MyHealth hacks mentioned
A federal agency has admitted MyHealth records have been targeted by hackers.
The Australian Digital Health Agency, which runs the MyHealth digital records system, says there were two potential data breaches this year, but claims no personal information was stolen.
The Australian Cyber Security Centre along with the Office of the Australian Information Commissioner were brought in to investigate the first hacking attempt.
“Somebody tried to hack our system, so the external perimeter of our system,” the agency's national health chief information officer Ronan O'Connor has told a parliamentary committee hearing.
“I want to assure the committee that there was no access into the MyHealth record in any way whatsoever, no health information or personal sensitive information was accessed.”
“In effect, it meant that our security monitoring tools identified a potential vulnerability in the system and as a consequence of that we notified the OAIC … and we also worked with the Australian Cyber Security Centre (ACSC) and on that basis they were happy … and there were no further investigations on that.”
The government has failed to identify who was behind the hack.
The second data breach was related to someone who was in fact receiving medical treatment at the facility involved.
“They became aware their system had potentially been hacked, accessed without the healthcare recipient's authority. After investigations that were undertaken, it was confirmed that the individual whose record was accessed was indeed receiving healthcare at that facility at the time of access,” Mr O'Connor explained.
“So there was no compromise.”
When asked about the security of My Health Record, Mr O'Connor said the system has “quite a comprehensive system for security monitoring” that employs specialist real-time monitoring tools to detect any anomalies in the system.
“This activity ranges from system to system activities, relating to endpoints … it monitors and if there's any sort of unusual behaviour or activity, we've got the ability to notify the organisation and in instances where we've got particular concern, we can suspend access to the My Health Record system itself. It's quite comprehensive,” he said.
“We have set up a dedicated cybersecurity centre within the agency.”