The Times Australia
The Times World News

.
The Times Real Estate

.

why is health data so lucrative for hackers?

  • Written by Megan Prictor, Senior Lecturer in Law, The University of Melbourne
why is health data so lucrative for hackers?

The latest large-scale ransomware attack[1] on a health technology provider, electronic prescription company MediSecure, was revealed last week.

MediSecure announced[2] it had suffered a “cyber security incident” affecting people’s personal and health information. Details of the attack are scant. We’ve been told it stemmed from a “third-party vendor”, which means a company that provides services to another company.

In a general sense, ransomware attacks occur when a hacker gets access to a system, infects and locks up files[3], and then demands a ransom – usually in cryptocurrency – for their release.

Government agencies including the National Cyber Security Coordinator[4] and Australian Federal Police[5] are investigating the incident.

Cybercrime is big business, generating huge profits[6]. This latest incident shines a light on the vulnerability of health data specifically.

What are e-prescriptions?

E-prescribing works by sending prescriptions to a digital exchange, essentially a secure database of prescription information. From there, patients control which pharmacy can access it[7], by showing pharmacy staff a token such as a QR code or barcode.

Electronic prescriptions contain personal information[8] such as people’s name, address, date of birth and Medicare number. They include details about prescribed medicines, as well as the prescriber’s name, address and other information.

The Digital Health Agency (an agency of the Australian government) reports[9] that over the past four years, more than 189 million e-prescriptions have been issued by more than 80,000 clinicians.

Until late 2023, MediSecure[10] was one of two national e-prescribing services, delivering prescriptions from health-care providers to pharmacies.

Last year, MediSecure was overlooked[11] in a government tender process to appoint a single national e-prescribing provider. At that time, MediSecure held more than 28 million scripts[12].

MediSecure has noted the incident relates to data held by its systems up until November 2023[13].

While it’s unclear who has been affected by this breach, the potential pool of patients and prescribers involved is large.

A worrying trend

This incident, which comes less than two years after the widely publicised Medibank hack[14], is alarming but unfortunately not surprising.

Health care is digitising rapidly, with innovations such as patient-accessible electronic health records, remote monitoring and wearable devices. These developments can make health care more efficient and effective. They improve people’s access to care, and mean that information – such as prescriptions – is readily available where and when it’s needed.

Partly because of the scale of digital health data, breaches are very common. The Office of the Australian Information Commissioner routinely reports that health services[15] suffer the most breaches of any sector, mainly through malicious or criminal attacks.

Why is health data so lucrative?

Health data is very attractive to hackers because of its volume, and ease of access via system vulnerabilities[16]. Historical under-investment in IT security in the sector, understaffing and overstretched staff (leading to human error), and high connectivity, all contribute[17] to this risk.

Health data is also easy to ransom because of the value patients, clinicians and health organisations place on keeping it private. No one wants a repeat of the Medibank ransomware attack[18], where Australians’ most sensitive health information – such as drug treatment or pregnancy termination details – was published online.

A female pharmacist hands a customer a box of medication.
Electronic prescriptions offer convenience for patients. PH888/Shutterstock[19]

Beyond finding out how the MediSecure attack happened, patients want to know how to protect themselves from harm. At present it seems too early to say[20]. The initial advice[21] from the government is that no action is required.

Unfortunately, the usual measures we use to protect against hacks of financial and identity data don’t work for health data. We cannot change our prescription or other medical history like we might change our passwords, get a new driver’s licence, or scrutinise our bank statements for fraud.

If someone’s medication history is released it may indicate things about their health status, such as mental illness, gender transitioning, fertility treatment or care for drug and alcohol addiction. Not much can be done to stop the personal distress and stigmatisation that may follow. People may be blackmailed[22] through this information, or suffer harms such as discrimination.

Data breach notification[23] is a legal requirement on organisations to inform individuals about breaches affecting their data. It was touted as a solution to the problem of hacking when laws were introduced in Australia in 2018, but it doesn’t help affected people very much in this situation. Being informed your prescription for an anxiety medication or a treatment for obesity is now public knowledge might simply cause greater distress.

Where does responsibility lie?

Hacking is a major threat to organisations holding health data, and the onus must largely be on them to protect against it. They must all have rigorous cyber-security protections, the capacity to respond rapidly when attacks take place, and resilience measures such as backups to restore systems quickly.

Patients are now taking steps against companies who don’t protect their data. In the case of Medibank, affected customers have launched several class actions with the national privacy regulator[24] and under Australian corporations and consumer law[25].

The introduction of a right to sue for serious invasions of privacy under an amended Privacy Act[26] is an important, impending, change. It would mean people whose prescriptions and other sensitive health information were hacked could pursue breached companies for damages.

Companies facing heightened cyber threats, increased regulatory scrutiny and legal claims by those whose data has been breached find themselves in a tight spot. But so do patients, who watch unfolding news of the MediSecure attack, waiting to find out what information about their health may soon be on public display.

