Data breaches show health’s ‘soft underbelly’

Cannings Purple 13 Mar 2019

If there’s one common theme running through data breach statistics from around the world, it’s that the health care sector is particularly prone to information ending up in the wrong hands.

In each of the four sets of statistics released by the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, health has “led” the way.

It accounted for 24 per cent of breaches in the first quarterly report in 2018 and 21 per cent in the most recent one. Health’s lowest mark – 18 per cent – is still higher than the percentage recorded by any other sector across any quarter.


The result is not unexpected, given similar results reported overseas, but it’s interesting to ponder why the health sector might be so susceptible.

“I think it is due to it being viewed as a soft underbelly with respect to security controls,” Sven Ross, Executive Director of Perth’s Diamond Cyber Security says.

“It’s a generalisation but I think the workforce may be less IT-savvy than others, possibly because there are older people working in these businesses.”

The OAIC definition of the health sector with regard to notifiable data breaches is a curious beast. It includes private sector providers (including, in some cases, local gyms and child care centres) but generally not public hospitals and health services, which fall under state and territory law rather than the federal Privacy Act. My Health Record breaches are also governed under a separate act.

While hacking has been identified as a major concern for the health sector overseas, the biggest source of Australian data breaches remains human error, which would tie in with Sven Ross’ thoughts on savviness.

That said, breaches with malicious intent (including cyber attacks) still account for more than 40 per cent of health breaches. And the information involved in them goes beyond health data, making identity fraud a likely motivation.

Health data was involved in just 27 per cent of breaches, compared to 85 per cent for contact information, 47 per cent for financial details and 36 per cent for identity information. (The figures add to more than 100 per cent because a single breach commonly exposes several kinds of information.)

The takeaway is that when a health sector entity is hacked, those responsible are most interested in collecting data they can put to nefarious use.

“To me there is nothing particularly valuable about the specifics in the patient records,” Sven Ross explains.

“Contact information is significantly more valuable because it is used to conduct fraud.

“Our contact information is how we identify ourselves online, so if you can get enough of this data on someone you can create fraudulent accounts on legitimate services, make fraudulent transactions and generally impersonate a law-abiding citizen.”

Jean Perkins is a health communications expert with more than 20 years’ experience in media, government and public relations, stakeholder engagement, large-scale events and project management. Cannings Purple specialises in pre-emptively preparing businesses to deal with data breaches.
