Academic: The how and why of the ManageMyHealth hack
Interview by Alex Fox, adapted by Samantha Watson-Tayler.
During the New Year’s celebrations, patient portal ManageMyHealth suffered a large data breach affecting an estimated 125,000 New Zealanders. The University of Auckland's Ulrich Speidel says the breach could have been caused by negligence, despite the sensitivity of the data concerned.
Over the new year period ManageMyHealth, a portal used by many New Zealanders and their GPs to track their health, make appointments, and request medications, was subject to a major data breach. The compromised data included identifying information that could be used for scams, fraud, identity theft, or harassment.
Dr Ulrich Speidel, Senior Lecturer in Computer Science at the University of Auckland, spoke to 95bFM’s The Wire regarding the leak.
Speidel says that the hack was likely made possible by a weak password, either guessed through brute force or acquired with a phishing email. The hackers then get inside the system through the front door, install multiple back doors so they can get in again, and begin stealing the data.
According to Speidel, responding to these breaches can be difficult. “The more you publicly divulge as to what you know about what's happened to a system like this, the more you assist the hacker to basically know what you know about their activities”.
Speidel suspects the hackers were aware of ManageMyHealth’s poor security, making it an easy target. By looking at the backend of the website and seeing, for example, what system it’s running and how long it’s been since it was last updated, hackers can spot vulnerabilities. After finding the known exploits in the system and using them, they steal the relevant information, then come to the company with a ransom demand.
The vulnerabilities stem from what Speidel describes as “a lax culture”. He says it's often “possible to kind of sniff culture like this from a distance if you're a professional hacker, and you're doing this for a living.” This issue was exacerbated by the importance and sensitive nature of the data in question. “That's a company that's got literally hundreds of thousands of clients out there, all of whom have skin in the game, and therefore they were probably very, very lucrative targets to go and approach about ransom”.
While the data may be profitable to the hackers, the breach may have much wider-reaching consequences for the average New Zealander. Speidel uses the example of a young woman from a very traditionalist background who has had an abortion. She doesn’t want this getting out, so someone with access to the relevant information could use it to extort her, threatening to tell her community and family unless she pays them. And this is just one example, as Speidel says: “This is just one of many, many, many ways in which that sort of thing can be abused”.
“I mean, there'd be other things. Imagine somebody in a professional position consulting a GP about, say, an alcohol dependency or something like this, and that sort of thing coming out that could lead to the person losing their job. So there's lots and lots and lots and lots of potential repercussions from this,” Speidel added.
But Speidel says that even without using the sensitive medical information, there could be negative outcomes for everyday people. Even if the hackers only accessed someone’s date of birth and home address, they could use this information to access someone's bank account and drain it completely.
Speidel argues that the system needs serious change. While the systems for GP-to-patient communication need to be tightened up, they also need to be limited in the information they can disclose. By eliminating vulnerabilities and limiting sensitive information, a similar breach becomes more difficult and less appealing.
Speidel also stresses the importance of giving programmers the necessary time and resources to make these changes and to do them right. He says this is the core issue: rushed developers not prioritising security, leaving the perfect opportunity for a hack.
“This is unfortunately something that happens all too often in application development, and this is why we're seeing problems like this.”
