[LINK] The "health" record security model

Karl Auer kauer at biplane.com.au
Tue Nov 13 10:23:45 AEDT 2018

On Tue, 2018-11-13 at 09:32 +1100, Jim Birch wrote:
> What are your improved design elements?

How often do we have to point them out?

1: Uploaded documents should be inaccessible by default (except to the

2: The user should be able to upload any document.

3: The user should be able to permanently delete any document

4: Others should be unable to delete any document

5: People uploading or accessing documents should be individually

And these should be attributes of a coherent approach; I'm aware that
each has implications to be dealt with.

The legislative changes needed are huge, and even then cannot really
address the intractable problem of all this data being centralised.

> does that work?   These are your health records!  What are they going
> to do: send you spiteful emails about your arthritic elbow to make
> you vote liberal? Make the flu punishable with a two year jail
> term?  Please explain how that might work in actual harms and actual
> mechanisms.

There will be close to a million people with essentially anonymous
read/write access to this system. Systemic abuse is almost a certainty.
That means blackmail opportunities for a start. For Government abuse,
look no further than Alan Tudge using Centrelink information to attack
a citizen; and that was a pretty tame case.

In security, you don't fart about with what people *say* the system can
do, or what the system is *intended* to do. You look at what the system
CAN do, and plan around that.

Regards, K.

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
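The five design elements listed in the post (documents inaccessible by default, owner may upload, owner may permanently delete, nobody else may delete, every access attributed to an identified individual) are easy to state and easy to get wrong in code. The following is an added example, not code from the post or from any real health-record system: a minimal in-memory document store that enforces those rules and writes an audit record for every attempt, allowed or denied. All names (`DocumentStore`, `patient-1`, `clinician-9`) are hypothetical.

```python
"""Added example: deny-by-default document store with per-actor audit trail.
Hypothetical code illustrating the design elements in the post; not taken
from any real system. Actor names and document contents are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Document:
    owner: str
    content: bytes
    # Element 1: no reader has access unless the owner grants it explicitly.
    readers: Set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    # Element 5: every attempt is tied to an identified individual, and
    # denied attempts are recorded too so abuse is detectable, not silent.
    actor: str
    action: str
    doc_id: Optional[str]
    allowed: bool


class PermissionDenied(Exception):
    pass


class DocumentStore:
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._next_id = 1
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, doc_id: Optional[str], allowed: bool) -> None:
        self.audit.append(AuditEvent(actor, action, doc_id, allowed))

    def upload(self, actor: str, content: bytes) -> str:
        # Element 2: any identified user may upload; the uploader becomes owner.
        doc_id = f"doc-{self._next_id}"
        self._next_id += 1
        self._docs[doc_id] = Document(owner=actor, content=content)
        self._log(actor, "upload", doc_id, True)
        return doc_id

    def grant_read(self, actor: str, doc_id: str, grantee: str) -> None:
        # Only the owner can widen access; the default remains "nobody".
        doc = self._docs.get(doc_id)
        allowed = doc is not None and doc.owner == actor
        self._log(actor, f"grant:{grantee}", doc_id, allowed)
        if not allowed:
            raise PermissionDenied(f"{actor} may not grant access to {doc_id}")
        doc.readers.add(grantee)

    def read(self, actor: str, doc_id: str) -> bytes:
        doc = self._docs.get(doc_id)
        allowed = doc is not None and (actor == doc.owner or actor in doc.readers)
        self._log(actor, "read", doc_id, allowed)
        if not allowed:
            raise PermissionDenied(f"{actor} may not read {doc_id}")
        return doc.content

    def delete(self, actor: str, doc_id: str) -> None:
        # Elements 3 and 4: the owner may permanently delete; nobody else may.
        doc = self._docs.get(doc_id)
        allowed = doc is not None and actor == doc.owner
        self._log(actor, "delete", doc_id, allowed)
        if not allowed:
            raise PermissionDenied(f"{actor} may not delete {doc_id}")
        del self._docs[doc_id]

    def exists(self, doc_id: str) -> bool:
        return doc_id in self._docs


def run_scenario() -> dict:
    """Walk through the rules with constructed actors and return a summary."""
    store = DocumentStore()
    doc_id = store.upload("patient-1", b"constructed record contents")

    def attempt(fn, *args) -> bool:
        try:
            fn(*args)
            return True
        except PermissionDenied:
            return False

    clinician_read_before = attempt(store.read, "clinician-9", doc_id)      # denied
    store.grant_read("patient-1", doc_id, "clinician-9")                    # owner grants
    clinician_read_after = attempt(store.read, "clinician-9", doc_id)       # allowed
    clinician_delete = attempt(store.delete, "clinician-9", doc_id)         # denied
    owner_delete = attempt(store.delete, "patient-1", doc_id)               # allowed
    owner_read_after_delete = attempt(store.read, "patient-1", doc_id)      # gone

    return {
        "doc_id": doc_id,
        "clinician_read_before": clinician_read_before,
        "clinician_read_after": clinician_read_after,
        "clinician_delete": clinician_delete,
        "owner_delete": owner_delete,
        "owner_read_after_delete": owner_read_after_delete,
        "exists": store.exists(doc_id),
        "audit_events": len(store.audit),
        "denied_events": sum(1 for e in store.audit if not e.allowed),
        "audit": store.audit,
    }


if __name__ == "__main__":
    for event in run_scenario()["audit"]:
        print(f"{event.actor:12} {event.action:20} {event.doc_id} allowed={event.allowed}")
```

The point of logging the denied attempts alongside the allowed ones is the post's last paragraph: plan around what the system can do, not what it is meant to do. A store that only records successful reads tells you nothing about the near-million people probing for records they were never granted.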
