
Hacks, and healthcare, and blockchains, oh my!

  • stephaniebazley
  • Jun 23, 2024
  • 4 min read

If you’ve been watching the news recently, you would have seen that Australian systems are getting hit hard at the moment.


Since December last year, Australia has seen the Australian Tax Office, Optus and Medibank fall prey to large scale cyber-attacks targeting personal information. On smaller scales, ransomware is also running rampant.

Most recently, you would have seen that hackers were successful in gaining access to private customer information, including private medical data, from one of Australia’s largest private health insurers, Medibank (and its subsidiary, AHM).


Information that may have been exposed in these exploits includes:

It’s pretty scary to think that all of this personal information may be leaked in the course of servicing your basic daily needs, with no alternative option for increased data security. The people affected by the Medibank, Optus and ATO breaches were not exploited due to any fault of their own, but due to system risk. This system risk also impacts our financial systems, with shares taking a hit (Medibank still in trading halt), and erodes general trust.

To be fair, the scale of the threat is massive. A fun way to visualise these attacks is to check out real-time threat maps, such as this one by Kaspersky.


Some examples:
Medibank: 250 million attempted exploits per month
ATO: 3 million attempted exploits per month
ABS: over 2 billion exploit attempts on census day

Often after these attacks, there are post-mortems to try and work out how to prevent future attacks. University of Queensland’s Brendan Walker-Munro says, on the issue of hyper-collection of data: “We need to start asking these companies why they need to collect and store this information”. Other topics of contention are governance, and appropriate levels of cyber-readiness and vigilance. The Australian Government recognises this as a large and growing issue, with ongoing discussions on regulations and initiatives to strengthen national and institutional cybersecurity.


But the truth is, as we migrate more of our lives online, we are increasingly vulnerable to attack. 


Personally, I believe Medibank to be one of the most confronting hacks to date. I often speak on the importance of maintaining bioethical principles, and confidentiality. In my opinion, healthcare systems are really only upholding these values if they protect themselves appropriately against threats.


A few decades ago, appropriate protection may have meant monitoring who had keys to access locked patient files. Today, the threats are a lot more sophisticated, so we must also evolve.


As someone with a medical research background, who has worked in the state health department, and is currently an MD student, I am acutely aware of how vulnerable our systems can be. In a recent Substack article, and hackathon presentation, I’ve spoken on the importance of blockchain in healthcare systems.


How can blockchain help?

By maintaining your own data in your own personal wallet, you are the person who controls when it is accessed or edited. You are not relying on centralised servers to hold your data 24/7; you just rely on them for the time that your wallet is connected. By restructuring how data is stored, you assume responsibility for your own data storage, and are less vulnerable to exploit via the companies you interact with.

Emerging ideas on decentralised identity may also contribute to a safer experience online.


How do healthcare and medical data fit into all of this?

Patients currently have very low visibility over where their medical records are shared, who is accessing them and who is contributing to them, and may not even be able to access them when they travel between caregivers. That can lead to dangerous errors or close calls in relation to drug dosing, previous medical history or requirements of care. Even end-of-life preferences.

Electronic medical records systems are gradually trying to solve these issues; however, these systems are governed by a central body, meaning that even if access to files is tracked, data siloing is reduced without sacrificing security, and access is provided to patients, the data is still held and managed by one central point of power. This may also make it more vulnerable to exploit. Using decentralised technologies, we can allow the patient more ownership and oversight of their data.


That’s not to say that exploitation can’t still occur. But risk then comes from interactions with companies. Stringent standards for chains, smart contracts, and operational security would be required. Additionally, in order to expand the functionality of wallets, we have to trust them to be secure, easy to use and recoverable. Luckily, there are lots of people working on these issues. A look through the works of W3C, the Ethereum Foundation, emerging EIPs, and the wider community will show the immense scale of dedicated thought and development to build better systems. My hope is that the community of blockchain-informed cybersecurity specialists continues to grow, to support sustainable development.


Postscript: I’m by no means a cybersecurity professional, so please consult one and read widely before forming your own opinions!

 
 
 


Brainwave Strategies
