The health sector continues to lead the way in data security breaches, and experts say pharmacy needs more investment in prevention
Given everything else that has occupied our attention over the past 12–15 months, how many have paid attention to the ever-growing computerisation of pharmacy, and indeed of healthcare generally?
Obviously there have been the big-ticket items that have gathered attention: the introduction of electronic prescribing and the expansion of the My Health Record program are two examples.
But while these have been introduced amid the distractions of pandemics, natural disasters, economic slowdowns and community pharmacy agreements, how many have reflected enough on the risks of these developments?
A growing number of breaches
The issue of data security in healthcare was highlighted recently by a new report which showed that health service providers were once again responsible for the single greatest number of data security breaches of any industry.
The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report revealed there were 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months (512).
Health service providers again notified the most data breaches (23%) of any industry sector, followed by finance, which notified 15% of all breaches.
Malicious or criminal attack accounted for 310 notifications during the period (58%), according to the report, while system fault was responsible for 25 notifications (5%).
Australian Information Commissioner and Privacy Commissioner Angelene Falk said 38% of all data breaches notified during the period were attributed to human error.
“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received—up 18% to 204—and proportionally—up from 34% to 38%,” Commissioner Falk said.
“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.
“Organisations need to reduce the risk of a data breach by addressing human error—for example, by prioritising training staff on secure information handling practices.”
Just over a quarter of breaches (26%) involved health information, while 40% involved financial details, such as bank account or credit card numbers, and 18% involved tax file numbers.
However, the health sector did rate well in terms of reporting incidents—with 88% of health service providers identifying an incident within 30 days of it occurring.
A common finding
Andrew McManus, general manager of Managed Services at Fred IT Group, said that in this and previous reports health is “consistently the number one reporting industry”.
While the majority of breaches in the health industry were a result of human error, malicious or cyber attacks still accounted for a high percentage, he said, adding that the type of attacks indicated a lack of investment in protection in the health sector.
“Of those malicious or cyber attacks, health was the number one industry falling victim to phishing and ransomware attacks,” Mr McManus said.
“This suggests that the health industry is yet to invest to the same level as other industries in preventing such attacks.”
There were two broad themes to the report’s findings, he said:
- human error plays a big role directly (sending an email to the wrong person) in breaches, but also indirectly by enabling cyber attacks (such as making the mistake of clicking on a malicious link); and
- malicious or cyber attacks overall still account for the majority of breaches.
“My view is there is still much to do in raising awareness of the risks and issues, but more specifically training that helps people combat the threats—practical tips on what to actually do,” Mr McManus said.
“This training needs to be ongoing. Investing in people, process and technology are all important. One alone is not enough.”
A catalogue of concerns
Andrew McManus says the “unfortunate trend we are all seeing, and which is supported by the Australian Cyber Security Centre, is that cyber attacks are increasing, not only in raw numbers but in their efforts to evade detection and prevention”.
“We are seeing more and more spam and phishing emails being sent with estimates over 6 billion per day,” he said.
A worrying trend is the constant evolution of cyber attacks, he says.
“Cyber criminals are constantly looking at new ways to exploit any vulnerability. For example, ‘traditional’ ransomware encrypted your PC or data: if you had a backup you could easily restore from there. So, the hackers went after the backups as well.
“Many backup systems are encrypted at rest and in transit, so the hackers decided to try a different approach. They gain access to your systems the same way (via a phishing email) but instead of launching an attack immediately they download your data.
“They then encrypt your PC/database and demand the ransom be paid or they’ll make public the stolen data. They normally send a screen shot or like evidence of having your data.
“This is an impossible position to recover from,” Mr McManus said. “We can restore your PC and get you trading but the hackers have your data and you will need to report a data breach to all customers affected plus the OAIC.
“We’re seeing it becoming easy for almost anyone to be a cyber-criminal, with hacking tool kits easily available for purchase on the dark web.”
The leadership’s view
The Pharmacy Guild of Australia believes that cyber security is very much on the mind of its members.
Guild executive director Suzanne Greenwood told the AJP: “We believe community pharmacies are very aware of the need for cyber security and that they take appropriate measures.
“The challenge for everyone, including community pharmacists, is to keep up to date with the constantly developing and evolving nature of criminal attempts to attack business and personal systems.”
The Guild alerts members to developments as they are known, Ms Greenwood said, adding that “there is a need for all pharmacy owners to be aware of threats and how attacks are being launched, and also to ensure that all protective measures are current and able to protect systems from attack”.
“The reality is that it’s almost impossible to be 100% protected,” she said.
“The attacks on supposedly highly classified government security installations show that even with almost unlimited resources and skills, determined attackers can still get through.”
The state of play
Andrew McManus believes the situation in pharmacy is “improving, but there’s still a long way to go. Raising awareness of the cyber security landscape and associated risks is an important and ongoing process”.
Mr McManus said the majority of attacks seen in pharmacy are still ransomware delivered via a phishing email.
“This shows pharmacy staff are still not able to adequately spot a fake email, and not enough pharmacies have either the technology in place to protect them or have a plan on what to do in the case of an attack.”
He says over 400 customers have signed up to Fred Protect in the last nine months, enabling Fred to gather statistics that “begin to show how prevalent the attempts are to gain unauthorised access”.
- From those 400 plus pharmacies, they block well over 50,000 malicious IPs every month.
- For some pharmacies they’ve seen over 300 IPs from 35 different countries.
- This means known malicious actors are probing your network looking for vulnerabilities in your operating system, remote access tools or IoT devices (such as security cameras).
- In cases where they were not able to block the malicious IP, they have still successfully intercepted the attack once launched and prevented it spreading laterally on to other PCs.
- Many internet facing devices are not secure, with some hackable in as little as three minutes.
What you can do
Mr McManus says there are easy-to-implement and cost-effective steps pharmacies can take to enhance their protection:
- Train your staff regularly to understand the risks and raise awareness.
- Position this as not only protecting the pharmacy but also best practice for them personally. The skills taught are transferable to your own home networks and devices.
- Speak to your IT provider or Fred on what can be done.
- You need to know which PC or Server houses your most valuable data.
“More and more people are allowing staff and customers to connect to their pharmacy network, which is increasing the risk where that network is not adequately protected,” he said.
“BYOD (bring your own devices) will only increase. Balancing ease of use for staff and customers with cyber security is an increasing challenge.
“How you set up your pharmacy network in terms of isolating and segmenting critical systems will
The impact of e-prescribing
The rapid growth of e-prescribing has only impacted data security in that it has highlighted the need to raise the importance of good cyber security processes and systems overall, Mr McManus said.
On the positive side, it has meant all pharmacies have had to go through the government certification process.
“Like many other online services it highlights the need to be cyber secure—what needs to be done has always been the same, simply the sheer volume of online services means you must invest in your people, process and technology.”
The Pharmacy Guild says it has not yet received a report of any risks to the security of patient data in regard to the introduction of electronic prescriptions in Australia.
The cost of crime
The Australian Cybercrime Online Reporting Network (ACORN) states the average cost of cybercrime to an Australian business is $276,000.
Cyber attacks on small businesses are now estimated to make up at least 43% of all attacks.
While the average cost to a small business will be less than the amount above, the impact on these businesses can be catastrophic.
Andrew McManus: “This is the major issue. With mandatory data breach reporting laws—to both the OAIC and your customers—the risk of losing access to your computers and valuable data because of a major cyber incident is very costly reputationally and financially.”