Manage My Health ignored warning about lax security system - cyber-security expert - ArkforgeAI.com

Photo: RNZ / Finn Blackwell Cyber-security expert says Manage My Health ignored warning about lax security two years ago Experts criticise "high trust" system of self-regulation Lack of government regulation is result of industry lobbying against "red tape" - political pundit Digital Health Association says "stronger penalties alone" won't stop breaches and what matters most is having a clear, consistent regulatory framework Health NZ considering independent testing of third-party services such as patient portals IT experts allege Manage My Health ignored warnings about vulnerabilities in its cyber-security for years - but the regulatory vacuum meant the company was not required to take action. About 127,000 New Zealanders have had their information stolen in the ransomware attack after hackers were apparently able to obtain a password giving them access to part of its database containing more than 430,000 documents. Auckland University cyber-security expert Dr Abhinav Chopra said he discovered the holes in Manage My Health's system two years ago when he was trying to find out why it was still holding onto his health records after his GP moved to a new provider. In an email to his GP, Manage My Health and eventually the Privacy Commission, he listed all the problems, including the lack of multi-factor authentication and the fact that multiple administrators had access to unencrypted files. "This is the same pattern. They should have invested. They've had two years and these are the exact same areas that have caused them the issue." The company did not respond to him, he said. Manage My Health has said it is required to hold onto patients' data - even if their GP switches provider - unless patients de-register themselves. However, Chopra believes Manage My Health could have another reason for holding onto patient records. Its own website proudly notes its database of "1.8 million Kiwis" and its ability to get its customers' message to them "when they're thinking about their health". "If this company did not have any commercial gains to make out of this data, then they would not be paying the extra storage costs for this data," Chopra said. Terms and conditions gave company an 'out' A Wellington IT worker caught up in the Manage My Health data breach - whom RNZ has agreed not to name - also questioned the lack of regulatory checks and balances. "Health services that have this information and these functions should be subject to the same scrutiny and compliance requirements and auditing as financial institutions. "If your banking app is down, it's a huge deal and it gets lots of scrutiny." However, Manage My Health's users could not say they were not warned, she said. "The irony is that I actually read their terms and conditions, and they haven't breached them because their entire terms of usage is they can't guarantee their system is any good or that they'll fix it, even if it's foreseeable and they know about it. "It's essentially, 'We can't guarantee our product doesn't suck, but here, give it a go'." Digital specialist Callum McMenamin (who also alerted Manage My Health to its security vulnerabilities six months ago) said the 300-page Health Information Security Framework contained many good things - but entirely relied on "hand-wavy" self-regulation. "It's all just a high trust system where the government sets the standards but then closes its eyes and doesn't check if the standards are actually being met." Industry has opposed regulation - commentator According to political analyst Bryce Edwards from The Democracy Project, the lack of regulatory oversight was "not an accident". The Digital Health Association - the industry body for health software vendors - had lobbied against what it called "overly burdensome privacy laws and regulation", he said. "They have time and time again asked government to keep the rules on privacy quite weak and relaxed so the companies that deal with data are not subject to too much of what they call 'red tape' or essentially costs on them." Successive governments had ignored warnings from three Privacy Commissioners over the last 15 years of the need for stronger penalties, like in Australia, where errant companies faced multi-million dollar fines, Edwards said. The Digital Health Association pushed for the repeal of the Therapeutic Product Act, which would've regulated software as a medical device with surveillance and penalties for non-compliance, he continued. "If you don't have these rules, if you don't have penalties for companies not looking after data, it means they can often be quite lax. They don't have good systems because they don't have those incentives." Industry group advocates for "better" legislation Digital Health Association chief executive Stella Ward said the organisation did not oppose the Therapeutic Products Act (TPA). "Across all our submissions and briefings, we repeatedly advocated for better regulation - not...

Manage My Health ignored warning about lax security system - cyber-security expert

Continue Reading on RNZ

How do you feel about this article?

📝 Article Information

Author

Original Publisher

Published Date

Disclaimer