Secplicity – Security Simplified

The first 18 months of Data Breach regulation in Australia: my thoughts

Medical Data Records are worth top dollars


Since it took effect in February 2018, the Notifiable Data Breaches scheme (NDB scheme) in Australia has produced some very interesting results, which we can all learn from. The NDB scheme is a legal requirement under the Privacy Act 1988, overseen by the OAIC (Office of the Australian Information Commissioner), that obliges organizations covered by the Act to notify both the affected individuals and the OAIC of eligible data breaches, that is, breaches likely to result in serious harm to the individuals concerned.

In her 12-month insights report, the OAIC's Commissioner shares some useful findings. A few takeaways include:

Of the 964 data breach notifications during the 12-month period (1 April 2018 to 31 March 2019), 60% were attributed to malicious or criminal attacks and 35% to human error. Since the most common method of compromise within the malicious category was phishing and spear phishing, which also rely on a person being deceived, the human factor turns out to be the weakest link in both the prevention and the mitigation of cyber breaches.

The report concludes that best practices to minimize cyber breaches include:

The full report is available at:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/#report-at-a-glance

From a vertical perspective, the healthcare sector reported the most breaches of any industry under the scheme, ahead of the financial sector, professional services, education, and retail, which makes it the industry most exposed to cybercriminals. Stolen identities, phishing, and malware (including ransomware) are among the top attack vectors that fraud actors use to steal medical records.

So why is the health sector such a frequent target of cyber attacks, and why does it report so many data breaches as a result?

In healthcare, the stakes are very high. A full medical record sells on dark web marketplaces for anywhere from tens to hundreds of dollars, depending on whether it includes health insurance policy details (needed for lucrative fake insurance claims and other fraud). Compromising healthcare data can also open the door to the sensitive private information of VIPs, as the 2018 SingHealth breach showed, when state-sponsored attackers stole the medical records of Singapore's Prime Minister and other ministers:

https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most

The primary attack vectors in healthcare are stolen or compromised credentials (40%), phishing (20%), and malware including ransomware (20%).

The full Q1 2019 quarterly report gives more granular detail:

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-quarterly-statistics-report-1-january-31-march-2019/#comparison-of-top-five-sectors-that-reported-data-breaches-in-the-quarter

The recent attack on Cabrini Hospital's specialist cardiology unit in Melbourne, in which 15,000 medical files were compromised and a ransom demanded, shows how determined fraud actors are to get at sensitive and regulated medical data:

https://www.theage.com.au/national/victoria/crime-syndicate-hacks-15-000-medical-files-at-cabrini-hospital-demands-ransom-20190220-p50z3c.html

The biggest message here is that cybersecurity is not just something for the IT department: everyone in an organization needs to be aware and proactive. It must become a top priority for Board members and senior executives, and that represents a significant change in culture and mindset which has to come from the top.

Additionally, the “People-Processes-Technology” triad applies more than ever before when it comes to IT security in the healthcare sector:

Sylvain Lejeune
