My Health Record | Security Controls
There have been plenty of discussions around the My Health Record since the opt out period opened two months ago. There are a lot of concerns and uncertainty around Section 70 of the My Health Records Act 2012, “Disclosure for law enforcement purposes, etc.”, which reportedly would allow the ADHA to “disclose health information when it ‘reasonably believes’ it is necessary to investigate or prosecute a crime, to counter ‘seriously improper conduct’ or to ‘protect the public revenue’”. Initially it was reported that the parliamentary library issued advice that police could access My Health Record information without a court order. Now, it has been reported that the parliamentary library has pulled that advice. Either way, confusion and concerns around the security of the system and the privacy of our health-related data continue on.
For those who already have a record, have chosen not to opt out, or are still undecided, it is important to familiarise yourselves with the security controls present in My Health Record, to control who has access to your information, when, and with what level of monitoring by you. To that end, Dan Maslin has written a very informative article on LinkedIn that is well worth reading.
According to Google Chrome, HTTP sites are no longer secure
With the release 68 of Google Chrome, websites running HTTP will now be marked as Not Secure, along with any sites running HTTPS whose certificates contain errors or are using weak signature or hashing algorithms. According to The Hacker News, 6 reasons why you should enable HTTPS on your website are as follows:
- HTTPS improves Google rankings and SEO;
- HTTPS improves website security and privacy;
- HTTPS increases credibility and improves customer confidence;
- HTTPS improves website speed, as HTTP2 is faster than HTTP;
- HTTPS makes surfing over public Wi-Fi safer; and
- HTTPS is now free!
For those who want to enable their websites with free SSL certificates, take a look at Let's Encrypt's secure site and Google’s tutorial on migrating a website to HTTPS.
Is 2FA too difficult?
In this article from The Register, Rapid 7 have found that only 15% of networks have implemented 2FA (A.K.A, 2-factor authentication, 2-step authentication, multi-factor authentication and MFA), and 20% of networks are missing account lockout configurations to prevent brute-force password attacks. These results were generated from 268 real-world penetration tests carried out since 2017. Properly-implemented MFA is such an important control for preventing credential theft and reuse that the Australian Signals Directorate includes it as one of its Essential Eight technical controls, and Google has reportedly said that there have been “no reported or confirmed account takeovers since implementing security keys at Google”.
In other MFA news, Google announced their own hardware-based security keys at their Cloud Next ’18 convention in San Francisco, in late July. The Titan Security Keys are now available for purchase on the Google Store, supporting authentication over USB and Bluetooth, and being based on the FIDO Alliance’s Universal 2nd Factor (U2F) protocol, which was originally developed by Google and Yubico.
So, is 2FA too difficult? 2FA can be used to access a number of critical services, using a variety of multi-factor solutions, including Google Authenticator and YubiKeys. It can be frustrating, having to pull out your phone, or dig around to find your hardware-based security key, especially when time is of the essence; however, it is a lot less frustrating or inconvenient than having your organisation's critical service accounts compromised!
If you choose to implement 2FA in your organisation, it is important to take the time to understand your user base, the services they need to access to carry out their daily job tasks, and the where/when/how of accessing these services. Once that is understood, you can design a 2FA implementation that is the right fit for your organisation, ensuring that it supports your users in carrying out their daily job tasks securely, rather than being seen as another "security roadblock" that makes their lives more difficult.
Contact Us today to find out how Thomas Duryea Logicalis can support you with your organisation's security concerns and posture.
