Key Points for Australian Health Records

  • 25% of all data breaches contain Health Data
  • Of Health Sector breaches – 41% were malicious or criminal data breaches
  • Of malicious or criminal data breaches – 40% were cyber incidents
  • 16% of Health Sector Data breaches affected 1,000-25,000 people

The value associated with a person’s health record is different for each person however most people would agree that they would not like their health records to become a matter of public knowledge. This is entirely the fear Australians have surrounding the Australian Federal Government’s My Health Record scheme that is currently a hot subject of debate.

My Health Record allows for authorised third-party applications to access people’s health data. One such application is HealthEngine which recently came under attack in a privacy scandal because HealthEngine’s business model is about data sharing and targeted advertising. HealthEngine currently has 1.5 million monthly users and 15 million annual users. HealthEngine was using patient’s health information that was provided by the patient during the setting of an appointment with a doctor such as “Personal Injury”. This patient’s health information was used for targeted advertising associated with their medical conditions and symptoms. It was also forwarding on this patient’s health information to law firms such as Slater & Gordon as part of a referral partnership pilot. HealthEngine patients that fit the criteria would then receive an email from a law firm for Personal Injury compensation. HealthEngine has stated that it “does not provide any personal information to third parties without express consent of the affected user or in those circumstances described in our privacy policy.” In other words – they put it in the terms and conditions which you agreed with when using the application.

The My Health Record data is shared by My Health Record with authorised third-party applications such as HealthEngine on a “View Only” basis and restricts the applications from storing the data or passing the data onto third parties. This is different than the way HealthEngine passed on health data submitted by the patient during the appointment booking section of the HealthEngine application. However, with changing political trends the policy may change in future with Private Health Insurers already hopeful that the ban on third party data sharing of My Health Record can be overturned.

Cybersecurity Protecting Health Records

Underpinning the protection of health records are the cybersecurity defences of the software and infrastructure that house the health records as well as the defences of the computers that access this software. The Australian Federal Government has declared that there has not been a cybersecurity breach of the My Health Records system since its release for over 6 years and therefore it has trustworthy and reliable defences. With regards to cybersecurity, new vulnerabilities in software are found every day, and credentials for software access are compromised regularly through constant phishing campaigns. Therefore, the cybersecurity defences that have upheld until now are not an indication of future performance. Software applications and infrastructure require regular security assessments of their defences to identify if any vulnerabilities that have recently been found can be exploited to provide attackers with a breach of data.

Another use of vulnerabilities in software by attackers is the prevalence of ransomware. This is when an attacker finds a vulnerability in software and after possibly stealing the data the attacker encrypts the data of the computer with an unknown key and then demands a ransom be paid. This then makes all functions of the systems unusable until the ransom has been paid or the systems have been restored. This has happened to hospital emergency departments which means that lives are at risk by the cyberattack until the ransom has been paid or the systems have been restored. In January 2018 a Greenfield Indiana USA hospital paid a ransom of US$55,000 to get rid of ransomware that was hindering its operations even though it had backups to restore the systems. This came from the Ransomware called SamSam. On ANZAC Day 2018 the Family Planning NSW’s online databases had been breached and held to ransom demanding AU$15,000. The organisation refused to pay, and the cyber criminals disappeared, however it is likely that 8000 patient’s health records had been stolen before the ransomware occurred. With the rising prevenalnce of attacks on the Health industry, it is prudent to perform due diligence before you get hit by a data breach or ransomware. Contacting a Cybersecurity Consultancy like Fort Safe for a Security Assessment is the first step.

Some Statistics focusing on Health Data and the Health Sector:

According to the Office of Australian Information Commissioner in the Notifiable Data Breaches Quarterly Statistics Report covering 1 April – 30 June 2018 there were 242 notifiable data breaches in the quarter up from 63 in the previous quarter covering February and March 2018. The data however does not show how many people were affected by the cyber incidents or how many people were affected by the human error of emailing personal information to the wrong recipient.

  • Of the 242 notifiable data breaches there were 61 (25%) that specifically included health data.
  • The highest number of notifiable data breaches came from the Health Service Provider industry (49)
    • where 20 (41%) of notifiable data breaches were from malicious or criminal activity
      • Of the 20 malicious or criminal activity
          • 8 (40%) notifiable data breaches were from cyber incidents. The breakdown can be seen in the pie chart below.

          • with 9 (45%) coming from theft of paperwork or data storage device.
    • and the other 29 (59%) notifiable data breaches were from human error.
      • Of the 29 Human Error notifiable data breaches in the Health Service Provider industry the largest component was Personal Information was sent to the wrong recipient via email with 6 (21%) notifiable data breach notifications.
    • The number of people affected by the 49 Health Sector notifiable data breaches can be seen in the graph below. The majority are in the 1-10 number of people affected categories with 25 (51%) notifiable data breach notifications however of more concern there are also 8 (16%) notifiable data breaches in the 1000 people or higher affected categories.

In the event of a potential breach or ransomware incident, contact a Cybersecurity Consultancy for immediate triage and investigation of how the incident has occurred to address these points of entry.

References

https://www.myhealthrecord.gov.au/for-you-your-family/howtos/view-my-record-using-app

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018

https://www.afr.com/business/health/health-insurers-hopeful-of-my-health-record-data-access-20180531-h10t1t

https://www.healthcareit.com.au/article/family-planning-nsw-ransomware-attack-sees-personal-information-8000-people-risk-0

http://www.abc.net.au/news/2018-06-25/healthengine-sharing-patients-information-with-lawyers/9894114