deepagopi2011 - Fotolia

Australian health sector an easy target for cyber criminals, says IBM

A push to encourage greater adoption of electronic health records has raised the spectre of online record theft

According to IBM’s 2016 Cyber Security Intelligence Index, there has been a clear shift recently in online targets, essentially away from credit cards and toward health-related data.

IBM has worked with small suburban medical and dental centres in Australia, which have become a particular target for ransomware.

Glen Gooding, an executive from IBM’s Security Services (ANZ), said health records were “an important way to extract money by taking on the persona of someone else”.

He added health-focused organisations were often an easier target than financial sector businesses, many of which have implemented more robust information protection systems.

“In the local medical clinic there’s usually not a large IT component, and there’s a lack of skills. They are an easy target,” said Gooding.

Moreover, there’s going to be a whole lot more such targets as both federal and state authorities ramp up initiatives to encourage the creation of online health records.

The federal scheme, originally dubbed the Personally Controlled Electronic Health Record, has been renamed MyHealth. Currently an opt-in regime, 2.7 million people now have a MyHealth record, but the federal government expects its opt-out trials now underway will net another one million.

Australia’s May budget earmarked A$156m for the Australian Digital Health Agency, which starts operations in July and is charged with encouraging the uptake and use of online health records, and also for managing their security.

Read more about cyber security in Australia:

  • Healthcare records in Australia are a major target for hackers – with fully populated medical records sold to fraudsters for up to A$1,000 each.
  • Demand for people with the right mix of skills to keep organisations in Australia safe from cyber attack is far in excess of supply.
  • The relaxed attitude to IT security in Australia is holding back much-needed investment in security technology.
  • The costs associated with a security breach can mount up and it’s difficult to put a number on it, but organisations are increasingly trying to do this as attacks increase.

While the central database may be locked down, the access points are widespread, and security education will be essential to ensure health records aren’t leaked from the 8,400 connected healthcare entities now using the system, including GPs, hospitals, pharmacies and residential services for the elderly.

The New South Wales government in May 2016 released its 10-year eHealth strategy which has online medical records at its heart, and integrates with the MyHealth national system.

For cyber criminals it’s a veritable treasure trove of data – with medical records selling for as much as A$1,000 a pop on the dark web according to Rich Ferguson, country manager for Absolute Software in ANZ. 

A fully populated medical record is a more lucrative grab than credit card data, which can command as little as A$1, he said, and it explains why health businesses are now being targeted.

He said while the concept of having digital medical records, which could streamline the delivery of health services to patients, was attractive, the fact that health-related data might be accessible from PCs or tablets in an unencrypted format was a concern.

Gooding said it was important that all health organisations understood where critical information was held and which systems were able to access that data. He said stout perimeter controls would be essential. 

Read more on Hackers and cybercrime prevention