Sunday, January 25, 2026

David Farrar: The Manage my Health fiasco


As almost everyone knows, Manage my Health was hacked by someone seeking a $60,000 ransom in return for not releasing the hacked files, which appear to be uploaded health documents.

I don’t criticise MMH for being hacked. It is hard to be hack proof. There may be legitimate criticism for them not encrypting uploaded documents and/or not having multi-factor authentication.

What I find incredible is that it took them 10 days to e-mail users to tell them if they had been affected or not. And even worse, they got it wrong, and had to do a second lot of e-mails saying you haven’t been affected after all. I’m one of those who got both e-mails. And annoying because I’m overseas, MMH won’t even allow me to log in and see any details.

A well governed and managed health software company should have hacking as one of their major risks in their risk matrix, and they should have a detailed contingency plan setting out what to do if it happens. As far as I can tell, MMH were not prepared in any way, and had to be prompted by the Ministry of Health to call in external advisors to help them manage it.

The MMH software is pretty good. I can book GP appointments with it. I can see all my test results and vaccinations. I can see all the reports from specialists. I’m glad my GP uses them.

But software is only part of it. They need to also be well governed and managed for situations like what just happened. And the evidence to date is they have not been.

While personally I’m not worried if some hacker has the results of my shoulder and ankle ultrasounds and x-rays, there will be many people very concerned about their health records. Bryce Edwards made the point:

The potential harms are immense. Think about what’s in these files. Psychiatric diagnoses. Sexual health information. Details of domestic violence. Records of abortions. The intimate confessions people make to their doctors believing, as they should, that such information is sacrosanct.

People could be blackmailed over sensitive diagnoses or traumatic histories. Identities could be stolen. As one furious patient told RNZ, she is “one part terrified, one part really angry, like ragingly angry” that details of her past sexual assault – secrets she hasn’t even told some family members – might be made public. This isn’t just a bureaucratic failure. Real people will suffer real consequences.

So this is a very big deal for some.

David Farrar runs Curia Market Research, a specialist opinion polling and research agency, and the popular Kiwiblog where this article was sourced. He previously worked in the Parliament for eight years, serving two National Party Prime Ministers and three Opposition Leaders.

1 comment:

Juliet said...

It wasn’t “a hack” David.
The term “hack” implies some cunning custom coding to bypass the usual access controls and get into the back-end of the system.
This wasn’t that.
The intruders “walked in through the front door”, to quote the CEO.
It wasn’t a case of insufficient security provisions. More a case of not having any.
Manage My Health CAN be criticised for its data being accessed and for not having the slightest provision of any security to prevent what happened.
And after it happened, they can be criticised again for poor and delayed communication with patients, and for wrongly identifying those who were affected.
The government can also be criticised - for having NO regulations or specifications for the handling of digital health data.
It’s not as if there are no accepted standards. The US-based HIPAA regulations governing health-related data are widely accepted around the world.
But the government in little old NZ apparently has not heard of HIPAA and certainly doesn’t legally require system developers or owners to certify compliance.
Which means this will almost certainly happen again.
