Early one morning, while waiting for the shuttle bus to this year’s HIMSS conference (the world’s biggest digital health conference), in Orlando, Florida, I found myself sitting next to what looked like a skateboarder. I know them pretty well because one of my sons hangs with a lot of skateboarders.
This one had long hair and a scruffy beard and was sporting long baggy shorts, skate shoes, white socks halfway to his knees with a skate logo and a very loose fitting T-shirt.
But he also had a HIMSS VIP badge around his neck.
Intrigued, I asked him what he was doing at HIMSS.
“Oh, cybersecurity,” he answered.
More intrigued, I asked who he worked for.
And this is what he said, sounding pretty chuffed: “I’m not actually supposed to say, but the NSA.”
That’s NSA, as in, the National Security Agency, the US federal government intelligence agency that is part of the Department of Defence and is managed under the authority of the director of national intelligence (DNI).
“Oh,” I said, not quite knowing what to say next, and thinking, should I talk to him at all, and then, what has defence got to do with health?
He didn’t need me to ask, though. For all his claimed reticence, he enthusiastically started blurting out everything he did. And this may be the most important thing anyone needs to know about privacy and data protection: humans will run their mouths.
What he said was a little shocking. I haven’t written about it before, because it didn’t seem too relevant here – but given what happened this week to Medibank Private, I’m telling you now.
He was part of a dedicated and highly specialised unit set up in the NSA specifically to address a growing plague across the US of health provider data hacks, most of which were originating out of Russia, or Russian-influenced state actors, and usually associated with ransom demands.
In the past year (I spoke to him in late March) the problem had blown up and his group was expanding rapidly. I think he used the words “growing exponentially” referring to the number of hacks.
The US Department of Health has an equivalent cybersecurity unit set up as well, he said, but the two groups more or less compete with each other and don’t really talk much.
(We’ll have to watch that if ASIO ever sets up an equivalent to the DoH’s cybersecurity unit, which works with the Australian Signals Directorate with support from the Australian Cyber Security Centre.)
Why did the NSA feel the need to get involved?
Well, according to my skateboarding friend, healthcare hacking is now virtually a state-sanctioned industry sector in Russia. It sounded from what he said that in Russia it was quite a respectable day job.
If you think about the Facebook debacle of 2016 and how organised that seemed to be via government, then this feels like an entirely plausible claim.
Apparently, the more industrialised and widespread the activity, the better for Russia and its allies, because at scale it can be destabilising of a Western economy (in this case the US), and, my favourite reason, it’s highly lucrative. Who knows, it probably counts towards Russian GDP.
The numbers Sk8ter boi mentioned to me in terms of daily ransomware attacks were astronomical, even for the US.
He said healthcare data was probably the number one target for these state sanctioned ransomware actors because:
- It was usually very valuable, with all the good ID data points but also often including very juicy personal details (aka Medibank claims data), the sort of stuff people on the dark web love to buy
- Healthcare providers, big and small, are not only everywhere in numbers, at every level of society, but they run thousands of legacy software systems, many of them still on premise, poorly protected, and with isolated and often poorly backed up data (that sounds like just about every GP in Australia if you’re feeling a bit worried)
I said to him that I didn’t think the problem was anywhere near this scale in Australia yet.
He just smiled and said “Give it time … these guys are just starting up.”
No one has said the Medibank hack is Russian or a related actor, but the point of my friend’s story is directly relevant in the context of how prepared Australia looks like it might be for such an onslaught.
It’s not.
Not even close.
We have a very big and complex problem here in terms of how we look at and manage health data security. I think the last few weeks provides everyone with a good sense about that.
But there’s a much bigger issue before we even start addressing lax governance and technical oversight and our investment focus on security, which is what we’ve been talking about mostly in the last couple of weeks.
A lot of our major healthcare providers treat their patient’s data with a fair bit of contempt in terms of what they think is OK to do with it.
A lot of them do this via Facebook’s technique of burying the privacy policies and clauses, not so you can’t get to it, but so you will never ever attempt to read it because it’s so dense and boring.
On reading most of the following provider clauses on privacy (TMR took this one for the team) it is apparent that most healthcare providers are giving your data to so called third-party “partners” for dubious and usually commercial reasons.
