The health sector has topped the list of notifiable data breaches for the fourth consecutive quarter, as identified by the Office of the Australian Information Commissioner.
In its latest Notifiable Data Breaches Quarterly Statistics Report, which covers data breach notifications received between 1 October and 31 December 2018, the Office of the Australian Information Commissioner (OAIC) said the private health service provider sector reported the most data breaches, accounting for 54 of the 262 breach notifications received.
Of these notifications, 54 per cent were the result of human error, including incidents involving communications sent to the wrong recipient, insecure disposal of personal information, or loss of paperwork or a data storage device.
Malicious and criminal attacks were the second largest source of data breaches from the health sector, at 46 per cent. Cyber incidents were the most common type of attack, accounting for 44 per cent, while theft of paperwork or a data storage device was the second most common type of attack (32 per cent).
The OAIC said these notifications do not include those made under the My Health Records Act 2012 as they are subject to specific notification requirements set out in the act.
In addition, it stated that most of the health sector notifications in the period involved the personal information of 100 individuals or fewer (59 per cent of breaches).
The report also showed that the number of notifiable data breaches is on the rise. Between 22 February 2018 (when the notifiable data breaches scheme commenced) and March 2018, the sector reported 15 cases.
Between April and June that year, there were 49 cases, and between July and September 2018, there were 45 such cases. The latest quarter’s results are the highest to date.
INDUSTRY RESPONSES
As one of the most data-rich and vulnerable sectors when it comes to cybersecurity, the health sector faces the unique challenge of balancing security with accessibility to patient records, while at the same time coordinating care that supports a patient-centric approach to healthcare.
Zscaler ANZ Country Manager Budd Ilic said it was becoming increasingly clear that traditional security solutions are no longer up to the task when it comes to protecting organisations.
“Our environments and architectures are now so complex it’s difficult, if not impossible for practitioners to effectively monitor their environments and is a contributing cause to incidents like these,” Ilic said.
“The growing usage of mobile devices and cloud-based applications and services means users are not protected, and internet gateways are unable to handle advanced threats.”
Ping Identity Asia-Pacific Chief Technology Officer Mark Perry said balancing security with customer convenience and employee productivity has never been an easy exercise.
“But, there is really no excuse these days as modern authentication solutions provide the means to secure the most common enterprise attack vectors without getting in the way of the employees, partners and customers who need access,” Perry said.
“As a result, IT professionals need to understand the value and effectiveness of the appropriate security controls for their businesses before taking a one-size-fits-all approach to protecting data.”
CQR Consulting Co-Founder and Chief Technology Officer Phil Kernick said the mix of human error and malicious attacks that makes up the majority of data breach sources will see an “expensive enforceable judgement” against at least one Australian company which finds itself in breach of the legislation.
“If this should happen, there will be a scramble among businesses to adopt a heightened data security, risk and compliance culture, who until now may have taken a rather laissez-faire approach to their cybersecurity footing,” Kernick said.
“The good news is that Australian businesses will continue their mass migration to the cloud in 2019 and while the cloud is not without its vulnerabilities, the security measures which cloud providers offer as standard will be a positive step forward.”
Aura Information Security Australia Country Manager Michael Warnock agreed and added that the healthcare industry should understand the data risk if insecure cloud practices aren’t addressed with robust security measures and ongoing workforce education.
“Many [organisations] will remain a happy hunting ground for cyber criminals as company management continue their reluctance to allocate investment for high-tech protection. At the same time, they don’t expect an attack to happen to them, so they refrain from elevating the issue on their training agendas,” Warnock said.
“The harsh reality is, cyber attacks will continue to grow in both frequency and complexity over the coming year. [Organisations need to] implement ongoing training to teach employees to recognise potential threats, adopt responsible data protection behaviour and allocate sufficient funds to cover protection measures commensurate with their risk profile.”
LogRhythm Asia Pacific and Japan Senior Regional Marketing Director Joanne Wong addressed the need for healthcare providers to take a more holistic approach to cybersecurity and to practise good IT and security hygiene, such as patching systems and applications, updating and modernising their systems, applications and infrastructure, and restricting access to only those who need it.
“They also need to be able to validate identities, and encrypt or apply other safeguards to critical business systems and data,” she said.
“There’s no doubt that any company having anything of digital value will eventually be compromised. The question is, how fast can a security operations team detect these compromises and neutralise threats? Businesses don’t stand a chance without sophisticated analytics and modern workflow automation that can drive accurate threat detection.”
LOOKING TO THE FUTURE
SailPoint Chief Product Officer Paul Trulove said that with only four OAIC notifiable data breaches reports issued, spanning a period of less than a year, it is “impossible to determine” whether these patterns will continue into the future, especially as Australian businesses continue to learn how to report breaches.
“Health service providers are a gold mine of valuable personally identifiable information for cybercriminals, especially as more health information is digitised,” he said.
Trulove added that the report findings highlight that healthcare has a long way to go to improve its security posture.
“The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers. This is a trend we do not expect will ease up, as hackers now know that users offer them the keys to the proverbial kingdom, once compromised,” he said.
“The most secure path forward for organisations today continues to be taking a comprehensive approach to security, one that puts identity governance at the centre, ensuring visibility and governance over all users and their access to all applications and data.”
WatchGuard Technologies ANZ Country Manager Mark Sinclair said for healthcare organisations to stay out of these quarterly reports, they will need to have in place business continuity plans and a “well-balanced cybersecurity strategy”.
“This strategy will spread funds across threat prevention, detection and response, user education, business continuity and disaster recovery,” he said.
“And why not test that plan in 2019 to see your technology and employee response in the event of a disaster? Prior preparation could be the difference between picking up the pieces and closing your doors.”