Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record, it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, February 13, 2019

The Security Of Computers In The Health Sector Is Looking Like A Bit Of A Joke!

This appeared a few days ago:

The last quarter of 2018 saw more Australian data breaches than ever

Years of investment in security have failed to stem the number of data breaches affecting Australian companies, with new figures bringing to 812 the number of compromises reported since the notifiable data breaches (NDB) scheme went into effect nearly a year ago.
The latest quarterly figures from the Office of the Australian Information Commissioner (OAIC) revealed that 262 data breaches – over 87 per month, on average – were reported to the data-governance watchdog in the final calendar quarter of 2018.
The breaches involved the compromise of at least 1.63m records, up from more than 1.19m records in the first full-quarter report last July.
Contact information was breached in 223 incidents, with financial details compromised in 123 breaches – well up from the 102 breaches of financial information noted in the July report.
Identity information was compromised in 94 cases, while personally identifiable information (PII) related to some 17,746 individuals was leaked in 15 breaches attributed to unauthorised disclosure, unintended release or publication.
Human error was blamed in 33 percent of incidents while malicious or criminal attacks were found in 64 percent of all data breaches, with 114 cases attributed to a cyber incident, 25 cases due to the theft of paperwork or a data storage device, and 20 due to a rogue employee or insider threat.
The most common form of incident was phishing through which credentials were compromised, which was reported in 43 percent of cases. Compromised or stolen credentials through other methods were reported in 24 percent of cases.
“Australian organisations are struggling to see and understand the risks associated with compromised user credentials,” SailPoint chief product officer Paul Trulove said in response to the new figures.
“The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers. This is a trend we do not expect will ease up, as hackers now know that users offer them the keys to the proverbial kingdom, once compromised.”
Ransomware attacks were noted in 10 percent of incidents, with hacking (8 percent), brute-force attacks (8 percent), and malware (7 percent) making up the balance.
As in each past report, the health sector continued to lead the ranks of breaches reported to the OAIC – accounting for 54 (20.6 percent) of the breaches, not including any compromises of the controversial My Health Record (MHR) system. The financial and superannuation industry was also widely compromised, with 40 separate attacks, while legal, accounting and management services and education organisations reported 23 and 21 incidents, respectively.
More here:
There is additional coverage here:

Accidental personal info disclosure hit Australians 260,000 times last quarter

85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally.
By Asha McLean | February 7, 2019 -- 01:00 GMT (12:00 AEDT) | Topic: Security
The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of a human error.
The report [PDF] says that during the period covering October 1 through to December 31, 2018, 262 notifications of data breaches were received by the Office of the Australian Information Commissioner (OAIC), with 85 being put down to human error.
Data breaches involving human error that resulted in the unintended release or publication of personal information were uncovered in 15 cases. For these cases, there was an average of 17,746 individuals affected.
Meanwhile, breaches that caused a failure to securely dispose of records of personal information impacted around 600 individuals, the report added.
The loss of paperwork or a data storage device was to blame for around 330 individuals having their information exposed, while 23 individuals had their personal information sent to a "wrong" email address.
Two individuals had their information exposed due to a fax being sent to the wrong recipient.
Malicious or criminal attacks were the largest source of data breaches during the quarter, accounting for 64 percent of all data breaches -- 168 data breaches.
68 percent of these involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, compromised or stolen credentials, and social engineering or impersonation, the report explained.
"Many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor, such as clicking on an attachment to a phishing email," it said.
Theft of paperwork or data storage devices from malicious or criminal attacks accounted for 15 percent of the breaches. Other sources included actions taken by a rogue employee or insider threat, which involved 12 percent of the breaches, as well as social engineering or impersonation which was to blame for five percent of the cases.
"System faults" were identified as the reason for three percent of data breaches during the three-month period.
The health sector remained in pole position as the most breached, accounting for a total of 54 NDBs. Finance, including superannuation, was the second most breached sector, accounting for 40 notifications; followed by legal, accounting, and management services with 23; education with 21 notifications; and 12 from the mining and manufacturing sector.
Of the health-related notifications, human error was identified as the cause in 29 cases.
More here:
and here:

