Online health records at risk from malware
- 25 August, 2011 20:34
AusCERT general manager Graham Ingram has questioned the wisdom of Australia's National E-Health Strategy plans to make medical records available online, pointing to the difficulty of securing end-users' computers.
"I do not believe that personal health records should be available over the internet to end machines until they can secure them," Ingram told the Security 2011 Expo and Conference in Sydney this week.
"If I had a machine in a Medicare office that I could go into that was dedicated to that function, I'd be happy with that. But popping on my home machine or the Qantas lounge and looking at my health records is not something that I am going to be ecstatic about."
Online banking led to phishing attacks, says Ingram, and that led in turn to more sophisticated malware that relied on social engineering techniques and thence to advanced persistent threats (APTs) or, as Ingram prefers to call them, covert enterprise intrusions (CEIs). He envisages the same evolution playing out in attacks on health records.
One scenario could be an attacker noting that someone's record lists a peanut allergy, and changing that entry.
"Maybe that's on the paranoia end, and maybe I've no reason to have that paranoia," Ingram said, but nevertheless he is concerned that it would be possible to view someone's health records through simple attacks.
"The e-health people say, 'No, our databases are secure.' That's not what I'm talking about. They don't seem to get that," Ingram said. "They seem to think that if we can secure the back-end databases they've secured the system. No you haven't."
According to Ingram, banks now assume that transactions might be compromised, and employ sophisticated algorithms to help detect and prevent fraud. This can include introducing delays in processing to allow time for investigation. That might not be as easy to do with health records, which might be acted upon in real-time emergencies, with potentially fatal consequences if mistakes are made.
"The successful attack is now almost guaranteed," Ingram said. "How do you then start to say, 'How can I reduce the damage from a successful attack? How can I detect it and mitigate it?'"
Contact Stilgherrian at stil@stilgherrian.com, or follow him on Twitter at @stilgherrian.