[LINK] Hacking of medical records

[Tom Worthington]

ABC Radio South East is going to interview me at 8:46am Wednesday, about 
the hacking of medical records. According to the report "hackers" have 
demanded $4,000 to restore the records of a medical centre: 
http://www.abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676

I did not pay much attention when I first heard the story as it sounded 
like the usual scare story issued by anti-virus software companies to 
promote their products. The ransom amount sounds too low to be credible. 
Also even if the medical practice paid the ransom, there is no way they 
could rely on the records being intact and unaltered.

The obvious reaction to such a story would be to call for medical 
records to be stored offline, on a server not connected to the Internet. 
But Australian state and federal governments are spending billions of 
dollars on ehealth to put records 
online:http://www.tomw.net.au/blog/2008/11/open-source-for-australian-e-health.html

These online systems are intended to no only reduce costs, but 
impressive health, by providing a consolidated and more accurate medical 
record to all of a patients heath care providers. Speaking from 
experience, when you are lying semi-conscious in an intensive care ward 
of a hospital being asked about your medical history you would welcome 
an online record the doctor could access, so they could get on with 
treating you urgently: 
http://blog.tomw.net.au/2008/11/canberra-health-system-first-hand.html

Some guides and standards for cloud use, such as AGIOM's "Privacy and 
Cloud Computing for Australian Government Agencies Better Practice 
Guide" and  IITP's "Cloud Computing Code of Practice" are discussed in 
my presentation "Records in the Cloud?" for the For Transitioning to 
Digital Recordkeeping, conference this year: 
http://www.tomw.net.au/technology/it/cloud_records_management/

Medical centres should have good internal security procedures (attack by 
an employee still remains the biggest threat to an organisation, rather 
than attack from outside), as well as  securing their computer systems, 
using anti-virus software and having a firewall separating the internal 
system from the Internet. Small medical practices might be better off 
with cloud based outsourced services run by companies with the required 
expertise, rather than relying on locally run and maintained systems.

The Australian Computer Society was assisting the Austrlaian Government 
to prepare a Cyber Security White Paper, which was to be released in 
early 2012. I helped prepare the ACS Submission for the Australian Cyber 
Policy White Paper.Unfortunately the Department of Prime Minister and 
Cabinet then canceled the white paper. Perhaps this needs to be renewed: 
http://www.acs.org.au/index.cfm?action=show&conID=201111160944455149


-- 
Tom Worthington FACS CP, TomW Communications Pty Ltd. t: 0419496150
PO Box 13, Belconnen ACT 2617, Australia  http://www.tomw.net.au
Liability limited by a scheme approved under Professional Standards
Legislation

Adjunct Lecturer, Research School of Computer Science,
Australian National University http://cs.anu.edu.au/courses/COMP7310/