Scott Morrison recently blamed ‘a sophisticated state-based cyber-actor’ for a massive cyber-hit which threatened Australia’s critical infrastructure. The main targets? Government agencies, political organisations, education, infrastructure and health.
The attackers are using known software vulnerabilities to infiltrate network systems, as well as ‘phishing’ — legitimate-looking emails with malicious files attached or with links to websites that steal passwords.
If our national infrastructure, with billions invested in security and protection, is vulnerable to these attacks, how prepared are aged care providers?
February 2018 saw the introduction of the Notifiable Data Breaches (NDB) scheme. Established to improve consumer protection and ensure better security standards were in place to protect personal information, the scheme applies to organisations and agencies covered by the Privacy Act 1988.
The NDB scheme requires organisations to notify the Office of the Australian Information Commissioner whenever personal information is accessed or disclosed without authorisation, or is lost, and the breach is likely to result in serious harm.
In the six months to December 2019, 537 breaches were reported under the scheme. Malicious or criminal attacks – including cyber incidents – accounted for 64%.
What’s even more interesting is that the health sector — with 117 breaches — was the highest reporting sector with 43% of these breaches caused by human error. That’s opening those malicious emails or allowing unauthorised access to sensitive personal data.
Since the start of the NDB scheme, across all industries, the health sector has consistently reported the most data breaches.
So are these breaches in the health sector happening in larger organisations like our state public hospitals? No. State and territory agencies including hospitals don’t have responsibilities under the Privacy Act 1988 and therefore are not required to report breaches.
Are these breaches the result of unauthorised access to the data of thousands of people? No. Most reported breaches affected fewer than 100 individuals, with 40% of breaches impacting just one to ten individuals. The most common type of breach: personal information.
Back to the question – how prepared are aged care providers? How prepared is your organisation?
Most aged care providers understand what’s needed: a data governance framework supported by processes and best practices. However, few providers actually have appropriate governance procedures in place.
A data governance framework needs to consider a range of areas. The Data Management Body of Knowledge – or DMBOK – specifies 11 areas providers should focus on.
These include architecture; structure of data; data security ensuring privacy, confidentiality and appropriate access to private data; and data quality and storage. Even data storage has its own complexities.
Where’s your data stored? If it is in the cloud, where is it based? In Australia or offshore? And if offshore, does the country have the same or superior privacy legislation to Australia? If you store data on a local server, do you have offsite back-ups in place?
You also need to consider who can access your data. Most likely your care staff have access to an extensive amount of personal resident data. You need to ensure the relevant data access permissions are in place and that these permissions include who can store and even dispose of this data, and how.
Your governance processes should include updating software with the most recent security patches. Keep abreast of the risks through the advice issued by the Australian Cyber Security Centre. Back up your data and ensure it is stored elsewhere, with a contingency plan should both sites go down. Being able to access your back-ups is critical after an attack.
Most importantly, educate your employees so they understand how they can use, access, store, dispose of and even protect your data.
Ash Priest is the Managing Partner of Novigi. Novigi is an advisory and technology services firm. Data, integration and automation are core to the solutions Novigi provide clients.