Health data hacks a matter of when, not if
A health insurance lawyer has warned that medical providers must take precautions in anticipation of the My Health Record opt-out deadline, as the medical sector is “vulnerable” to data cyber attacks.
Barry.Nilsson partner Robert Samut said that under current data protection laws in Australia, the burden falls on medical providers to take all “appropriate measures” to protect a patient’s health data.
“A cyber criminal is able to sell personal health information for far more on the black market or the dark web than a credit card,” he said.
“With medical information, cyber criminals are able to gain access to prescription medication, receive medical care, access financial data and steal a person’s identity.”
The warning comes as the deadline to opt out of the “controversial” My Health Record was extended yesterday to 31 January 2019 by Health Minister Greg Hunt.
The largest source of reported data breaches is in the private health sector (20 per cent), according to the Office of the Australian Information Commissioner, followed by the finance sector (15 per cent), legal, accounting and management services sector (8 per cent), the private education sector (8 per cent), and the business and professional associations sector (6 per cent).
Mr Samut said the data showed that it isn’t a matter of “if the data would be hacked but when”.
“Storing records digitally with online access greatly increases the accessibility for criminals and hackers. You cannot cyber proof your systems or your network,” he argued.
“All you can do is put yourself in the best position to avoid a cyber attack or data breach and, if one occurs, put yourself in the best position to respond to it.”
One of the dangers of the My Health Record access tracking system, he continued, is that it did not track which individuals were accessing records, only institutions.
Personal medical records and Medicare details are valuable because they can be used to perpetrate identity fraud, he said, and they can also be used to redirect medication to alternate addresses.
It is critical, he posited, that any organisation have a coordinated incident response plan in place to respond to cyber security breaches.
“Having a plan in place is a non-negotiable. You must have one. A proper plan will dramatically limit damage, improve recovery time and help safeguard patients’ data,” he said.
“Another upfront issue is knowing what data you have and where it is stored. It’s very difficult to develop a meaningful or effective plan without knowing the answer to both these questions.”