The health sector leads the way in data security breaches, with pharmacy expert saying more investment in prevention is needed
Health service providers are once again responsible for the single greatest number of data security breaches of any industry, new data has revealed.
The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report shows there were 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months (512).
Health service providers again notified the most data breaches (23%) of any industry sector, followed by finance, which notified 15% of all breaches.
Malicious or criminal attack accounted for 310 notifications during the period (58%), the report revealed, while system fault was responsible for 25 notifications (5%).
Australian Information Commissioner and Privacy Commissioner Angelene Falk said 38% of all data breaches notified during the period were attributed to human error.
“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received – up 18% to 204 – and proportionally – up from 34% to 38%,” Commissioner Falk said.
“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.
“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices.”
Andrew McManus, general manager of Managed Services at Fred IT Group, said that in this and previous reports health is “consistently the number 1 reporting industry”.
While the majority of breaches in the health industry were the result of human error, malicious or cyber attacks still accounted for a high percentage, he said, adding that the type of attacks indicated a lack of investment in protection in the health sector.
“Of those malicious or cyber attacks, health was the number one industry falling victim to phishing and ransomware attacks,” Mr McManus said.
“This suggests that the health industry is yet to invest to the same level as other industries in preventing such attacks”.
There were two broad themes to the report’s findings, he said:
- human error plays a big role in breaches, both directly (such as sending an email to the wrong person) and indirectly by enabling cyber attacks (such as clicking on a malicious link)
- malicious or cyber attacks overall still account for the majority of breaches
“My view is there is still much to do in raising awareness of the risks and issues, but more specifically training that helps people combat the threats – practical tips on what to actually do,” Mr McManus said.
“This training needs to be ongoing. Investing in people, process and technology are all important. One alone is not enough”.
Just over a quarter of breaches (26%) involved health information, while 40% involved financial details, such as bank account or credit card numbers, and 18% involved tax file numbers.
However, the health sector did rate well in terms of identifying incidents – with 88% of health service providers identifying an incident within 30 days of it occurring.