Speaking at Kickstart 11 this week, Kathryn Kerr, AusCERT’s manager for analysis and assessments, said that to date there was not much information available about the operation of the PCEHR but she believed patients would be able to nominate who would have access to that record, providing access to the record for themselves, health professionals, family members or carers.
“What we don’t know is, are they accessible by patients anywhere and anytime?” she asked. According to Ms Kerr, such access could pose a real security problem.
AusCERT, which is based at the University of Queensland, was until 2010 Australia’s national Computer Emergency Response Team, after which the role was taken over by the Government-owned CERT Australia. While no longer the official national CERT, AusCERT’s concerns about a fundamental element of the national e-health strategy should prompt serious consideration.
Until a clearer picture emerges about the operation of the PCEHR, the security issues it may pose remain to some extent a matter of conjecture.
The National EHealth Transition Authority (Nehta), which has the lead on the e-health initiatives, has a concept of operations document (the ConOps) which is intended to provide an understanding of how the PCEHR will work. According to Nehta: “Stakeholders had the opportunity to discuss the PCEHR at a number of roundtable forums held in October 2010 preceding the Government’s national eHealth conference in November 2010. These meetings have continued in early 2011.
“Nehta is currently working with the Commonwealth on a package of material based on the Con Ops that can be used in the first round of public consultation on the PCEHR,” according to a Nehta spokeswoman – but to date that ConOps has not been made publicly available.
Even so, Nehta is continuing to progress the programme. For example, IBM was this week confirmed as the winner of a $23.6 million contract to design and build the system which will allow Australian health professionals to securely access and exchange electronic health information and provide an audit trail detailing who accessed what and when.
The system, which is based on Public Key Infrastructure, is expected to provide health care professionals with a smartcard to allow them to access PCEHRs.
But Ms Kerr this week said: “It doesn’t really matter what they use. Even if those health professionals are able to access them via certificates, if the computer is compromised by malware and people use the password on the infected computer then the criminal has the complete access to the system and the record.”
“What we don’t know is the platforms that people will be able to use to access the records – that’s what is important.”
Ms Kerr said that while there was a lot of focus on the privacy threat associated with PCEHRs, there was a security issue also in terms of criminal elements gaining access to the records. “Of course the key is how to monetise the information,” she acknowledged.
“I’m not sure how they would do it – but it is still a concern.”
Certainly the risk of identity theft could be heightened if computer criminals were able to access personal identifying data associated with the PCEHR.
---
Author(s): Beverley Head
Source: iTWire, 02.03.2011