Thursday, March 05, 2020

Health Takes Two Awards For Being Hopeless At Protecting Health Data, Losing It Or Letting It Roam Freely!

This release appeared late last week.

Email highlighted as a key risk for data breaches

28 February 2020
Malicious or criminal attacks including cyber incidents remain the leading cause of data breaches involving personal information in Australia, with almost one in three breaches linked to compromised login credentials, a new report shows.
This includes phishing attacks which caused at least 15 per cent of data breaches notified to the Office of the Australian Information Commissioner (OAIC) from July to December 2019.
The OAIC’s latest Notifiable Data Breaches (NDB) Report warns organisations about the risks associated with storing sensitive personal information in email accounts.
Australian Information Commissioner and Privacy Commissioner Angelene Falk also highlighted the risk of harm to individuals whose personal information is emailed to the wrong recipient (9% of all breaches).
“The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches,” Commissioner Falk said.
“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts.

“Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.
“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”
Personal information stored in email accounts can include financial information, tax file numbers, identity documents and health information, which can be exploited by malicious actors who gain access to inboxes.
In other key findings of the report:
  • 537 data breaches were notified to the OAIC during the reporting period, a 19 per cent increase on the previous six months
  • Malicious or criminal attacks (including cyber incidents) accounted for 64% of all data breaches
  • Human error remained a key factor in data breaches, causing 32% of NDBs
  • Health service providers remained the leading source of NDBs over the six-month period, notifying 22% of all breaches. The OAIC has jointly developed an action plan to help the health sector contain and manage data breaches and implement continued improvement
  • Finance is the second highest reporting sector, notifying 14% of all breaches
  • Most data breaches affected less than 100 individuals, in line with previous reporting periods.
Commissioner Falk said the NDB scheme is now well established as an effective reporting mechanism.
“There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies,” Commissioner Falk said.
“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised.”
Read the Notifiable Data Breaches Report for July-December 2019 at oaic.gov.au/notifiable-data-breaches-report-july-december-2019
The health sector data breach action plan was developed with the Australian Digital Health Agency, Australian Cyber Security Centre and Services Australia. It can be downloaded at oaic.gov.au/data-breach-action-plan-for-health-service-providers

About the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency established to promote and uphold privacy and information access rights. It has a range of regulatory responsibilities and powers under the Freedom of Information Act 1982, Privacy Act 1988 and Australian Information Commissioner Act 2010.
Here is the link:
Looks like the health care system has a way to go on the basis of what is reported here.
Along with this we also see this report of other research:

Business email compromise Australia’s ‘most prevalent’ security threat

Business email compromise (BEC) was the most prevalent security threat in Australia in 2019, accounting for 23.6% of global attempts and placing Australia in the top two countries with the most attempted attacks - and with the healthcare sector globally remaining the most targeted industry.
Australia also landed in the top five countries with the greatest number of malware detections, with over 20 million detections blocked in 2019, according to cybersecurity firm Trend Micro in its 2019 security roundup report released on Wednesday.
Ransomware continued to be a mainstay cyber threat last year, according to the Trend Micro report, with globally the security firm discovering a 10% increase in ransomware detections, despite a 55% decrease in the number of new ransomware families.
The healthcare sector remained the most targeted industry globally, with more than 700 providers affected in 2019 - while in Australia, a number of Victorian hospitals fell victim to ransomware attacks in 2019, forcing the healthcare facilities to go offline entirely.
“The ramifications for the healthcare sector are particularly detrimental as legal constraints come into play. Often medical systems are managed by third parties and upgrading OS/patch systems requires a repeat in clinical trials to remain compliant, which can sometimes take years to complete,” says Trend Micro.
“Digital transformation has been a business buzzword for decades, and the concept has yielded very positive results over time. But security is often an afterthought, which leaves digital doors wide open for cybercriminals,” said Dr Jon Oliver, Director and Data Scientist, Trend Micro.
“Despite the prevalent ideals of digital transformation, lack of basic security hygiene, legacy systems with outdated operating systems and unpatched vulnerabilities are still a reality.
“This scenario is ideal for ransomware actors looking for a quick return on investment. As long as the ransom scheme continues to be profitable, criminals will continue to leverage it.”
Trend Micro’s report notes that to improve the ransomware business process, alliances between ransomware groups were formed in 2019, demanding millions of dollars in ransom.
More here:
Yet again it is the health sector and email that seem to be causing the most problems!
Fixing this has to revolve around awareness and education. To date we have not made much progress, so we need to stick at it, I guess.
David.