
Healthcare reports most NDB breach incidents so far - why are they at risk?

16 Apr 18

In less than two months since its February 22 launch, Australia’s Notifiable Data Breaches Scheme has netted 63 breach notifications, most of which were from health service providers – and involved human error.

According to the Notifiable Data Breaches Quarterly Statistics Report (January-March 2018), health service providers reported 15 breaches; followed by legal, accounting, and management services (10); finance (8); education (6); and charities (4).

78% of all breaches involved contact information, including names, email addresses, addresses and phone numbers.

33% involved health information; 30% involved financial details; 24% involved identity information such as driver licence numbers and passports; 14% involved tax file numbers; and 2% involved other sensitive information.

Most of the reported breaches involved the personal information of fewer than 100 people; however, there were 17 cases where breaches involved more than 100 people. In three cases, breaches involved personal information belonging to 10,000-99,999 people.

Human error seems to be a major problem for organisations that reported data breaches: 32 cases were due to human error such as inadvertent disclosures; 28 involved malicious or criminal attacks; 2 involved system faults; and 1 was caused by other methods.

Commenting on the revelations, Sense of Security CTO Jason Edelstein says that organisations really are their own worst enemy.

“The quarterly results provide some interesting insight into the cyber threats impacting Australian businesses. What’s concerning from the report is human error is currently our top threat, with 51 per cent of reported breaches being caused by human error, such as sending a document containing personal information to the incorrect recipient,” he says.

“The problem is, we’re sending contact information and financial details to these people. If they are malicious, an attacker could use this information to conduct social engineering activity, which can have dire consequences.”

“These errors should not be happening and we need to have better processes and policies in place to prevent this leakage of personal information. This requires us to educate employees on the cyber security risks and their responsibilities in handling data,” Edelstein continues.

He believes that it’s no surprise healthcare was the industry that reported the most breaches.

“This isn’t surprising due to the rise of internet connected medical devices, as part of the growing Internet of Things (IoT) trend. The benefits of these devices have seen many hospitals and healthcare facilities rapidly introduce them with little thought to the security implications of connecting them to the network,” he says.

“Exacerbating the problem is the fact vendors are currently in an arms race to bring products to market, to gain a competitive advantage. This means network connected apps and devices are rushed to market with very limited security protocols in place.”

“Whilst healthcare and hospitals are no more vulnerable than other sectors, the consequences are much more dangerous. Our information, sensitive data and wellbeing are all vulnerable if security is not made a priority. The best thing the healthcare industry can do is to educate its employees about security awareness. After all, they are in the business of saving lives, and getting them cyber-trained can help them do just that,” Edelstein concludes.
