House debates

Tuesday, 18 September 2018

Bills

My Health Records Amendment (Strengthening Privacy) Bill 2018; Second Reading

12:06 pm

Gai Brodtmann (Canberra, Australian Labor Party, Shadow Assistant Minister for Cyber Security and Defence)

The government's implementation of the My Health Record system has been nothing shy of inadequate and nothing short of woeful. In August, the government announced rollout phase 2 of My Health Record, which meant that every Australian's private health information would be stored online unless they chose to opt out. This is not the way the system was originally designed. This was not the way the system was originally intended. Labor's opt-in model was a model based on informed consent. The Australian public had the ability to learn about My Health Record and then choose whether they wanted to be part of the system. This was intended to be a system based on trust, Mr Speaker. As of this morning, My Health Record has lost the trust of nearly 1 million Australians who have opted out. This is significant given that there are still two months left in the opt-out period—although not surprising, given 20,000 opted out on day one.

My Health Record has the potential to be a safe, helpful and trusted tool, but this government has significantly and severely damaged this potential with its woeful implementation and rollout of this system. The rollout of this system has been inadequate. As the shadow assistant minister for cyber security and defence, my concerns about My Health Record immediately turn to the cybersecurity of the data which the system will be holding. My concerns stem from the complete and utter disregard for cybersecurity that the Turnbull-Abbott-Morrison government has shown. This is the government that brought us cyberfails such as the 2016 census, repeated crashes of the Australian Taxation Office website—more than 12 over 12 months—and, who can forget, robo-debt.

Australian government agencies are expected to comply with mandated Australian Signals Directorate top 4 mitigated cybersecurity standards. These are: application whitelisting, patch applications, configuring of Microsoft Office macro settings and user application hardening. In 2014, an audit of seven government agencies found that not one met these criteria. Not one met mandated cybersecurity standards that are mandated by the Australian Signals Directorate for government agencies. Seven government agencies were audited and not one was found to be considered cyber-resilient. How did the coalition government respond? With a very stern letter from the then Minister Assisting the Prime Minister for Cyber Security asking agency and department heads to take cybersecurity very seriously. It was a letter that was sent to these department heads and these agency heads. They were mandated government agency and ASD endorsed standards on cybersecurity, yet the government's response when these agencies weren't complying was to send them a very stern letter asking them to take cybersecurity very seriously.

Despite assurances to the Joint Committee of Public Accounts and Audit that they would be compliant by 2016, the latest Australian National Audit Office report revealed that two out of the three agencies audited again still had insufficient protections against cyberattacks from external sources. In the latest report, a total of 14 government entities were reviewed and just four were found to comply with those mandated top four cybersecurity standards by the Australian Signals Directorate. They were the Department of Human Services, Treasury, AUSTRAC and the Department of Agriculture and Water Resources. The government entities that have not complied with these mandated standards include the Australian Federal Police, the former Department of Immigration and Border Protection, the Australian Bureau of Statistics, the Australian Taxation Office, the Australian Financial Security Authority and the Department of Foreign Affairs and Trade.

At a time when significant data breaches and cyberattacks are an almost daily occurrence, the revelation that our own government entities continue to fail to meet mandatory cybersecurity standards should be a cause for great and immediate concern. But the response from the government was to send a letter saying, 'Please take this very seriously.' These are the government entities that collect and store the information of Australians. They protect our borders. They run our national security operations. Continuing to overlook this lack of compliance is continuing to put this data at risk with potentially significant consequences for Australians, and this includes our digital health data.

The Department of Health was responsible for the 2017 Medicare data breach, which allowed a darknet vendor to sell Medicare card details using the Australian Department of Human Services logo. At the time, Nigel Phair, former AFP investigator into high-tech crime, described the coalition government's response to this breach as 'disappointing, confusing and often contemptible'. It is alleged the Department of Health and the Digital Health Agency have been independently audited, but this is yet to be confirmed by the government and the results of this audit have not been released. Although I am heartened to know that the Digital Health Agency has a cybersecurity centre, I still have a number of concerns, particularly about their cybersecurity compliance.

In August, I raised my concerns in parliament. I asked the then Turnbull government: 'Is the Department of Health cyber resilient? Is the Australian Digital Health Agency cyber resilient? Does the Department of Health comply with ASD's mandated top four mitigation strategies? Does the Australian Digital Health Agency comply with those mandated mitigation strategies? Do they comply with the essential eight mitigation strategies, which are mandated? What about access to data? What about the computers in every health professional surgery, clinic and centre across Australia? Are they cyber-secure? Do we know? What audits have been undertaken? What standards have been used?' There are so many questions on this front, and it appears that no-one on the other side of the chamber is taking this seriously. This is serious. This is highly sensitive data and this is serious.

The history of government agency noncompliance with mandated Australian Signals Directorate cybersecurity standards—the fact that we have a track record of that—does not fill this side of the chamber with great confidence that the Digital Health Agency and the Department of Health are cyber-secure, are implementing these mandated standards and are applying some cybersecurity standard to the health professionals to which they engage. I am yet to receive answers from those opposite on my many questions.

