Unsuccessful Implementation of the Principle of Least Privilege Looms Over Australia's My Health Record Data Crisis

There is 'no meat in the argument' when it is said that the sole aim of creating digital medical records of the citizens is to ensure that the stored data is only used for educational, clinical and administrative purposes. Whereas the truth is that, a lot of these digital medical records also known as My Health Record Data here in Australia is spilled over everywhere raising an array of privacy concerns among the users. 

Dr. Steve Hambleton from the Australian Digital Health Agency (ADHA) has been repeatedly assuring that they follow strict security safeguards.  However, the recent case of HealthEngine—a booking app service that allows its users to book appointments with doctors, has been allegedly involved in sharing digital medical records with third parties. After the matter was brought into the limelight, Health Minister Greg Hunt has formulated a commission to probe the breach and an ''urgent review'' of the situation has been ordered.  

Lesson Learnt: Successful Implementation of the Principle of Least Privileges

The first step towards securing sensitive data has to do with the fundamental theory of promoting minimal user profile privileges to the database. In the case of My Health Record leak, the sole aim of having a digital health record was to use the data mainly for administrative, educational and clinical purpose. However, it has been revealed that HealthEngine app that partnered with Australian Digital Health Agency (ADHA) leaked out the patient health data of several Australian citizens with compensation lawyers. This helped law firms to generate relevant leads. 

According to information security experts, there is a major flaw in the system when the medical history and ongoing treatment details of patients are made available to multiple medical practitioners. Having the data open to all practitioners also leaves it open to abuse and increases the risk of the database being hacked.  

Speaking about the violation of basic information security principles that affected privacy of patients in the My Health Record case, David Cake, Chair at Electronic Frontiers Australia (EFA) said,  

"It is not just a violation of the principle of Least privilege, a sound engineering principle to design secure system, but when dealing with personal data, and few things are more potentially personal than health information, there is the closely related principle of privacy by design. When the defaults are set to sharing your private data, in many cases without controls beyond very broad agency levels, and your only option is a poorly designed, poorly responsive, opt-out process that in many cases may not fully opt you out, you know that neither security or privacy were considered through-out the design process as they should be. The government should be setting the example in security and privacy as priorities, but here they come across as an afterthought." 

The system that holds the digital medical records hosted by the Australian Digital Health Agency (ADHA) must have a default functionality that enables user's health data to be shared only with the medical practitioner over looking the patient. However, in the present scenario if the user doesn't assign who has access to his/her data then the system shares the data to all practitioners by default. 

Understanding the Principle of Least Privilege—A Great information Security Lesson for Australian Small & Medium Enterprises 

Australian SMEs must build up a strategy that limits access only to what is essential. The principle of least privilege must be adhered here. What needs to be focused upon is granting only a few permissions required for the performance of a task.  

Ensuring minimal permissions assigned to a user ensures strict restrictions on what users are not authorized to do. SMEs must concentrate on leveraging privileges on their networking systems to the extent that just enough access is provided to the users to achieve their objectives without compromising security and privacy.

Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.

Date Published
July 18, 2018