Massive data leak in New Zealand government servers (publicaddress.net)
97 points by oreilly on Oct 14, 2012 | 38 comments


This is the main reason I'm skeptical of central government databases. Not because of the minuscule chance of them enabling a police state, but because of the very great chance that the data will not be properly safeguarded.


You are absolutely right and it will even get worse. The govs log your personal data including fingerprints etc. I'm really skeptical that they are able to store this sensitive data securely, but I guess I'm the exception. Most live by the slogan "I'm an honest citizen, I have nothing to hide".


But but but, I thought building a central health-care database is such a brilliant idea and saves so much money!11


The health database is very well protected from what I know. And access is strictly monitored. If patient notes are viewed by someone who does not need to view them, they face harsh discipline. I recall a case from when I used this database a long time ago. In terms of high profile issues with it, the current eel-in-arse story is going to result in action and this is being done via the system's user tracking. http://m.nzherald.co.nz/nz/news/article.cfm?c_id=1&objec...

Edited for spelling


If they are monitored and if unauthorized access is prevented by "harsh discipline", then they are not protected. Protection is proactive not reactive.


There are always reasons why unauthorized access may be needed (or, to phrase it better: where authorization should be dynamically extended), however. For instance, if a patient arrives in the ED, then a doctor who has never treated them before and normally should not have access to their records, may need to view them. So long as access is audited correctly, then the issues involved are mitigated.

FWIW, "eel case" aside, I know of clinicians being unceremoniously sacked for breaching patient privacy; and I know of NZ hospitals hiring staff to monitor the audit logs on a daily basis. It's a very big deal, and something that a lot of work is put into getting right.
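One way to implement the audit the comment above describes, as an added example that is not part of the thread or of any NZ hospital system (the log format, user and patient identifiers, and care-team table are all constructed):

```python
"""Audit patient-record views for break-glass access (constructed example).
A care-relationship table says which clinicians are assigned to a patient;
any view by anyone else is a break-glass access that must be surfaced for
review, even in the ED where such access is legitimately needed."""
from collections import Counter

# Constructed sample data; identifiers are hypothetical.
CARE_TEAM = {
    "pat-001": {"dr-ahmed", "nurse-lee"},
    "pat-002": {"dr-ahmed"},
    "pat-003": {"dr-patel"},
}
ACCESS_LOG = """\
2012-10-14T08:01:10Z user=dr-ahmed patient=pat-001 ward=MED action=view
2012-10-14T08:05:42Z user=dr-patel patient=pat-001 ward=ED action=view
2012-10-14T09:12:03Z user=clerk-77 patient=pat-001 ward=ADMIN action=view
2012-10-14T09:12:09Z user=clerk-77 patient=pat-002 ward=ADMIN action=view
2012-10-14T09:12:15Z user=clerk-77 patient=pat-003 ward=ADMIN action=view
"""

def parse_line(line):
    # 'ts k=v k=v ...' -> dict; the timestamp is stored under key 'ts'.
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_break_glass(log_text, care_team):
    """Return every view by a user with no care relationship to the patient.
    'expected_context' marks ED views: expected, but still logged for review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["user"] not in care_team.get(rec["patient"], set()):
            findings.append({**rec, "expected_context": rec["ward"] == "ED"})
    return findings

def snooping_suspects(findings, threshold=3):
    """Users with at least `threshold` non-ED break-glass views: one is a
    question for the reviewer, a run across unrelated patients is the pattern
    a daily audit exists to catch."""
    counts = Counter(f["user"] for f in findings if not f["expected_context"])
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    bg = find_break_glass(ACCESS_LOG, CARE_TEAM)
    for f in bg:
        print(f["ts"], f["user"], "->", f["patient"],
              "ED (expected)" if f["expected_context"] else "REVIEW")
    print("snooping suspects:", snooping_suspects(bg))
```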


I think private databases will be the biggest risk over time. Private entities share private information across national boundaries.

Currently: facebook, telecommunication companies, Skype, gmail. Scary: Data aggregation services. Near future: face and iris databases.


I'm glad so far the government haven't mentioned bringing charges against the author yet. That probably shows you how much I expect from government these days...


That was my first thought, sadly many other governments would never be as close to open as this in all compass directions of the World. So kudos to the NZ government upon that aspect.


Having physical access to the network shouldn't (in a better world) result in such an utter compromise.

With the ability to plug in devices like the Pwn Plug, your network needs to be moderately resilient to attacks from inside.


Agreed. In fact I would go as far as to say that all systems should be deliberately connected to a network physically accessible from the outside world. That way you cannot hide behind the assumption that you have not inadvertently connected.

All security layers have to be based on what you are allowed to do. Cutting abilities in a non-privilege-restriction manner is just asking for people to figure out another way to get through.


Wow, Active Directory much? There are so many ways to do this correctly using simple groups in AD. Or hell, why do these public kiosks even need to be on the same network?


Why would a public kiosk even be running a consumer OS? They should be running a bare-bones OS with EVERYTHING not necessary to perform their intended functions removed. AND be on their own network.

Why are power plant (and other similar) control systems in any way accessible by the internet?

Why are credit-card processor internal networks in any way accessible by the internet?

Answer: because it's what happens by default, and people are too lazy or too ignorant to configure appropriate safeguards.


Because using some bespoke OS costs a fortune and accomplishes nothing.

Windows is more than capable of providing a secure environment for this sort of thing. What you're looking at is some shoddy work that was probably done by some contractor years ago.


Because we're living in an alternate universe where there's no such thing as VLANs?


True, we use a MAC filter at work. If your MAC isn't in a whitelist, then the port gets blocked. They took the file sharing a bit too seriously..


I know of one software shop locally where the dev and build machines are on a complete network island. No external access at all. If you need to google something you need to use a different computer connected to the public internet. A bit inconvenient, but not unworkable. Devs have a laptop or tablet for public browsing, and their actual work takes place on the "clean room" network.


We have a handful[1] of secure machines that are allowed to SSH into production systems. No development or other Internet activity takes place on those boxes.

[1] A handful because many of us are remote. Mine is an EeePC.


Sounds good :-) Do you use Linux on this EeePC?


Of course. It's kind of a requirement at KSplice[1]. :)

1. http://www.ksplice.com/


Except MAC filters aren't relevant to this situation at all. Private VLANs, however, are.

A VLAN would keep these computers on their own network, and firewalls could be set up on the network side to prevent this stuff from happening.

A MAC filter would do nothing in this situation, because you are using their computer. Even if you had a MAC filter, these computers would be white-listed anyway.


Typical use of a "firewall" to guard what people think of as the external entry points and then leave nothing once you get in. Plus no auditing of permissions. Alas all too common.


That is entering the realm of criminal negligence.

This is not a simple data breach; there is stuff in there covering fraud investigations, suicide attempt documentation. This has got to be the most wide-ranging privacy cock-up I have ever heard of.

Plus if this was accessible from a kiosk I HIGHLY doubt they properly segment this information internally either.

A large number of heads (including those going up the chain, supervisors, auditors, privacy managers) should roll over this one.


I won't be surprised if they classify it as "terrorism" and require some internet "protection" bill


That kind of thing only happens in New Zealand when the USA is threatening trade sanctions. In this case, not so much.


Current politics in New Zealand are unlikely to see this as a terror or hacking issue. This is the agency responsible for the jobless, and they are a very low priority mainly used for political diversion.


This is easily the biggest data breach that I have ever seen. I sincerely hope no one noticed this before, this has the potential to have a severe impact on so many lives in New Zealand.


Sadly you can imagine a less honest user would have found this and not alerted anybody of authority. The level of security being utilised is at a level that makes you wonder how many years it was like this, as it has been that secure since then, sadly.

Many people also may have less respectful governments with regard to being alerted to this and could even end up being charged. Some even have laws against even checking if it is secure, as it would be deemed hacking a governmental server. When you have that type of law then you can only imagine the security in some of the offices. You hope they have good security staff and pentesters. This is clearly not the case with this oversight. It is beyond schoolboy error level of security.

Still, at least in other countries they just leave all that data on a USB stick, so it is hard to gauge how much data leaked in comparison to others. But the opportunity is large and covers areas that can and could have caused a lot of damage.


They seem to have been warned multiple times, here is someone saying they warned the department a year ago. http://m.nzherald.co.nz/nz/news/article.cfm?c_id=1&objec...


It's actually quite scary to read the comments on TFA and see that indeed, people did know about this breach.


Keeping in mind governments can screw up this badly.. the security errors some startups launch with don't seem so bad.


There is no excuse for some of the security errors we have seen. Especially not government incompetence being equal or greater.

It is true that startups should not concentrate on perfect security, as supplying something the buyers want should be absolute priority number one, but even then there's no reason to not at least get the basics right if there is any kind of sensitive data involved.


Once it was clear that there was a leak of confidential information, he should have taken what was required as minimal evidence (a few screenshots?) and then contacted the Acting Privacy Commissioner.

Did he really need to go through files related to Doctors/Radiology, Debt Collection, Fraud Investigations, Care and Protection, HCN? Snooping through the servers beyond what was necessary was wrong.

The bigger story is the lack of security on the New Zealand servers. However, what he did was wrong and possibly illegal IMHO.


Going that extra mile was necessary to make this a big story instead of having it brushed under the carpet. It seems that the leak was known about as much as a year ago (http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&obj...), MSD were informed, but nothing was done because there was no media firestorm. By showing what was exposed, Keith Ng made the horrific impact of the leak understandable to the public and media and greatly increased the likelihood that something will get done.


I think he has done this exactly right.

This department clearly doesn't value security (multiple levels of deep failure) and the only way to make it important is political pressure via the public and the media.

Only by revealing the breadth of the failure, and doing so publicly, could any effective change occur.

It is obvious they could (and did) shut down or secure the kiosks quickly.

If he took a week to consult legal, decide best course of action, make up his mind on risking his neck, or WHATEVER, that is his right and fine by me.

Armchair criticism is easy. Keith has taken a ballsy action as an individual and he gets my respect.


He did a public service. What he did is (according to lawyers) not illegal. See http://www.nbr.co.nz/article/keith-ng-facing-possible-two-ye....


I thought the same thing, but read more and realized it was open for a while, and no one seemed to care. It took the breadth of his examples to make everyone shocked enough to notice.

The only thing that should be illegal is the way all that information was not secured.


In addition, the author claimed he spent a week preparing the story. Yet he only contacted the Acting Privacy Commissioner yesterday. His blog was published before the government had a chance to fix the issue. I find this irresponsible.



