Thursday, April 26, 2018
It Rather Looks Like Health Information In Australia Is A Hackers' Target – Not Good.
This appeared last week:
By technology reporter Ariel Bogle
In 2016 a Californian hospital desperately paid $US17,000 in bitcoin as ransom to a hacker who had seized control of its computer systems.
But in making the payment, the Hollywood Presbyterian Medical Centre unwittingly helped make the healthcare sector a growing target for hackers, says a leading cybersecurity expert.
"They paid the ransom and they were public about it," said Denise Anderson, president of the US National Health Information Sharing and Analysis Centre.
"It painted a target on the back of healthcare."
Ms Anderson works with health providers to share cyber threat information and techniques for thwarting online attacks.
Speaking at the recent Australian Cyber Security Centre conference in Canberra, she echoed a concern heard many times at the event — as we put more medical information online, healthcare is becoming one of the preferred targets.
The result is very real threats that range beyond privacy breaches to delayed surgery, blackmail and identity theft and other criminal activity.
For Ms Anderson, a security breach suffered by the American health insurance provider Anthem in 2015 was also a turning point.
The personal information — including names, birthdays and social security numbers — of about 79 million people was accessed by a hacker.
"Bad actors saw that and realised the value of the data that was there," Ms Anderson said.
"Would they have been able to do that 10 years ago? Probably not."
Australia's healthcare system, like transport or energy, is critical infrastructure.
That's why the WannaCry ransomware attack in 2017 was a wakeup call, said Alastair MacGibbon, head of the Australian Cyber Security Centre.
The malicious software locked up National Health System computers in the UK and demanded a ransom, causing appointments to be cancelled and surgeries delayed.
"That highlighted to some operators of hospital infrastructure that a ransomware attack can actually have life and death implications," he said.
The industry is increasingly aware of cyber risks, added Dr Nathan Pinskier of the Royal Australian College of General Practitioners and an e-health specialist.
"In Australian cybersecurity, there are only two types of healthcare organisations — those that know they've been hacked and those that don't know they've been hacked," he said.
"Everybody's a target."
While large institutions may have systems in place to detect online intrusions and deal with them, smaller general practices may not.
Dr Pinskier said his mantra is "protect, prevent, preserve", and most importantly, "backup".
Hospital systems are not the only target — your own health records could be, too.
These records are incredibly rich, Ms Anderson pointed out.
It's not just names and dates of birth, which can be used for identity theft, but someone's blood type or even the prescription drugs they take.
"If you can get a set of data saying, 'all these people are being prescribed opioids', for example, [you can] harvest their credentials and get their prescriptions," she said.
According to Mr MacGibbon, online criminals are mostly "coin-operated".
"Their preferred ... target is cash itself. If you can't get the cash, then you go for things that can be converted to cash. And personal data is one of those things," he said.
Sensitive health information, for example, could be used to blackmail a public figure or extract a ransom from a medical provider.
And health data has what's called a large "threat surface" — many vulnerable points where it could be accessed.
"So, a medical practitioner, my GP, shares information with a specialist, shares information with a hospital ... then it has to be shared with Medicare, my private health insurer in order to pay bills," Mr MacGibbon explained.
Of course, not all security breaches occur as a result of access by hackers.
Figures for the first quarter of 2018 from Australia's data breach notification scheme show that over all sectors, around half of breaches were caused by human error.
The scheme found most breaches came from the healthcare sector.
Ms Anderson also raised concerns about the Australian government's My Health Record project — an online summary of personal health information uploaded by care providers.
According to a report by the Australian Information Commissioner, 113 people were affected by unauthorised access of My Health Records by a third party in 2016-17.
In late 2018, all Australians will have a record automatically created for them if they don't already have one — unless they opt out. People will be given three months to opt out but the dates for this are yet to be announced.
Ms Anderson said she would personally be "nervous" about having such information centralised and accessible in one place.
"No matter how good you say you are at doing stuff like that, and any defensive measures that you put in place, eventually there's going to be some kind of breach," she said.
An Australian Digital Health Agency spokesperson said, "My Health Record balances safety and security with the benefits available to consumers and healthcare providers".
Professor Bronwyn Hemsley, head of speech pathology at the University of Technology Sydney, has researched attitudes to My Health Record.
She said the scheme could make an important difference to patient care by easing barriers to information access between doctors and patients.
"When health information is not shared appropriately ... then we see mistakes happening," she said.
Because the system is opt-out, Australians will have to decide for themselves whether the convenience of having vaccination and medication information in one place outweighs any risk, and act upon it.
"When you connect data up, when you make it mobile, when you make it accessible, by its very nature, that increases the threat surface of that data," Mr MacGibbon said.
"There is no such thing as absolute security."
Here is the link:
It is excellent to see the issue in the mainstream media and a more balanced view of risk and benefits being put.
Posted by Dr David G More MB PhD at Thursday, April 26, 2018