Health service providers score highest in number of reported data breaches
16 Oct 2018
Organisations that store the personal information of patients are more likely to be a target for cyber attacks because they will have data that includes financial and ID records. So what should aged care providers be thinking about?
The highest number of data breaches reported for the second quarter 2018 happened to health service providers, according to statistics from the OAIC.
Malicious or criminal attacks were the largest source of data breaches overall among all sectors that reported a breach, and many involved a human factor whereby an incident exploited a vulnerability within an organisation’s system. For health service providers, however, human error played the larger part in the breaches. Clicking on a phishing email was a likely inroad for an attacker to successfully access data, for example.
Cyber incident data breaches happen in all industry sectors, and yet it’s no surprise that health service providers are a keen target. Personal details and private financial information can be used in identity theft and fraud.
Reviewing cyber security measures, and awareness and training among staff, is an important factor in creating a more cyber resilient environment. It can make the greatest difference in protecting patient records and private information.
CCI’s Kath Young is Chief Information Officer and keeps a close eye on technology risk and cyber matters that are important for clients across all sectors of the Catholic community. Growing cyber security awareness will support Parish, Education and Social Welfare/Community Care sectors of the Church to meet cyber security challenges.
“These are institutions that are more vulnerable to attacks because they are likely to store data that has the personal information of patients or students. This makes them attractive to hackers, unfortunately.”
Young recommends a regular review of cyber security measures to allow for adjustments to lines of defence, or changes to tactical and strategic solutions that address security issues.
“We know that all security measures are fundamentally flawed if staff are unaware of the importance of enforcing habits that protect data. Strong passwords, software upgrades, and vigilance with online mail are a starting point,” she explains.
“Investing in the training of staff is an ongoing concern. Cyber security awareness needs to become the backbone of an organisation’s culture. This ensures an organisation will take data storage protection and privacy seriously. We’ve partnered with experts in the field of cyber security for this reason, and we plan to engage more members of the community in the discussion.”
Peter Graham, from DXC Technology, is a specialist in cyber security planning and was a panel speaker at CCI’s 2018 Cyber Focus Forums hosted by a team that Young oversees. Graham’s experience in helping companies and institutions of various sizes positions him well in helping organisations to review their security standards and to be prepared should an incident occur.
“Building cyber resilience is now integral to broader operational security, and people are thinking differently about data and its value,” he says.
“Cyber incident readiness is such a pressing issue because we can no longer afford to ignore the urgent need for adopting a response plan, and this is especially true for aged care providers, hospitals, and welfare organisations who hold the personal information of their patients,” he explains.
According to Kath, “companies need to understand what different types of data they hold, and where it is held. Often there are multiple locations including ‘as a service’ offerings, so we need to be more vigilant - not just controlling access but also in the use of the data to drive insights and where that might end up. Focus is required to determine the risks and then actively manage and monitor them.”
Data breaches can be costly and take a long time to surface, even before steps are taken to mitigate the impact.
“The average cost of such data breaches faced by Australian-based companies is $248,000 and breaches can take up to 200 days to detect. The 2018 Cost of Data Breach Study (Ponemon) looks closely at the impact of data breaches. There are many ways companies can reduce the risk of data breaches which vary in cost and complexity,” she explained.
Young also outlined some common controls:
• User security awareness training
• Data Loss Prevention systems
• Digital rights management
• Cloud Security Access brokers
• Data classification
But not all cyber insurance cover has the support of technical specialists who can help in real time in the management of a cyber incident. CCI’s Cyber 360 policy is an example of a comprehensive level of protection that does, because it responds to the challenge that a data breach can happen at any time of the day or night. But even a basic policy is worth considering if there is a possibility of a data breach or security infiltration via a supply chain.
For more information, view Peter Graham's video on Changing the way we think about data.
More about Peter Graham
Peter Graham is an Information Security consultant with over 25 years of experience working across IT Governance, IT Risk Management and Audit/Compliance, Data Protection frameworks, PCI DSS Compliance, IT Security, Business Continuity and Disaster Recovery. He has applied his skills in multiple industry sectors and completed several international assignments and secondments, including a global B2B project implementing IT Security, recovery strategies and infrastructure requirements. He leads IT Governance, IT Security, Assessment and Compliance, Risk Management and Business Continuity projects across a range of industries.
2018 Cost of a Data Breach Study by Ponemon Institute - Sponsored by IBM