Security

My Health Record data misuse penalties raised

The Australian government is set to increase the maximum penalties for improper use of My Health Record data, Health Minister Greg Hunt announced on Wednesday morning.

Under the changes, the maximum jail term will increase from two to five years, the maximum fine for individuals will jump from AU$126,000 to AU$315,000, and private health insurers will not be able to access health or de-identified data.

Employers will also not be able to use health information or de-identified data to discriminate against employees or potential employees.

“Importantly, employers or insurers cannot simply avoid the prohibition by asking the individuals to share their My Health Record information with them,” Hunt said.

Parents who have restricted access to a child, or are a potential risk to a child or person associated with the child, will not be allowed to become an authorised representative.

Hunt added that a review will be conducted into whether parents should have default access to the health records of their children aged between 14 and 17.

“Currently, a young person aged 14 and over can take control of their My Health Record at any time by removing their parents’ access to their record,” Hunt said.

The changes arrive in response to a Senate inquiry into My Health Record, which called for access controls to be applied by default, for stronger restrictions on using My Health Record data for secondary uses, and for the opt-out window to be extended for another year.

In a dissenting report, government senators said access controls would represent a “serious implementation challenge for many Australians”, particularly those “who did not (or could not) want to receive their PIN online”.

“Asking for a PIN, and requiring consumers to remember their PIN, will interrupt the clinical workflow and impede use of the record … both the clinician’s and the consumer’s time will be wasted while the consumer attempts to remember or locate their PIN,” they wrote.

“The proposal would also in practical terms effectively return the My Health Record to an opt-in participation model.”

The same senators also rejected the call for data to not be made available for secondary use without the individual’s explicit consent.

“We do not support this recommendation, as this would be inconsistent with the government’s general opt-out approach to My Health Record,” they wrote.

Australians who do not want a My Health Record automatically created for them can opt out until November 15. Records will not be created until a month later, due to the need to reconcile paper form opt-outs.

Speaking at Senate Estimates last month, the Australian Digital Health Agency (ADHA) said the opt-out rate is under 5 percent, and 1.147 million Australians had chosen to remove themselves from the system.

Documents obtained under Freedom of Information last month showed that ADHA had no detailed policy or process for releasing My Health Record data to support regulatory and legal requests.

The only internal policy guidance appears to have been the agency’s commitment, stated publicly, not to release data except “where the agency has no discretion”, such as when responding to a court order.

Related Coverage

My Health Record access controls used only 214 times in million record trial

Individual document controls were used only 10 times during the electronic health record trial.

My Health Record opt-outs now sit at over 1.1 million

An additional 200,000 Australians have opted out, but it is sitting under ADHA’s 5 percent target.

Senate inquiry recommends locking down My Health Record by default

A comprehensive review of Australia’s centralised digital health record has recommended extending the opt-out period by another 12 months while privacy controls are significantly tightened.

My Health Record privacy amendments ‘woefully inadequate’: Labor

An Australian senate committee has recommended passing the My Health Records Amendment (Strengthening Privacy) Bill 2018, but Labor senators have lashed out at the government’s “stubborn refusal” to fix further problems.

My Health Record justifications ‘kind of lame’: Godwin

Australia has spent billions of dollars for ‘nothing really useful’, according to leading internet policy commentator Mike Godwin, and the proposed anti-encryption laws are ‘inhumane, wrong, anti-democratic’.

Privacy advocates have failed to engage on My Health Record

Many of the concerns about Australia’s centralised digital health records are real, but the abstract, hand-wavey arguments aren’t persuading people outside the digital privacy bubble.

Security

Managing Vulnerabilities in a Cloud Native World

This free 1-hour webinar from GigaOm Research brings together experts in Cloud Native Vulnerability Management, featuring analyst Iben Rodriguez and special guest from Palo Alto Networks, John Morello. The discussion will focus on optimizing cloud security posture and integration with enterprise tool sets.

We will review platforms delivering Security Posture Management and Workload Protection for Microservice based and Hybrid Cloud Workloads.

Registrants will learn how new customers can benefit from Prisma Cloud to better secure their complex multi-cloud environments. Existing customers will learn about new features they can take advantage of and how to optimize their limited resources.

Register now to join GigaOm and Palo Alto Networks for this free expert webinar.

The post Managing Vulnerabilities in a Cloud Native World appeared first on Gigaom.

Security

Security Tools Help Bring Dev and Security Teams Together

Software development teams are increasingly focused on identifying and mitigating any issues as quickly and completely as possible. This relates not only to software quality but also software security. Different organizations are at different levels when it comes to having their development teams and security teams working in concert, but the simple fact remains that there are far more developers out there than security engineers.

Those factors are leading organizations to consider security tooling and automation to proactively discover and resolve any software security issues throughout the development process. In the recent report, “GigaOm Radar for Developer Security Tools,” Shea Stewart examines a roundup of security tools aimed at software development teams.

Stewart identified three critical criteria to bear in mind when evaluating developer security tools. These include:

  • Vendors providing tools to improve application security can and should also enhance an organization’s overall security posture.
  • The prevailing “shift-left” mindset doesn’t necessarily mean that responsibility for reducing risk should shift to development; rather, focusing on security earlier in the process, and continuing to do so throughout development, will reduce risk and the need for extensive rework.
  • Security throughout the entire software development lifecycle (SDLC) is critical for any organization focused on reducing risk.

Figure 1. How Cybersecurity Applies Across Each Stage of the Software Development Lifecycle. (Note: This report focuses only on the Developer Security Tooling area.)

Individual vendors have made varying levels of progress and innovation toward enhancing developer security. Following several acquisitions, Red Hat, Palo Alto Networks, and Rapid7 have all added tooling for developer security to their platforms. Stewart sees a couple of the smaller vendors like JFrog and Sonatype as continuing to innovate to remain ahead of the market.

Vendors delving into this category and moving deeper into “DevSecOps” all seem to be taking different approaches to their enhanced security tooling. While they are involving security in every aspect of the development process, some tend to be moving more quickly to match the pace of the SDLC. Others are trying to shore up existing platforms by adding functionality through acquisition. Both infrastructure and software developers are now sharing toolsets and processes, so these development security tools must account for the requirements of both groups.

While none of the 12 vendors evaluated in this report can provide comprehensive security throughout the entire SDLC, they all have their particular strengths and areas of focus. It is therefore incumbent upon the organization to fully and accurately assess its SDLC, involve the development and security teams, and match the unique requirements with the functionality provided by these tools. Even if it involves using more than one at different points throughout the process, focus on striking a balance between stringent security and simplifying the development process.

Read more: Key Criteria for Evaluating Developer Security Tools, and the Gigaom Radar for Developer Security Tool Companies.

The post Security Tools Help Bring Dev and Security Teams Together appeared first on Gigaom.

Security

Key Criteria for Evaluating User and Entity Behavior Analytics (UEBA)

Cybersecurity is a multidisciplinary practice that not only grows in complexity annually but evolves nearly as quickly. A survey of the security landscape today would reveal concerns ranging from the classic compromised servers to the relatively new DevSecOps practices aimed at securing the rapid deployment of new code and infrastructure. However, some things remain constant no matter how much change is introduced. While technology evolves and complexity varies, there is almost always a human component in the risks presented to an organization.

User Behavior Analysis (UBA) was designed to analyze the actions of users in an organization and attempt to identify normal and abnormal behaviors. From this analysis, malicious or risky behaviors can be detected. UBA solutions identify events that are not detectable using other methods because, unlike classic security tools (an IDS or SIEM for example), UBA does not simply pattern match or apply rule sets to data to identify security events. Instead, it looks for any and all deviations from baseline user activity.

As technology advanced and evolved, and the scope of what is connected to the network grew, the need to analyze entities other than users emerged. In response, entity analysis has been added to UBA to create UEBA or User and Entity Behavior Analysis. The strategy remains the same, but the scope of analysis has expanded to include entities involving things like daemons, processes, infrastructure, and so on.
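The contrast drawn above between a fixed rule and a per-entity baseline can be shown in a few lines. This is an added example, not taken from the GigaOm report or any UEBA product; the entity names, traffic figures, static limit, and the choice of a z-score as the deviation measure are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed sample data: outbound MB per day for each entity (users and daemons).
HISTORY = {
    "alice":       [120, 135, 110, 128, 140, 125, 131],  # human user
    "backup-svc":  [900, 950, 920, 910, 940, 930, 925],  # daemon that moves large volumes
    "cron-report": [2, 3, 2, 2, 3, 2, 3],                # daemon that sends small reports
}
TODAY = {"alice": 133, "backup-svc": 935, "cron-report": 60}

# Hypothetical SIEM-style rule: one global limit, tuned so backup-svc does not alert.
STATIC_LIMIT_MB = 1000


def static_rule(today, limit=STATIC_LIMIT_MB):
    """Rule-set approach: flag any entity above a single fixed threshold."""
    return sorted(e for e, mb in today.items() if mb > limit)


def baseline_deviations(history, today, z_threshold=3.0, min_samples=5):
    """Baseline approach: flag entities whose activity departs from their own history.

    Returns {entity: z_score}; an entity with too little history maps to None so
    that it is surfaced for review instead of passing silently.
    """
    flagged = {}
    for entity, mb in today.items():
        past = history.get(entity, [])
        if len(past) < min_samples:
            flagged[entity] = None
            continue
        mu = mean(past)
        # Floor the spread so a very flat history cannot produce huge z-scores
        # from ordinary day-to-day noise.
        sigma = max(stdev(past), 0.05 * mu, 1e-9)
        z = (mb - mu) / sigma
        if abs(z) >= z_threshold:
            flagged[entity] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("static rule flags:  ", static_rule(TODAY))
    print("baseline flags:     ", baseline_deviations(HISTORY, TODAY))
```

The fixed limit flags nothing, because 60 MB is far below a threshold sized for the backup daemon, while the per-entity baseline flags `cron-report` for sending roughly 25 times its usual volume.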

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

The post Key Criteria for Evaluating User and Entity Behavior Analytics (UEBA) appeared first on Gigaom.
