My Health Record avoids cybersecurity breaches despite dizzying growth in usage

Awargula |

The compromise of Monash IVF marks the latest in a string of cyberattacks on healthcare providers but the government’s controversial My Health Record (MyHR) system escaped compromise during the last financial year, with no malicious breaches recorded despite the addition of more than 550 million documents to the system over the past year.

The figures, contained in the latest annual report by the Australian Digital Health Agency (ADHA), highlighted the rapid growth of MyHR since it was changed from an opt-in program to an opt-out program a year ago.

This rapid growth was driven by the addition of some 480m Medicare documents, 35m prescription and dispensing-related documents, 11.3m pathology reports, 2.45m diagnostic imaging reports and 2.4m documents related to the Australian Immunisation Register – all reflecting the typical volumes of data attributable to the first year of the system being actively used across a broad range of health services.

This growth represented “significant progress” towards delivering on the National Digital Health Strategy, ADHA CEO Tim Kelsey said in announcing the results, with 90 percent of Australians – 22.55m MyHR records – now participating in the system.

Despite early concerns that the growing volume of medical information would present a tempting honeypot of personally identifiable information (PII) for malicious cybercriminals, there had been “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system”, the report noted.

Some 38 specific matters were reported to the Office of the Australian Information Commissioner (OAIC), including 37 data breaches, but most of these “were attributable to administrative errors” such as incidental access by Services Australia staff during Medicare record audits.

Nine breaches eventuated during examination of records for suspected Medicare fraud, while one breach occurred when an incorrect Parental Authorised Representative was assigned to a child’s record.

Healthcare sector under siege

ADHA’s success in preventing cybersecurity breaches was in stark contrast to a growing climate of compromise for healthcare providers, which have this year copped a series of attacks despite the best efforts of struggling industry CISOs and security staff.

Healthcare providers have topped the list of Australian Notifiable Data Breach reports since its inception 18 months ago, and one recent review found that healthcare organisations have suffered 79 percent of recorded ransomware strikes this year.

One such recent ransomware strike hit multiple sites across two regional Victorian healthcare services, bringing down networks, compromised healthcare services and sent health authorities scrambling to recover.

The latest breach, of Monash IVF Group’s internal email servers, flagged a system compromise that saw past patients being spammed with emails containing malicious attachments.

Patient records were reportedly not compromised, but given the concentration of personal information in Monash IVF’s systems Carbon Black ANZ country manager Rob Dooley said the breach “only serves to highlight the vulnerability of Australia’s healthcare sector to cyberattacks.”

“This sector has seen increased attacks over the course of the year,” he continued. “Poor and inadequate security controls, outdated technology and the high quality of healthcare patient data are just some of the reasons why healthcare organisations have been hit so hard by security breaches.”

Healthcare organisations need to “adopt a comprehensive approach to cybersecurity” combining prediction, prevention, detection, and response to attempted attacks, Dooley said.

“Healthcare organisations need to make endpoint protection a top priority and be more proactive about managing cyber risks so as to combat this crime wave.”

That crime wave continues to grow and change, with security firm Tenable recently announcing that it had uncovered more than 100 zero-day vulnerabilities so far this year alone – each representing a new attack vector capable of compromising tens or hundreds of thousands of devices.

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)