References

  1. ^ large-scale ransomware attack (www.abc.net.au)
  2. ^ announced (www.medisecure.com.au)
  3. ^ infects and locks up files (www.cyber.gov.au)
  4. ^ National Cyber Security Coordinator (www.homeaffairs.gov.au)
  5. ^ Australian Federal Police (www.abc.net.au)
  6. ^ generating huge profits (www.wired.com)
  7. ^ patients control which pharmacy can access it (www.digitalhealth.gov.au)
  8. ^ contain personal information (www.health.nsw.gov.au)
  9. ^ reports (www.digitalhealth.gov.au)
  10. ^ MediSecure (www.medisecure.com.au)
  11. ^ MediSecure was overlooked (www.accc.gov.au)
  12. ^ more than 28 million scripts (www.accc.gov.au)
  13. ^ up until November 2023 (www.medisecure.com.au)
  14. ^ Medibank hack (www.medibank.com.au)
  15. ^ health services (www.oaic.gov.au)
  16. ^ system vulnerabilities (digileaders.com)
  17. ^ all contribute (www.sciencedirect.com)
  18. ^ Medibank ransomware attack (www.theguardian.com)
  19. ^ PH888/Shutterstock (www.shutterstock.com)
  20. ^ too early to say (www.abc.net.au)
  21. ^ initial advice (www.homeaffairs.gov.au)
  22. ^ blackmailed (www.abc.net.au)
  23. ^ Data breach notification (www.oaic.gov.au)
  24. ^ national privacy regulator (www.oaic.gov.au)
  25. ^ corporations and consumer law (www.allens.com.au)
  26. ^ amended Privacy Act (www.ag.gov.au)

Read more https://theconversation.com/medisecure-data-breach-why-is-health-data-so-lucrative-for-hackers-230301

The Times Features

Australian businesses face uncertainty under new wage theft laws

As Australian businesses brace for the impact of new wage theft laws under The Closing Loopholes Acts, data from Yellow Canary, Australia’s leading payroll audit and compliance p...

Why Staying Safe at Home Is Easier Than You Think

Staying safe at home doesn’t have to be a daunting task. Many people think creating a secure living space is expensive or time-consuming, but that’s far from the truth. By focu...

Lauren’s Journey to a Healthier Life: How Being a Busy Mum and Supportive Wife Helped Her To Lose 51kg with The Lady Shake

For Lauren, the road to better health began with a small and simple but significant decision. As a busy wife and mother, she noticed her husband skipping breakfast and decided ...

How to Manage Debt During Retirement in Australia: Best Practices for Minimising Interest Payments

Managing debt during retirement is a critical step towards ensuring financial stability and peace of mind. Retirees in Australia face unique challenges, such as fixed income st...

hMPV may be spreading in China. Here’s what to know about this virus – and why it’s not cause for alarm

Five years on from the first news of COVID, recent reports[1] of an obscure respiratory virus in China may understandably raise concerns. Chinese authorities first issued warn...

Black Rock is a popular beachside suburb

Black Rock is indeed a popular beachside suburb, located in the southeastern suburbs of Melbourne, Victoria, Australia. It’s known for its stunning beaches, particularly Half M...

Times Magazine

Lessons from the Past: Historical Maritime Disasters and Their Influence on Modern Safety Regulations

Maritime history is filled with tales of bravery, innovation, and, unfortunately, tragedy. These historical disasters serve as stark reminders of the challenges posed by the seas and have driven significant advancements in maritime safety regulat...

What workers really think about workplace AI assistants

Imagine starting your workday with an AI assistant that not only helps you write emails[1] but also tracks your productivity[2], suggests breathing exercises[3], monitors your mood and stress levels[4] and summarises meetings[5]. This is not a f...

Aussies, Clear Out Old Phones –Turn Them into Cash Now!

Still, holding onto that old phone in your drawer? You’re not alone. Upgrading to the latest iPhone is exciting, but figuring out what to do with the old one can be a hassle. The good news? Your old iPhone isn’t just sitting there it’s potential ca...

Rain or Shine: Why Promotional Umbrellas Are a Must-Have for Aussie Brands

In Australia, where the weather can swing from scorching sun to sudden downpours, promotional umbrellas are more than just handy—they’re marketing gold. We specialise in providing wholesale custom umbrellas that combine function with branding power. ...

Why Should WACE Students Get a Tutor?

The Western Australian Certificate of Education (WACE) is completed by thousands of students in West Australia every year. Each year, the pressure increases for students to perform. Student anxiety is at an all time high so students are seeking suppo...

What Are the Risks of Hiring a Private Investigator

I’m a private investigator based in Melbourne, Australia. Being a Melbourne Pi always brings interesting clients throughout Melbourne. Many of these clients always ask me what the risks are of hiring a private investigator.  Legal Risks One of the ...

LayBy Shopping