” of the registry. Data breaches – of which “human nature would expect there to be a small number” – should be headed off with a “stronger deterrence effect” as well as penalties for a breach that are “appropriate and of a significant amount”.

Other submissions echoed similar themes, with expectations of strong controls around the privacy of personal data and promotion of strong penalties and reporting requirements around breaches of the register that might occur.

Healthcare information remains a major target for data thieves, with recent half-year figures from security firm Gemalto's Breach Level Index suggesting that healthcare organisations account for 27 percent of all data breaches globally and 5 percent of all records stolen. This was up 25 percent over the previous six months, with some 64 percent of data breaches involving identity and personal data theft, the report warned.

Other recent Gemalto research found that 69 percent of surveyed organisations said they weren't confident their organisation's data would be secure if their perimeter security was breached.