The underlying rationale behind the introduction of the Notifiable Data Breach (NDB) scheme was to allow businesses to take the necessary actions to change and/or re-secure themselves in the event that personal information and company data had been illegally accessed, disclosed or lost. To ensure organisations report data breaches, significant penalties exist for non-compliance with the law.
Notifiable Data Breaches Quarterly Statistics Report 1 April – 30 June 2018
The second NDB quarterly report, published by the Office of the Australian Information Commissioner, has shed further light on the issue of data breaches in Australia. What is immediately evident is a 300% increase in reported data breaches across Australia since April (284.1% to be specific). However, I do accept that the first report covered a shorter reporting period, which somewhat accounts for the significant differential.
Whilst a 300% increase is a concern to Australian businesses, it’s also encouraging as it demonstrates Australian organisations, and the wider community, are aware of the legislation and obligation to report on data breaches.
Additionally, it is worth noting some salient points:
- Health maintained the number one ranking for the most reported data breaches
- Malicious or criminal attacks jumped 14.56% to 59%
- The reverse was true for data breaches caused by ‘human error’ – dropping 14.79% to 36%
- With regard to malicious attacks – 77% of cyber incidents were related to compromised credentials of some sort
Why Health Records?
It’s both unsurprising and interesting to see health topping the list for the most data breaches reported. Health data comprises contact information, financial details, and sensitive and personal information – it’s a very rich composite and a treasure trove for malicious attackers to hold people to ransom (i.e. blackmail and coercion) and to plan further attacks. In fact, health care records are more valuable than credit card information on the dark web, with prices reaching upwards of $100 per record.
This correlates with what we see in recognised global reports on data breaches. For instance, Verizon’s Data Breach Investigations Report 2018 also ranks health organisations number one for data breaches, with reported attacks increasing by 9% in 2017. Similarly, the UK Information Commissioner’s Office’s recent quarterly report also had health at number one – up some 21% from the previous reporting period.
It is simple – health data is incredibly valuable! It is the ‘Swiss army knife’ of data.
Why is this happening?
The most recent NDB quarterly report reinforces that data protection for health organisations should be their top priority. This is not a uniquely Australian issue; as demonstrated above, we’re seeing independent reports from all around the world revealing health as the number one most breached sector.
Some of the reasons for the spike could be attributed to the health industry’s low level of cyber security maturity. The causes range from insufficient cyber security awareness through to the large extent of shared networks, often involving a vast range of connected devices (many of them outdated). Additionally, this is one industry with many ‘fingers in the pie’, i.e. a great many people have access to health information and vast amounts of data.
Just imagine the number of people who have access to your health records.
This industry also has the highest risk from human error and mishandling issues, such as information sent to the wrong patients as well as inappropriate disposal. Misuse most commonly stems from privilege abuse, i.e. staff accessing records without having a legitimate need to know.
What can be done?
We can use the report as an indicator when continuing the discussion on My Health Record and how protection needs to be front of mind. Cyber security is about increasing the level of resilience to threats, managing business risk and protecting assets. There is no perfectly safe and secure system, but we can work to improve things.
Firstly, to improve visibility and clarity around data breaches affecting the healthcare industry in the future, it would be beneficial to aggregate the data from the states and territories with the My Health Record statistics. This will allow a more accurate and complete picture of healthcare data breaches.
Next is what I have been referring to for over half a dozen years – basic cyber hygiene. This focuses on the fundamentals – patching, applying updates and creating good cyber awareness. This also includes your backup and restore functions. Ask yourself – when were they last tested?
Then there is the question of whether the usual safeguards for computer-accessible information are adequate.
Integrating multifactor authentication and building access controls into health IT applications can help prevent healthcare data breaches. However, multifactor authentication between the organisation and the person is only one part. We need to think and then plan for a more holistic solution. This means also considering which third parties will need access to the system. If that is the case, then we need to look more along the lines of a certificate-based authentication and authorisation capability, i.e. B2B functionality.
We expect to see an increase in conversations around the adoption of encryption as a means of providing effective data protection. Where cloud hosting is involved, encryption also helps meet the challenges of extra-territorial reach brought on by the legislation of various countries. This is where keeping data on-shore is critical in managing security and protecting Australian data. At RSA, we recently introduced local hosting for our RSA SecurID® Access solution, hosted inside Microsoft Azure’s ‘protected’ level data centres in Canberra, to enhance performance and minimise risk of data breaches.
As for all sectors, incident response capability is mandatory in today’s business environment. All organisations must have the capability to manage and triage incidents. It’s not about ‘if’ you will be compromised but ‘when’. Here ‘visibility’ is the key. If you cannot see, you cannot measure. If you cannot measure, you cannot act. Visibility applies to the monitoring and prevention phase as well as to the response and investigation phase.
Leonard Kleinman, Chief Cyber Security Advisor – Asia Pacific Japan, RSA