What do we think happens to that data once it is in the hands of third parties and partners and you aren’t privy to what the privacy policy of those partners are?
In addition, the definition of partner is nearly always vague and broad and often loose.
One key feature emerging out of the US situation is that in healthcare, a vast majority of the data that is getting lost is being lost not by the major provider, but by their third parties. Here’s a good article on this phenomenon.
It’s pretty scary to think who might actually be a third party and be working with one of these providers and what their ability or interest in data protection is.
In one respect I think the Russians might want to consider just short circuiting the hacking operations and start setting themselves up as a partner or third-party provider to any of these organisations instead. It might be a lot easier.
If you’re like me, you might now be thinking, “Oh come on … ”
But you probably would not have sat down to read any, or at the very least many, of these privacy statements and policies.
So I thought I’d pull a few highlights out for you to help you make up your own mind.
Here are 10 excerpts, starting with the best first, because the first one comes essentially from this week’s No 1 hacked company, Medibank (actually a subsidiary JV of Medibank. Worryingly, this example involves both federal and state governments who work very closely with this company and provide it with most of its work.
1. Amplar Health Privacy Policy
Before the good folks at Medibank fix this fairly embarrassing admin error (much more embarrassing being there this week still, of course) google “Amplar Health Privacy Policy” and see what the link delivers you. Until yesterday it was the page below:
I can’t read or speak Latin but I’m pretty sure that isn’t actually a privacy policy.
This is no scandal for sure. It’s a dumb mistake by poor sod in charge of the website and maybe the marketing department.
These things happen and this has nothing to do with technical security protocols surrounding how the group actually protects data.
But it does point to a big problem with the overall attitude to data protection, we think.
What does this mistake say about Medibank Private’s overall approach to privacy and patient data if Amplar Health is a major new JV company (with private hospital group Calgary) being built and spruiked by Medibank Private as being a major partner with government in solving community healthcare issues?
If you pull back to the front page you will get the pitch on Amplar.
“At Amplar Health we co-create health solutions with government, businesses, not for profits to deliver on our vision of the best health and well being for Australia,” reads the tag line.
You’re going to wonder, visiting the privacy page of this same company, if that vision involves giving privacy a little more attention than it has so far.
You’re also going to wonder how it is that state and federal governments are up to their necks working with a group (with tens of millions of dollars in contracts already) that doesn’t at least show that their patients’ data privacy is, if not top of mind, pretty high up there.
This is especially so in this last week, of course.
The very fact that this page exists and no one has pointed it out, until now, is testament to just how much healthcare providers are relying on their customers to never ever read their privacy policy.
They know none of their customers read them, and they are almost certainly taking advantage of this major problem.
How?
2. Medibank Privacy Policy – How we hold your personal information
One reason the Amplar mistake above is so dumb is that on every page of the Amplar site, albeit in micro writing at the base of every page, is a link to the Medibank Privacy policy, which, for that poor soul who was in charge of the Amplar Privacy policy page would have made a much better holding page than gobbledygook Latin. The below term would not have made the “spine chilling” level the week before last. But it does this week.
We aim to store your information securely and have a range of security controls in place (including physical, technical and procedural safeguards) designed to protect your personal information. Our employees and contractors regularly receive targeted privacy training. We take reasonable steps to make sure that the personal information about you – that we collect, use and disclose – is accurate, complete, up to date and relevant.
Bit ironic.
