
Secplicity - Security Simplified

Powered by WatchGuard Technologies

The first 18 months of Data Breach regulation in Australia: my thoughts

July 30, 2019 By Sylvain LeJeune

Medical Data Records are worth top dollars


Since its inception in February 2018, the Notifiable Data Breaches scheme (NDB scheme) in Australia has delivered some very interesting results, which we can all learn from. The NDB is a legal requirement imposed by the OAIC (Office of the Australian Information Commissioner) on organizations of all sizes to notify individuals of eligible data breaches.

In her 12-month report, the OAIC’s Commissioner shares useful insights. A few takeaways include:

Of the 964 data breach notifications during the 12-month period (1 April 2018 to 31 March 2019), 60% were malicious and 35% were attributed to human error. This shows that the human factor is the weakest link in both the prevention and the mitigation of cyber breaches. Interestingly, among the malicious attacks, phishing and spear phishing were the most common methods of compromise.

The report concludes that best practices to minimize cyber breaches include:

  • Employee awareness training
  • Investment in the right IT security technologies, including Multi-Factor Authentication (MFA) & encryption
  • Having a data breach response plan ready to mitigate the impact of a breach

The full report is available at:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/#report-at-a-glance

From a vertical perspective, the healthcare sector is the #1 industry most targeted by cybercriminals, surpassing the financial sector, professional services, education, and retail. Stolen identities, phishing, and malware (including ransomware) are some of the top attack vectors fraud actors are leveraging to steal medical records.

So why is the health sector so prone to cyber attacks, and why does it report so many data breaches as a result?

In healthcare, the stakes are very high. The price of a full medical record on dark web marketplaces varies from tens to hundreds of dollars, depending on whether the record includes medical insurance policy details (necessary for lucrative fake insurance claims and fraud). Additionally, compromising healthcare data can provide access to VIPs’ sensitive private information, as was shown in 2018 when nation state criminals stole the medical records of Singapore’s Prime Minister and other ministers in the SingHealth breach:

https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most

Primary attack vectors in healthcare include stolen credentials (40%), phishing (20%), and malware and ransomware (20%).

The full Q1 2019 report provides more granular details:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-quarterly-statistics-report-1-january-31-march-2019/#comparison-of-top-five-sectors-that-reported-data-breaches-in-the-quarter

The recent hack of 15,000 medical files at Cabrini hospital’s specialist cardiology unit in Melbourne shows the relentless determination of fraud actors in gaining access to sensitive and regulated medical data:

https://www.theage.com.au/national/victoria/crime-syndicate-hacks-15-000-medical-files-at-cabrini-hospital-demands-ransom-20190220-p50z3c.html

The biggest message here is that cybersecurity is not just something for the IT department — everyone in an organization needs to be aware and proactive. It must become a top priority for Board members and Senior Executives. This represents a significant culture and mindset change which must come from the top.

Additionally, the “People-Processes-Technology” triad applies more than ever before when it comes to IT security in the healthcare sector:

  • Good IT processes around patching and backing up data regularly, together with a well thought-out data breach response plan
  • Ensuring employees become “human firewalls”: staff training, induction, and policies and procedures must incorporate data security and how to prevent breaches
  • Technologies aimed at stopping known and never-seen-before threats, coupled with encryption and identity protection capabilities (e.g. MFA)

Sylvain Lejeune
