Over the last eight years a lot of things have changed. Amongst all the new gadgets, technical advancements and the rise of cloud-based technologies, there has been one major shift: the commercialisation of cybercrime. That makes the government's cluelessness about cyber risk even more confounding. Today, we learn that the Health Professionals Online Services (HPOS) system has not been updated since it was implemented eight years ago.
HPOS is used by healthcare professionals to get access to someone's Medicare number when they don't have their Medicare card with them. It's basically an online inquiry system that is used by over 200,000 people about 41,000 times a day. This is likely what the Medicare machine thief has been using to sell Medicare numbers for about $30 each.
Tracking down who is actually behind the Medicare machine will take some doing. Anyone who has worked in the healthcare business knows that shared user accounts and passwords and unsecured machines are commonplace.
For all we know, we could be dealing with a non-health professional who has discovered that someone's workstation is unlocked.
Ultimately, the government is responsible for securing the personal data of all citizens that is stored in the systems it deploys. This recent breach is a sign of the cluelessness that pervades the government when it comes to doing real risk assessments and understanding the sensitivity and value of the data it holds.
While the cybersecurity strategy is a great step forward, there is a gap between the goals of this strategy and the implementation of sound risk management today.
The assumptions of 2009, when HPOS was deployed, are no longer relevant to today's world.
Heck, with Medicare rebates paid to doctors being so low, it would not be surprising to me if some are looking for new and innovative ways to supplement their income!