Data breaches are rising across Australia’s healthcare industry faster than many others. Hackers are lured by healthcare’s large attack surface, which includes sensitive and time-critical information.
According to the latest research from Darktrace, cyber-attacks targeting the health and social care sector in Australia doubled in 2021 compared with data from 2020, and the industry is still the most attacked in Australia in 2022.
Over the past month, Australians learned the scale of two major health data breaches, with some patients' private data — including bank details and test results — published on the dark web.
Last Thursday, pathology firm Australian Clinical Labs (ACL) disclosed that its subsidiary Medlab, which carries out COVID-19 testing and other services, had suffered a data breach eight months earlier, in February, and that it had since discovered the data of 223,000 individuals had been stolen.
The same week, Medibank Private also revealed that hackers had accessed the data of at least 4 million customers, including their health claims.
Why are hackers targeting healthcare?
The motive behind the Optus breach in September was crystal clear, as it stemmed from human error. The hack exposed the data of nearly 10 million Australians, including driver's licence and passport numbers.
But the data stolen in the Medibank and Medlab hacks is more private and includes test results and diagnostic details.
According to Peter Lewis, director of the Centre for Responsible Technology, whose own data was siphoned in both the telco and Medibank Private breaches, criminals targeting the health sector launch attacks to blackmail people, damage the firms' reputations, or sell the vast pools of data on to other hackers.
"There is the sense that they may try and blackmail people," he says. "There is sensitive information out there, but I don't know if that's the game. The second is to do damage to the organization that they've hacked, so there is potential for it to be more damaging to Medibank than to any individual. But thirdly, it is true that they've captured that entire base of health information; maybe they'll ... try to find ways to make value out of big pools of data."
"I think a breach in the intimacy of health information could also open some people up to blackmail or make them less open with healthcare professionals. It is a smart move by hackers, but whether it's going to be a sustained shift or only a shift which we've seen with these most recent cases is unclear," says Dr Rob Hosking, Chairman of the Royal Australian College of General Practitioners' technology committee.
"Nobody wants their personal, private information exposed to the public and that's one of the risks we run with using the benefits of the internet for other things, for remote access, for transfer of information about people's health and doing things in a much timelier fashion," Dr Hosking stated.
"The worrying thing here is that it [health breaches] creates mistrust if people are fearful of divulging information to their practitioners; that means they may not get the care that they deserve."
Small steps
Healthcare providers need to have an incident response plan in place before a data breach is discovered, not after. Educating staff on the common attack vectors, such as malware, viruses, email attachments, web pages, pop-ups, instant messages, and text messages, and on how to recognise unusual activity is essential.
According to Dr Robertson-Dunn, health data is expensive and difficult to manage, and it can be hard to differentiate between what should be kept and what can be deleted. Organisations need to re-evaluate what has to be held onto.
"The government and organizations need to get more serious about the security of the data that they keep," he stated. "They need to question if they need all of it, if it all needs to be online. If you change GP, should the old GP keep your records? There's probably an argument that maybe they should, but it is a risk. Curating health data is not easy, because how do you know what you might need in the future?"