Healthcare Sector – Still at risk
Do these numbers surprise us? What can we put this down to? I feel that the finance sector has become a lot more mature in its cyber security approach in recent times, while healthcare still isn’t taking enough notice. It might sound harsh, but seriously, we are only just now seeing real budget allocation towards cyber security. A lot of these organisations feel that they aren’t a target, and want to concentrate on providing premium health care services rather than fighting cybercrime. Don’t we all? I feel it’s going to take a major breach in our health system for the industry to make serious changes. I guess this applies to a lot of industries: utilities, legal services, insurance, and so on.
We continually see breach reports from various publications, the media and the Office of the Australian Information Commissioner (OAIC) since the implementation of the Notifiable Data Breaches (NDB) scheme in February of this year, the second OAIC report having been issued on the 31st of July 2018. This signals that there is still plenty of work to do in each industry to create better awareness among those responsible for sensitive data protection. It has also highlighted the ongoing risk posed to privacy, which in many cases is caused by human error. I have been made aware that personal details have been sent via email to the wrong recipients on numerous occasions.
Just a week ago we heard of a major breach of Singapore’s health system, with 1.5M records stolen. The Cyber Security Agency of Singapore (CSA) said the attack was “deliberate, targeted and well-planned”. They determined that attackers accessed the network by breaching a front-end workstation, managing to get privileged access to the database over time. Records were then downloaded between 27th June and 4th July and transferred to servers overseas. Victims included several Singaporean ministers, including Prime Minister Lee Hsien Loong.
Perhaps this created the uncertainty among Australians and the frenzy of opt-outs from the My Health record website, which crashed due to overload in the opening days.
Up until only a few days ago, Australian Police and many government agencies would have had access to patient data on My Health Record. Health Minister Greg Hunt met with doctors from the AMA and RACGP to discuss varying privacy concerns. As a result of these discussions, these agencies will now require a court order in order to access these records. The Government is also now likely to extend the opt-out period for My Health Record beyond the current cut-off date of October 15. It is disappointing that the pros of a digital health system are not currently outweighing the cons and security concerns. Many existing users of My Health Record are closing their accounts, while large numbers are choosing to opt out to avoid a record being created automatically. By default, all Australians with a Medicare number (including children) will have a My Health Record created unless they opt out.
The NDB scheme was certainly a major step in moving towards enforcing a lower tolerance of cyber security breaches, data loss, and leakage of PII data; however, I feel it is still a reactive measure that can’t stand on its own. The financial industry is certainly leaps and bounds ahead. The payment card industry is governed by the PCI DSS framework, which was created by the card issuers to increase controls around cardholder data and reduce fraud. Various levels of compliance are required, dependent on the number of transactions completed by the merchant on an annual basis. Compliance can be reported via the Self-Assessment Questionnaire (SAQ) or via a Report on Compliance, which is carried out by a Qualified Security Assessor (QSA). It’s quite clear that the members (card issuers) of the Payment Card Industry Security Standards Council have something to lose: credibility, the cost of refunds to the victim’s account via the merchant and, of course, brand reputation. If a merchant is found to be responsible for fraudulent card activity or loss of credit card data ultimately resulting in loss of funds, hefty fines can be handed out.
Who stands to lose in the event of a data breach of sensitive information in the health sector? Who is ultimately responsible? Doesn’t it make sense that the health sector in Australia is also governed by regulatory compliance, like PCI DSS? If it makes sense for a financial institution to perform penetration testing, report on compliance, and engage with an external assessor on an annual basis (at a minimum) then surely this can be applied to the health sector in the same way as PCI DSS is applied. In the US, the Health Insurance Portability and Accountability Act (HIPAA) was enacted over 20 years ago, in 1996! HIPAA includes policies and procedures for maintaining the privacy and security of personally identifiable health information and establishes numerous offences relating to health care and large penalties for violations. More importantly, it defines standards for the Department of Health Services in the US relating to the use and dissemination of health care information.
Although the Privacy Act regulates the handling of personal information in Australia, the awareness of compliance is low, and these organisations are still not allocating enough funds in their budget to reduce the operational risk and avoid the loss of sensitive data following a breach. Many organisations still do not have a security policy in place, nor understand the process of their reporting obligations to the commissioner.
The most recent report from the OAIC showed that 89 per cent of all breaches involved people’s contact information, such as a home or email address along with a phone number. 39 per cent involved identity information, including passport or driver’s licence numbers, and 25 per cent exposed health information.
A well-managed electronic health record may be of major benefit for individuals’ health care being seamlessly integrated between hospitals, health clinics and practitioners, improving patient safety and reducing medication errors. However, there appears to be a long way to go yet in the development of a secure service that ensures people’s privacy, accountability of record access, and confidence that the data can be kept confidential.