Cybersecurity specialist Centrify has called for Australia to apply the principle of Zero Trust Security to protect the confidential health details of millions of Australians in its new My Health Record database.
My Health Record is an online store of health information, which currently contains records for 5.9 million Australians, for access by doctors, hospitals and other healthcare providers. From Monday this week, people across Australia have just three months to decide if they want to opt out of the system (https://www.myhealthrecord.gov.au/).
Centrify, a leading provider of Zero Trust Security through the power of Next-Gen Access, warns that storing health records online risks attracting a lot of unwanted attention by creating a data “honeypot”. Earlier this year, the Office of the Australian Information Commissioner (OAIC) reported that 24 per cent of notified data breaches during the first quarter were from the healthcare sector. Security professionals report that criminals sell health data online at a premium.
Centrify Senior Director APAC Sales Niall King said the My Health Record initiative needed security at its core, both for the online database itself and for the health professionals who access it. “Saying a website is ‘password-protected’ offers about as much reassurance as a ‘beware of the dog’ sign to a postie,” he said.
“While the My Health Record system has a lot of built-in security, such as two-factor authentication and detailed auditing of anyone who accesses your health record, people need to turn on many of these features in the system, which puts the onus on them to apply the appropriate security settings. The risk here is that convenience is put before security.
“Centrify calls for a Zero Trust Security model, which assumes that people inside the network are no more trustworthy than those outside it. In the My Health Record context, this would mean applying full security at the outset and reducing it when needed rather than making security-off the default setting.
“The challenge for My Health Record is that putting vast amounts of confidential health data into a single online database creates a huge ‘honeypot’ to attract the bad guys, so security needs to be at the heart of the entire system.”
Mr King said healthcare providers, including doctors and hospitals, also needed to rethink their security if they were accessing data stored in the My Health Record system. “Reports suggest that the system can be accessed by 12,860 health organisations and as many as 900,000 health professionals, which creates rather a lot of risk,” he said.
“Even putting aside the danger of cyber attacks, data breaches can arise from unauthorised employees accessing the system or a doctor leaving the surgery without logging off the system.
“Regardless of their size, organisations with access to My Health Record need to review how they protect these confidential health records by applying a Zero Trust Security model, which can track who accesses the system, when and where they access the system and from what device.
“While it requires both time and money to apply Zero Trust Security to your computer systems, that resource pales into insignificance compared to the huge financial and reputational costs of suffering a public data breach.”
For media assistance, call John Harris on +61 8 8431 4000 or email firstname.lastname@example.org.
About Centrify

Centrify delivers Zero Trust Security through the power of Next-Gen Access. The Centrify Zero Trust Security model assumes that users inside a network are no more trustworthy than those outside the network. Centrify verifies every user, validates their devices, and limits access and privilege. Centrify also utilises machine learning to discover risky user behaviour and apply conditional access — without impacting user experience. Centrify’s Next-Gen Access is the only industry-recognised solution that uniquely converges Identity-as-a-Service (IDaaS), enterprise mobility management (EMM) and privileged access management (PAM). More than 5000 worldwide organisations, including over half the Fortune 100, trust Centrify to proactively secure their businesses. Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.