Healthcare, POS vulnerabilities will be tested under new privacy laws

Australia's healthcare and point-of-sale (POS) industries will be focal points for efforts to improve privacy protections in the wake of new privacy controls that come into effect this week, the head of security-response firm AusCERT has warned.

The risk stems from the industry's continued reliance on a range of systems with varying security controls, not all of which may meet the new amendments to the Privacy Act 1988. Those amendments will compel private and public organisations to comply with 13 Australian Privacy Principles (APPs) regulating the handling of personally identifiable information.

The varied nature and format of healthcare data would pose challenges for healthcare companies going forward, AusCERT general manager Graham Ingram told CSO Australia, because "the information they're sitting on is absolute dynamite".

"The health industry has been running over the last 20 years using stock-standard software that nobody has ever looked at for security," he continued.

"I would suggest it was never really designed for the Internet environment; it's all based around a locked system, which assumes that medical provider A only talks to medical supplier B – but now they do it over the Internet and that's not the case."

Endemic design shortcomings had made the sector particularly ripe for targeting by ransomware, which locks systems or encrypts data and then extorts payment from victims in exchange for restoring access.

"Some of the really good ransomware is targeting specific software that is proprietary software made for medical practices," Ingram said. "They worked out where a hole was, and use that hole to get into the practices."

"I think we'll see more of this in 2014," he added. "It will depend on the economics. But at this stage, I can't see anything that's going to stop them. SMEs seem to be the soft spot, because there's not enough awareness and not enough security. They will pay up, and if you can hit them for $4000 a pop, that's a very nice way [for malware authors] to make a living."

Point-of-sale (POS) software was another weak point: long-deployed applications often run on out-of-date, unpatched software and operating systems. Hackers famously exploited these weaknesses to steal the credit-card credentials of more than 110m people from the POS systems of US retailer Target, with one in three victims likely to see fraud as a result. That breach recently claimed the scalp of CIO Beth Jacob, who resigned in the wake of the devastating privacy breach.

The situation in Australia is similar, Ingram said, noting that vulnerabilities in POS software "have been popping up over the last five years and we routinely come across a POS that's been compromised."

The shortcomings were often by design: "when you look at it, they have not been designed by security people," Ingram explained.

"They have been designed to do a job. And then we find these huge holes in them that nobody knew about because they're proprietary applications. POS software is and will remain very vulnerable. It's a case of the closer you look, the more you will find."


Copyright © 2014 IDG Communications, Inc.