Tuesday, May 17, 2016

This Is A Rather Ominous Report With The Same Story Also Happening Globally.

This appeared last week:

Australian health sector an easy target for cyber criminals, says IBM

A push to encourage greater adoption of electronic health records has raised the spectre of online record theft

According to IBM’s 2016 Cyber Security Intelligence Index, there has been a clear shift recently in online targets, essentially away from credit cards and toward health-related data.
IBM has worked with small suburban medical and dental centres in Australia, which have become a particular target for ransomware.
Glen Gooding, an executive from IBM’s Security Services (ANZ), said health records were “an important way to extract money by taking on the persona of someone else”.
He added health-focused organisations were often an easier target than financial sector businesses, many of which have implemented more robust information protection systems.
“In the local medical clinic there’s usually not a large IT component, and there’s a lack of skills. They are an easy target,” said Gooding.
Moreover, there’s going to be a whole lot more such targets as both federal and state authorities ramp up initiatives to encourage the creation of online health records.
The federal scheme, originally dubbed the Personally Controlled Electronic Health Record, has been renamed MyHealth. Currently an opt-in regime, 2.7 million people now have a MyHealth record, but the federal government expects its opt-out trials now underway will net another one million.
Australia’s May budget earmarked A$156m for the Australian Digital Health Agency, which starts operations in July and is charged with encouraging the uptake and use of online health records, and also for managing their security.
While the central database may be locked down, the access points are widespread, and security education will be essential to ensure health records aren’t leaked from the 8,400 connected healthcare entities now using the system, including GPs, hospitals, pharmacies and residential services for the elderly.

More here:
In the same week we see this from the US:

Ponemon Institute: Poor state of healthcare cybersecurity causing industry finger pointing

May 12, 2016 | By Susan D. Hall
Criminal attacks continue to be the leading cause of data breaches in healthcare, with ransomware the latest threat, according to a new privacy and security survey conducted by the Ponemon Institute.
The study estimates the cost of breaches for the healthcare industry to be $6.2 billion, with the average cost to an individual organization at $2.2 million. For business associates the cost is more than $1 million. Nearly 90 percent of responding organizations said they experienced a data breach in the past two years, and 45 percent had more than five, though many of those were small incidents.
Ransomware, malware, and denial-of-service (DOS) attacks are the top cyberthreats that healthcare organizations face, the report notes, though they're also concerned about employee negligence, mobile device insecurity and use of public cloud services.
At the same time, organizations don't feel adequately prepared to deal with breaches.
FierceHealthIT spoke with Larry Ponemon, chairman and founder of the Ponemon Institute, and Rick Kam, president and cofounder of ID Experts, which sponsored the report, about the implications of the survey.
FierceHealthIT: These results sound like what we've been hearing over and over. Is there anything new or surprising?
Kam: It's more of the same. Last year criminal attacks were on the rise. Healthcare data has high value. The thing I find surprising is that Larry has been doing this study for six years now, and we've got the same problems cropping up. Why is that?
One of the nuances that came out of this study is that it seems there's some finger-pointing going on among players in the healthcare ecosystem. Healthcare entities are pointing fingers at business associates and business associates are doing the same thing back to covered entities.
In my mind, it boils down to the issue of accountability. Someone has to take responsibility to make sure risk assessments are done and there has to be follow-through on the appropriate investments to make sure data is secure. Organizations are making investments, but they seem not to be making them in a way that's reducing the problem. So there's a problem somewhere.
Lots more here:
I have to say, realistically, it is really a matter of when, rather than if, information in the myHR is compromised. It is a great pity the system is not much more distributed to avoid the large single database risk.
Time will tell, but we all need to be careful in the area of patient sensitive information.
David.
