Identity information remains the holy grail of cybercriminals. Australian organisations across a wide range of industries – including healthcare, government, and financial services – store and manage billions of consumer data records. As such, they find themselves under a constant barrage of cyberattacks. Even though investment in information security products and services has been on the rise, with $165 billion invested in 2018, this has done little to deter the persistent activity of cybercriminals.
In a move to increase awareness and accountability around information security practices, the Office of the Australian Information Commissioner (OAIC) made amendments to the Privacy Act which came into effect in February 2018. The legislation requires Australian businesses to disclose any breach that involves personal customer data. Known as the Notifiable Data Breaches (NDB) scheme, it regulates the reporting and notification of eligible data breaches to the OAIC and impacted individuals.
Since the introduction of the scheme, the OAIC has received 1,027 breach notifications. Identity information has been involved in a total of 344 notifications. That’s one in every three notifications. This includes information that is used to confirm an individual’s identity, such as a passport number, driver’s licence number or other government identifier. With unauthorised access to identity information, cybercriminals could trick the victim’s bank or financial institution into giving them access to money and other accounts or claim government benefits in the victim's name.
Healthcare is suffering
It is critical to emphasise that no industry is safe from cyberattacks – yet the healthcare sector is particularly vulnerable. In the period January to March 2019, healthcare was once again the country’s most affected sector with 58 notifications. Finance was a distant second with only 27 notifications. Health service providers are prime targets for cybercriminals because of the wealth of personal data they possess and process, as well as the sensitive nature of that data.
The healthcare industry has traditionally lagged in modernising IT, as it is constrained by strict regulatory requirements. Further, the focus on usability improvements to drive adoption among non-technical audiences has at times outpaced security measures. Continued breaches among private health providers will do little to ease concerns over the My Health Record initiative. As of February this year, more than 2.5 million Australians had opted out of the electronic health records system. As connected care becomes more commonplace, the potential for identity theft also increases, especially if comprehensive access control systems aren’t established from the outset. Ensuring the privacy and security of patient data means verifying user identity, permissions and consent so that the mantra “no data about me, without me” rings true.
Keeping secure with the help of identity context
Organisations from all industries can protect identity information by implementing a strong customer identity management program. There is an incentive to avoid brand damage and costly breaches, and to use modern identity standards and practices to secure infrastructure, from servers all the way out to client-facing apps and smart devices at the edge. When the necessary steps are taken to safeguard customers' identity information, organisations will build brand trust, ensure compliance and help achieve their objectives. Protecting customer data must be a top priority for enterprises of all types and industry sectors, as the evidence is clear that cybercriminals show no sign of slowing down.