A report from the Office of the Australian Information Commissioner in July revealed that Australia's health sector is the worst industry affected by data breaches, which is why I am so concerned, and why this side of the chamber is so concerned. It is not only the fact that government agencies aren't complying with mandated standards and not only the fact that this government has an appalling track record with its agencies in terms of cyber breaches—as I said, census fail, 12 ATO breaches over the past 12 months and the robodebt issue, as well as the Medicare issue. Not only am I concerned about past performance but I'm also concerned about the fact that the Office of the Australian Information Commissioner found that across Australia the health sector is the worst industry in terms of data breaches.

Why haven't we seen the results of the independent audit? The Australian Digital Health Agency maintains that it has been independently audited. Well, if so, let us see the results. Release the results. And who also conducted the independent audit? Was it multiple agencies? Was it external agencies? Who actually conducted the independent audit? When was it conducted? And what standards were used as the measure in that independent audit? If the Australian Digital Health Agency is compliant with the ASD's top four mandated mitigation standards, then show us the information; show us the confirmation in order to provide assurance to the Australian public about the safety of their data. I think that's the least we can do, given the fact that the agency has said that it has been independently audited. Well, show us the results. Show us that you are compliant with those standards. Show us that you are cybersecure. Show us that you are cyber-resilient. Show us that you actually have the systems in place for a cyber-recovery.

The reason I'm concerned about that, the reason this side of the chamber is so concerned, is that we are talking about the personal data of every Australian, unless they choose to opt out. And we're not just talking about a cough or a broken bone; this information is highly sensitive. We're talking about pregnancy terminations, we're talking about injuries from assault, we're talking about miscarriages and we're talking about workers compensation injuries. It is highly sensitive data that needs to be protected from falling into the wrong hands, and the Australian people need to be reassured that the cybersecurity arrangements are in place to provide us with some sense of comfort that this agency and the Department of Health and this highly sensitive personal health information is actually cybersecure and cyber-resilient.

Online criminals are not the only ones we should be worried about here. The Office of the Australian Information Commissioner report also revealed that human error accounted for almost 60 per cent of data breaches within the health sector, which is absolutely significant. The insider threat is significant on so many fronts, not just in the health sector but in other sectors as well. Is the government planning on educating the health sector about basic cyberhygiene? If not, why not? This government's past track record in educating the broader community on cybersecurity makes you wonder whether it's actually going to happen in relation to those health professionals. Yesterday in question time the government were talking about their fabulous track record in educating senior Australians on cybersecurity, and the minister went into some rant about border protection. But where is the education program to prove that you've actually done this? Where is the education program to prove that you've done this education and that you've raised awareness about basic cyberhygiene practices amongst health professionals? Where's the universal education program right across Australia that is targeting seniors to improve their cyberhygiene practices?

This government's all talk when it comes to cybersecurity—all talk. It's got this dazzling, huge strategy but no deadlines, no key performance indicators and no targets—just a whole list of activities, and everyone's running around doing those activities and we don't know any outcomes from that strategy, a strategy that has significant funding. One of the key components missing from that strategy is an education program for the broader Australian community, for these people in the health sector, for senior Australians, for small business.

Health data is an increasing target for cybercriminals. Last year in the UK, the healthcare sector suffered more than half of all cyberattacks, and in 2016 a Californian hospital paid US$17,000 in bitcoin as ransom to a hacker who had seized control of its computer systems. A cyberattack on a Singapore health database earlier this year stole details of 1.5 million people, including the Prime Minister, and last year's WannaCry attack proved that the networks that aren't cybersecure, down the supply chain, are the biggest vulnerability of our systems.

Australia is not immune here. If we do not get this right, we will become part of these statistics. Again, I've been calling on the government to actually get some rigour on the cybersecurity front and get some ballast in the critical infrastructure space. There was an act that was passed a few months ago, and it addressed only a few sectors in critical infrastructure, and it failed to even mention the word 'cybersecurity', which is breathtaking in 2018.

In closing, I just want to share some of the feedback I've had from Canberrans about My Health Record. A local medical practitioner wrote to me not long after the opt-out period began. He said, 'It's now been 50 minutes, and I still can't get through to a resolution of my request to opt out—trying to opt out online only to finally get the message, "Unable to process your request." How can the My Health Record system be trusted if they can't manage to deal with a simple online process?' Labor are not the only ones questioning the government's implementation of My Health Record. We've got Canberrans and health professionals doing it too. We must reassure Australians that the Digital Health Agency is cyber-resilient. We must reassure Australians that the networks that access this data comply with minimum cybersecurity standards. The government must reassure Australians that their personal data stored on My Health Record is secure and prove that the Department of Health and the agency are cyber-resilient. Only then can millions of Australians be assured their personal information will be safe.
