Friday, April 29, 2016

This Can't Be Good News! Healthcare The Biggest Target Of Security Issues

This appeared last week:

Healthcare Data Breaches Top Reported Data Security Incident

By Jacqueline Belliveau on April 12, 2016

A recent study revealed that healthcare data breaches accounted for 39 percent of data breaches in 2015.

Healthcare data breaches were the most common type of data security incident reported in 2015, according to a recent study by Symantec Corporation.

Researchers found that approximately 39 percent of breaches during the year occurred in the health services sub-sector.

“This comes as no surprise, given the strict rules within the healthcare industry regarding reporting of data breaches,” explained the authors of the study. “However, the number of identities exposed is relatively small in this industry. Such a high number of breaches with low numbers of identities tends to show that the data itself is quite valuable to warrant so many small breaches.”

There were 120 healthcare data breaches reported in 2015, which was the largest number of data breaches across all industries studied. The next leading industries for data breaches (business and education) only reported 20 incidents each.

Despite the prevalence of healthcare data security events, the study reported only 1 percent of incidents led to exposure of identities. That still accounted for nearly four million individuals who had their identities exposed as a result of a healthcare data breach.

The study attributes the growing volume of data breaches across all industries to a shift in how cybercriminals operate.

Researchers found that more cybercriminals used more zero-day attacks, including phishing scams and ransomware, in 2015.

The number of zero-day vulnerabilities in 2015 increased by 125 percent from a year ago. Meanwhile, 430 million new malware variants were found in 2015.

“Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off,” said Symantec Security Response Director Kevin Haley. “We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.”

Even though cyberattacks are becoming more sophisticated and business-like, the healthcare sub-sector is not being targeted as frequently as other industries.

The study reveals that, in the healthcare field, about 54.1 percent of emails are spam. Cybercriminals typically use spam to execute more advanced cyberattacks.

However, the phishing ratio in the healthcare field was only 1 out of 2,711 emails, which was the second lowest ratio across all industries.

The healthcare industry was also one of the least likely sectors to be targeted for spear-phishing attacks, the study confirmed.

Additionally, the healthcare sector was the least likely to encounter an email containing a virus. The virus ratio was 1 out of every 396 emails.

Here is the link:

There is really little to add. Clearly everyone handling health information needs to be careful given they have a great big target on their back!



Bernard Robertson-Dunn said...

This is the real job advert.

This describes the agency:

"The Agency will have the authority to develop, set and deliver on the National Digital Health Strategy for Australia setting the direction for the digital health eco-system enabling all parties, both public and private, to innovate and deliver complementary products and services to leverage the national digital health infrastructure and deliver the digital health outcomes. Based on collaboration and engagement with key stakeholders, the Agency will provide secure storage and appropriate access to standards based health information in accordance with individuals consent in order to improve health outcomes for all Australians."

I have no idea what sort of government agency model they are following. It is neither a policy agency nor a service delivery agency.

They are critically dependent on the stakeholders mainly (but not only):
GPs, and
Software vendors.

With the really critical ones being GPs.

IMHO it comes down to one single strategic decision:

Should the national digital health eco-system be:
1. Based upon a government owned, central database where patients have access to their data and can choose to opt-out, or

2. A flexible, distributed health information exchange system where patient health data is stored as close to point of care as possible and which is owned by health professionals.

The decision has already been made for them without proper "thinking it through".

My 40 odd years of strategy/architecture experience and the performance of the system thus far strongly suggest that the basic assumptions of the MyHR are totally wrong.

The jobs up for grabs are here:

Anonymous said...

I think this is great, there seems to be just enough cross over of concerns so that accountability is lost. My only hope is they sort out that reference platform (what is it trying to be?) simplify the CDA to accommodate current software development needs (I really don't need thousands of PDF texts and tens of static documents). Glad to see a recognition of Architecture as a discipline (however it is not clear what level of architecture).

Overall though through this I hope they break from the past and really look at how they deliver products and services, they will need to, the current products, services and solutions deployed are old and need replacing to meet the modern information and technology needs of health. HIT seems to live in another universe to the rest of IT.