Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, March 02, 2022

It Seems That The Heath Sector Is Still Struggling With Data Protection And Security.

This appeared last week:

Wednesday, 23 February 2022 19:37

OAIC report reveals 464 reported breaches 2H 2021, 17% from emailing PII to the wrong person

By David M Williams

The Office of the Australian Information Commissioner (OAIC) has released the latest Notifiable Data Breaches Report, covering July to December 2021. The report shows 464 data breach notifications, up 6%, with almost one in five being due to somebody emailing the wrong person.

Of the 464 notifications, 55% or 256 were due to malicious or criminal attacks, yet this is a decrease of 9% from the previous quarter.

Human error breaches have increased to 190 notifications or 41% of the total - and of those, 43% were from personally identifying information - or PII - being emailed to the wrong recipient. That’s 43% of 41% of the total, meaning over 17% of all data breaches from all sources were due to careless emails. The next highest human error cause was unauthorised disclosure.

Health service providers are the top industry reporting data breaches, followed by finance. 71% of breaches affected 100 people or fewer. However, one data breach notification affected more than one million, but fewer than 10 million people. Two notifications affected 50,001 to 100,000 people.

8% of breaches were identified in under 30 days, while 4% were not identified until a year or more had passed. 1% of data breaches could not be pinpointed as to when the breach actually occurred.

Angelene Falk, the Australian information commissioner and privacy commissioner, calls for organisations to put accountability at the centre of their information handling practices. “Doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation,” she said.

Falk noted some organisations are falling short of the scheme's assessment and notification requirements. As the risk of serious harm to individuals often increases with time, the OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter timeframe. Of the 464 breaches in the second half of 2021, 75% were reported to the OAIC within 30 days, while 13% took up to 60 days, and the remainder took longer.

The OAIC report received widespread interest from security and privacy experts.

"The fact that the financial services industry is so often the victim of a cyber breach does not indicate a lack of cybersecurity commitment or good practice on their part,” said Steven Armitage, country director, SANS Institute. “The sector’s position as one of the most breached shows how heavily targeted the industry is by cyber adversaries. It also illustrates how cooperatively the FSIs work with regulators under their mandatory breach notification requirements. They take their cyber obligations seriously. The sector has made significant investments and genuine leaps forward in improving its cyber security posture in recent years, investing in its people and technology. Nevertheless, with 42 per cent of data breaches resulting from malicious or criminal attacks and 48 per cent of data breaches resulting from human error, the need for FSIs to remain vigilant and to continue that improvement is clear.”

“Of the 464 notifications, 55% are attributed to malicious or criminal attacks. This figure suggests the sophistication and scale of cyber-attacks are continuing to get the best of Australian organisations. Threat actors are chasing larger paydays and finding new vulnerabilities in a wide variety of targets, while many organisations are struggling to bring their cybersecurity up to standard for hybrid work,” said John Donovan, managing director ANZ, Sophos. “First and foremost, Australian businesses must change their mindsets around cybersecurity and adopt a model wherein they assume they will be breached. Subsequently, it’s crucial that leaders invest in the right technology to build their cybersecurity foundation and focus on resilience and recovery as well as protection. Considering 41 per cent of the data breaches were a result of human error, up 11 per cent from the previous report, organisations need to make staff cybersecurity education a priority; this is essential to creating a cyber-aware culture and addressing this statistic.”

Lots more here:

https://itwire.com/security/oaic-report-reveals-464-reported-breaches-2h-2021,-17-from-emailing-pii-to-the-wrong-person.html

The full report is here:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021

Sadly, while the health sector continues to struggle with data breaches, the linked report does not seem to categorise the nature of the health sector breaches. It would be interesting to know whether the breaches in the health sector were mostly human error or the result of malicious acts. I would suspect the human error component would be fairly high (wrong e-mail addresses of fax number errors).

We do know that 120 of the breaches involved health information. (Chart 4 of the presentation.)

Interesting that many struggled to get the use of ‘blind copy’ right.

Well worth a read to see the types and causes of breaches!

David.

 

No comments: