Healthcare, POS vulnerabilities will be tested under new privacy laws

Australia's healthcare and point-of-sale (POS) industries will be focal points for efforts to improve privacy protections in the wake of new privacy controls that come into effect this week, the head of security-response firm AusCERT has warned.

The risk comes from the industry's continued reliance on a range of systems with varying security controls that may not all comply with the new amendments to the Privacy Act 1988, which will compel private and public organisations to comply with 13 Australian Privacy Principles (APPs) regulating the handling of personally identifiable information.

The varied nature and format of healthcare data would pose challenges for healthcare companies going forward, AusCERT general manager Graham Ingram told CSO Australia, because "the information they're sitting on is absolute dynamite".

"The health industry has been running over the last 20 years using stock-standard software that nobody has ever looked at for security," he continued.

"I would suggest it was never really designed for the Internet environment; it's all based around a locked system, which assumes that medical provider A only talks to medical supplier B – but now they do it over the Internet and that's not the case."

Endemic design shortcomings had made the sector particularly ripe for targeting by ransomware, malware that locks systems or encrypts data and extorts fees from victims in exchange for restoring access.

"Some of the really good ransomware is targeting specific software that is proprietary software made for medical practices," Ingram said. "They worked out where a hole was, and use that hole to get into the practices."

"I think we'll see more of this in 2014," he added. "It will depend on the economics. But at this stage, I can't see anything that's going to stop them. SMEs seem to be the soft spot, because there's not enough awareness and not enough security. They will pay up, and if you can hit them for $4000 a pop, that's a very nice way [for malware authors] to make a living."

Point-of-sale (POS) software was another such vulnerability: it has typically been in use for years and often runs on out-of-date, unpatched applications and operating systems. Hackers famously exploited these weaknesses to steal credit-card credentials of more than 110m people from the POS systems of US retailer Target, with one in three victims likely to see fraud as a result. That breach recently claimed the scalp of CIO Beth Jacob, who resigned in the wake of the devastating privacy breach.

The situation in Australia is similar, Ingram said, noting that vulnerabilities in POS software "have been popping up over the last five years and we routinely come across a POS that's been compromised."

The shortcomings were often by design: "when you look at it, they have not been designed by security people," Ingram explained.

"They have been designed to do a job. And then we find these huge holes in them that nobody knew about because they're proprietary applications. POS software is and will remain very vulnerable. It's a case of the closer you look, the more you will find."

Stories by David Braue