3. Medibank Privacy Policy – Third Parties (Using your personal information)
As mentioned, a huge issue in the US in terms of healthcare hacks is that a very large percentage of them result from “third-party relationships” with the healthcare provider. Third-party clauses are in everyone of our chilling top 10 and they all essentially say that your provider can pick and choose any third party they think it is OK to share your data with. Here’s the relevant parts of the Medibank policy on using your personal information that does that:
- partner or work with third parties to improve our membership offering and value [note that they don’t identify who such parties might be or what their policies are]
- conduct marketing – including targeted electronic marketing (such as emails, or advertisements on websites and social media platforms that you access)
- perform other functions and activities relating to our business
4. Pilot Privacy Policy – Our purposes for handling your personal information and disclosure of personal information
In some respects Medibank Private’s privacy policy is one of the better ones, particularly in respect to third party use of data. Have a look at what the telehealth start up for men’s health says they may give your data to and what for, which you will likely never read (Pilot’s parent company has obtained about $80m in venture funding over the last year or so and is going gangbusters):
e (ii) our group companies and business partners and their goods and services, that might be of interest to you, including information about promotional offers, contests, rewards and upcoming events [our emphasis]
f. facilitate third parties communicating with you about our goods or services that might be of interest to you
we disclose personal information for the purposes outlined in this Privacy Policy to:
- Partner Companions;
- Partner Providers;
- our employees, contractors and group companies;
- Government Sources, where we are providing you with a health service;
- cloud service providers;
- payment system operators (such as Shopify or Stripe);
- to third parties, such as our service providers, IT support providers, our professional advisors and our marketing and social media partners;
I’m not sure what you’re thinking after reading this reasonably comprehensive list of just about anyone and everyone but what I thought is that Pilot may as well have thrown in “The Russians” as well at the end so they’d be protected entirely legally in the event of a hack anywhere. It’s that broad. What the heck is a “partner companion” by the way? Sounds like a supplier who is also someone’s girlfriend.
5. CareMonitor Privacy Policy – To whom do we disclose personal information of Patients?
We may disclose personal information for the purposes described in this privacy policy to:
- third party suppliers and service providers (including providers for the operation of our websites and/or our business or in connection with providing our products and services to you);
- professional advisers, dealers and agents;
- payment systems operators (eg merchants receiving card payments);
- our existing or potential agents, business partners or partners for the purpose of improving health care;
- other persons, including government agencies, regulatory bodies and law enforcement agencies
6. Midnight Health privacy policy – disclosure of your personal information
We may disclose your personal information to any of our related group companies. They will only use it for the same purposes that we may under this policy. We may provide personal information to third parties outside our group companies for limited purposes, such as to help us in providing or offering goods and services to customers and patients, where you have provided your consent.
Those persons and businesses may include:
- Organisations who carry out credit, fraud and other security checks;
- Couriers and delivery businesses
- Third parties that carry out market research;
- Third party software providers who store details of customer account for us or who provide other IT services; and
- Marketing businesses engaged by us to disseminate materials to which recipients have consented (if applicable).
7. MedAdvisor privacy policy – Who can access my data?
Only the MedAdvisor employees and approved third party users with a valid business need are granted access
We may, on a confidential basis, also disclose your personal information to your nominated MedAdvisor Network Pharmacy (this includes providing any dispense data from our other MedAdvisor Network Pharmacies that you use to your nominated MedAdvisor Network Pharmacy pharmacy)
8. PenCS privacy policy – who we disclose data to
We will only disclose personal data that we collect to third parties as follows:
- To hosting providers who host our websites and content… [on third-party computer servers in the data centres of our hosting providers]
- To other parties to a commercial arrangement where authorised or is necessary in order to provide our services
- To our resellers, distributors, agents and channel partners
- So that we can obtain assistance from our suppliers and corporate group
The fact is, you’re going to see terms like this in almost every healthcare provider privacy policy statement if it’s a non-government provider and data in the end means more money for that provider in some way.
The point is, once your data is in third party hands, and in all of these examples it can get there easily, and a user is consenting to it – just as a Facebook user consents to absolutely outrageous privacy terms because no one reads those terms either – it’s gone. It may as well be hacked by the Russians. You can’t see the privacy terms of that provider and in most cases you have no idea what their business model is, or their intentions with that data essentially, even if the primary provider is warranting that the terms have been checked.
If our governments work closely with a lot of these providers – they certainly do with Medibank – and they are OK with these providers and their attitude to the privacy of data, it’s a bit rich for government to come out and say they are surprised and upset at how badly some companies like Optus, Medibank and ACL have managed to secure their data.
If you read the privacy policies of all these organisations, in most cases, their data was never very secure anyway. It’s off with so many third parties and partners and partners companions, that no one can possibly guarantee its safety.
This is a much bigger problem than we are being led to believe even after these major hacks of the last few weeks.
We really don’t get it in Australia so far, even at a government level.