Thursday, May 16, 2024

This Is Not Good News!

This just appeared:

Federal agencies convene after cyber attack on healthcare data service MediSecure

An Australian healthcare information service which provides electronic prescriptions and a prescription monitoring service has become the latest victim of a large-scale data breach that has sent shockwaves across the nation.

The attack on MediSecure, which the company claims may have come through a third-party service, has seen cyber security agencies at the highest level convene to investigate and respond to the issue.

The eHealth business claims it is the only Australian electronic prescription service to be accredited by national eHealth infrastructure and the Personally Controlled Electronic Health Record service. It also provides software for healthcare providers to use while providing services.

MediSecure said it was made aware of a breach as early as Monday, and it began working with federal agencies including the Office of the Australian Information Commissioner.

“MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems,” the company said in a statement.

“While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.

“MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the Australian Digital Health Agency and the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.”

The data breach, which officials said they were made aware of on Wednesday afternoon, is being dealt with at the highest levels of government, with the Australian Federal Police, the Australian Signals Directorate and the Australian Cyber Security Centre all working together on the response.

But unlike high-profile cyber assaults on Medibank and Optus, the Australian Signals Directorate and Australian Cyber Security Centre did not name the organisation.

“Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident,” National Cyber Security Coordinator Michelle McGuinness said in a statement.

“I am working with agencies across the Australian Government, states and territories to co-ordinate a whole-of-government response to this incident. The Australian Signals Directorate Australian Cyber Security Centre is aware of the incident and the Australian Federal Police is investigating,” LtGen McGuinness said.

When The Australian contacted the Department of Home Affairs for further information in the early afternoon on Thursday, it was told the department was unable to share further information at this time.

“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident,” LtGen McGuinness said.

MediSecure’s website and phone lines were down on Thursday afternoon. Around 2.30pm, it updated its website to acknowledge a breach had taken place.

“MediSecure understands the importance of transparency and will provide further updates as soon as more information becomes available. We appreciate your patience and understanding during this time,” the company said.

Online, the company claims its electronic prescription service “gives doctors and pharmacists the certainty of clinical integrity and data security and can help reduce errors in the prescribing and dispensing of medicines”.

Cyber Security Minister Clare O’Neil also said she was aware of the incident and is understood to be assisting.

“I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today,” she said.

Ms O’Neil had asked that people refrain from speculating on which organisation was affected by the breach. “Updates will be provided in due course. Speculation at this stage risks undermining significant work underway to support the company’s response,” she said.

The attack comes as industry experts criticised the Albanese government’s lack of cyber security investment in the federal budget on Tuesday night.

Chris Sharp, Asia Pacific chief executive of cloud marketplace Pax8, said a lack of attention to cyber defences “sleepwalks over the financial challenges of our small to medium businesses”.

The MediSecure cyber incident comes as a recent US cloud software service Rubrik report found that the typical healthcare organisation has 42 million sensitive data records. Sensitive data in healthcare organisations jumped by 63 per cent in 2023 as the medical profession increasingly digitises patient records and uses software services, including AI-powered diagnosis services.

Here is the link:

 https://www.theaustralian.com.au/business/technology/federal-agencies-convene-after-cyber-attack-on-healthcare-provider/news-story/ed65a0cd87c7670a92eece345d618187

Not good at all!

David!

6 comments:

  1. "We take your privacy very seriously" - another one of those empty promises, usually after it has been shown to be worthless.

  2. Imagine if it was the recently announced interoperable e-prescribing solution based on the My Health App at the centre of this ... based on the recent announcement that it would be monitoring and reading your emails and SMS's looking for prescription tokens and probably nothing else.

  3. So if Telstra's eRx was the target what would be the impact? I guess we could all revert back to paper scripts!

  4. Relaxing requirements, self-declare conformance and ever increasing sophistication in the bad actor market. Was always going to happen. Can’t say trying to blame another party is helping MediSecure. You cannot outsource your accountabilities to a supply chain.

  5. If MediSecure were operating services under contract from the Commonwealth Government, surely the Cth Government had a duty of care to ensure all records were disposed of? There is no reason for a commercial enterprise to retain information after a contract has expired?

    Seems if everyone involved in escripts has been accredited to do so by the Cth Government agency responsible, seems to me that process and assessment criteria need a review.

    Looking forward to this “third-party” being named, the market is small so there is a likelihood the supplier supplies similar services to other health organisations.

  6. A few items to unpack - I agree with 5:43 AM in that there needs to be a review of the CCA process, is it capturing the supply chain appropriately? And then this:

    Based on the recent announcement that it would be monitoring and reading your emails and SMS's, looking for prescription tokens and probably nothing else - Say whats, that sounds like a skillful deployment of secondary use without consent - except the user is far too busy to bother asking.
