Story image

Healthcare reports most NDB breach incidents so far - why are they at risk?

16 Apr 2018

In less than two months since its February 22 launch, Australia’s Notifiable Data Breaches Scheme has netted 63 breach notifications, most of which were from health service providers – and involved human error.

According to the Notifiable Data Breaches Quarterly Statistics Report (January-March 2018), health service providers reported 15 breaches; followed by legal, accounting, and management services (10); finance (8); education (6); and charities (4).

78% of all breaches involved contact information, including names, email addresses, addresses and phone numbers.

33% involved health information; 30% involved financial details; 24% involved identity information such as driver licence numbers and passports; 14% involved tax file numbers; and 2% involved other sensitive information.

Most of the reported breaches involved personal information of fewer than 100 people, however there were 17 cases where breaches involved more than 100 people. In three cases, breaches involved personal information belonging to 10,000-99,999 people.

Human error seems to be a major problem for organisations that reported data breaches. 32 cases were due to human error such as inadvertent disclosures, 28 involved malicious or criminal attacks; 2 involved system faults; and 1 was caused by other methods.

Commenting on the revelations, Sense of Security CTO Jason Edelstein says that organisations really are their own worst enemy.

“The quarterly results providing some interesting insight into the cyber threats impacting Australian businesses. What’s concerning from the report is human error is currently our top threat, with 51 per cent of reported breaches being caused by human error, such as sending a document containing personal information to the incorrect recipient,” he says.

“The problem is, we’re sending contact information and financial details to these people. If they are malicious, an attacker could use this information to conduct social engineering activity, which can have dire consequences.”

“These errors should not be happening and we need to have better processes and policies in place to prevent this leakage of personal information. This requires us to educate employees on the cyber security risks and their responsibilities in handling data,” Edelstein continues.

He believes that it’s no surprise healthcare was the industry that reported the most breaches.

“This isn’t surprising due to the rise of internet connected medical devices, as part of the growing Internet of Things (IoT) trend. The benefits of these devices has seen many hospitals and healthcare facilities rapidly introduce them with little thought to the security implications of connecting them to the network,” he says.

“Exacerbating the problem is the fact vendors are currently in an arms race to bring products to market, to gain a competitive advantage. This means network connected apps and devices are rushed to market with very limited security protocols in place.”

“Whilst healthcare and hospitals are no more vulnerable than other sectors, the consequences are much more dangerous. Our information, sensitive data and wellbeing are all vulnerable if security is not made a priority. The best thing the healthcare industry can do is to educate its employees about security awareness. After all, they are in the business of saving lives, and getting them cyber-trained can help them do just that,” Edelstein concludes.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.