Health sector tops latest OAIC breach report, yet again

Hafizah Osman | 08 Feb 2019
The health sector has topped the list of notifiable data breaches for the fourth consecutive quarter, as identified by the Office of the Australian Information Commissioner. 
In its latest Notifiable Data Breaches Quarterly Statistics Report, which captures data notification breaches received between 1 October and 31 December 2018, the Office of the Australian Information Commissioner (OAIC) said the private health service provider sector reported the most data breaches, accounting for 54 of the 262 breach notifications received. 
Of these notifications, 54 per cent were the result of human error, including incidents involving communications sent to the wrong recipient, insecure disposal of personal information, or loss of paperwork or a data storage device.   
Malicious and criminal attacks were the second largest source of data breaches from the health sector, at 46 per cent. Cyber incidents were the most common type of attack, accounting for 44 per cent, while theft of paperwork or a data storage device was the second most common type of attack (32 per cent).
The OAIC said these notifications do not include those made under the My Health Records Act 2012 as they are subject to specific notification requirements set out in the act. 
In addition, it stated that most of the health sector notifications in the period involved the personal information of 100 individuals or less (59 per cent of breaches). 
The report also showed that the number of notifiable data breaches is on the rise. Between 22 February 2018 (when the notifiable data breaches scheme commenced) and March 2018, the sector reported 15 cases.
Between April and June that year, there were 49 cases, and between July and September 2018, there were 45 such cases. The latest quarter’s results are the highest to date.
Lots more here:
Separately we see just what a threat e-mail based fraud is becoming:

‘Dramatic rise’ in email fraud with banking Trojans biggest threat

Fraud attacks on emails continue to grow dramatically, with the number of attacks against targeted companies increasing 226% between Q3 2018 and Q4 2018, and a whopping 476% when comparing Q4 2017 and Q4 2018, according to a new global security threat report.
“Email fraud has seen explosive growth and it’s clear that today’s cybercriminals are relentlessly targeting people, rather than infrastructure,” said Tim Bentley, vice president of Asia-Pacific and Japan for cybersecurity and compliance company Proofpoint.
“As these threats continue to grow in volume and sophistication, it is imperative that Australian organisations implement a people-centric security approach that includes a comprehensive email fraud defence and security awareness training. Ultimately, Australians must consider the individual risk each user represents, and understand how they are targeted, in order to better protect them.”
The report from Proofpoint, revealing threats and trends across its own global customer base and in the wider threat landscape, found that banking trojans remained the top email-borne threat in Q4 2018, making up 56% of all malicious payloads.

Of those, 76% were classified as Emotet (an advanced, modular banking Trojan). Remote access Trojans accounted for 8.4% of all malicious payloads in Q4 and 5.2% for the year, marking what Proofpoint says was a significant change from previous years, in which they were rarely used by crimeware actors.
More here:
All this makes for truly sobering reading.
With the Health Sector such a big participant in the figures, it is surely only a matter of time before we have some major compromise of the #myHealthRecord. Unless you really want or need one of these, I would be using the new delete function as soon as I could!
David.

3 comments:

Anonymous said...

Answers to these increasing issues are exactly what I am expecting the ADHA interoperability strategy to address. As governments increase and to some extent enforce interoperability, how are they going to address the consequences of an interconnected trust model where sharing replaces exchanging?

Anonymous said...

I would suggest you lower your expectations considerably, 10:47AM.

Andrew McIntyre said...

Hi 10:47am - if you are waiting for the ADHA to deliver a workable interoperability strategy then you had better be patient. Every national eHealth authority in the last 2 decades has promised this and I see zero evidence they have even a basic grasp of the issues. I suggest you start testing the interoperability at a technical level and identify the actual issues. That is something the ADHA have not done, or perhaps it's at too low a level for them to understand. They would rather issue a change management blueprint that should deliver by 2050.