Repercussions from the compromise of Medicare details continue to escalate, but in the longer term the incident serves as yet another reminder that the disconnect between security strategy and execution isn’t limited to Australia’s private sector.
The revelation that a Guardian journalist was able to purchase his own Medicare details from a dark-web vendor – who offered the same service for any Australian – pushed government security to the forefront this week, as the Australian Medical Association raised concerns that the leak could compromise patients' use of digital medical files such as the government's My Health Record program.
The government was unaware of the service, called the ‘Medicare Machine’, until the journalist’s report was published.
Healthcare security has long been a concern across the security industry, particularly as more and more sensitive data is moved into digital form. Despite years of talking up the importance of security – and a statement by minister for human services Alan Tudge that "the security of personal data is an extremely serious matter" and that the government "has an ongoing commitment to prioritise cyber security" – the latest breach gives retrospective weight to a 2015 Unisys survey in which half of Australians said they expected their personal data to be compromised within the next year because of poor security at a government agency.
Similar concerns are tainting the wholesale migration to the cloud by public and private-sector organisations, which, according to recent research by Symantec, are being targeted by cyber criminals who see the new infrastructure as "a potential goldmine".
Fully 86 percent of the CISOs responding to Symantec's Chief Information Security Officer Survey named ensuring that cloud applications comply with regulations as one of the most stressful aspects of their job. The survey also found that Australian CISOs rank account hijacking – one plausible vector for a breach of the Medicare kind, since it needs only stolen or guessed credentials rather than a software exploit – as the top external threat, at a rate exceeding that of CISOs in any of the 10 other surveyed countries.
Forward-looking CISOs are “eradicating exploitable vulnerabilities by deploying proactive, end-to-end solutions,” the report’s authors noted, with a majority adopting technologies like encryption and tokenisation to improve cloud security. Some 95 percent said they were increasing spending on IT staff security training, with new IT employees set to undergo an average of 20 hours of security training – more than any other country except India – during the onboarding process.
Yet despite this level of technology-driven investment, weaknesses in process rather than in tools continue to undermine security programs: a recent Gartner analysis predicted that by 2020, information security programs sponsored by IT will suffer three times as many significant breaches as those sponsored by business leaders.
Incidents such as the Medicare compromise inevitably stoke boards' interest in cybersecurity, and boards are in turn taking a greater interest in security and risk.
“This means there is a greater onus on security to translate the work they’re doing into a business context,” Gartner advises. “Without the communication there is a misalignment between security and what’s going on in the rest of the organisation.”
In other words, just because an organisation has IT security doesn't mean it is secure. Recent Ponemon Institute-IBM X-Force research did suggest that the cost of a data breach fell globally during 2016 – echoing an Australian reduction in 2015 that had defied global trends.
Ultimately, containing the damage from such breaches – or, ideally, preventing them altogether – will require closer attention from business leaders as well as from technologists, who are better equipped than ever to act.
“The data is there,” IBM Australia security services leader Glen Gooding recently told CSO Australia. “Being able to consume it and understand it – and make appropriate use of it in a short timeframe – is what’s going to make people successful in getting on top of any sort of security outbreak within their organisations.”