Personal data security, and the 4 lessons we can take from the Medicare data breach

Personal data security, and the 4 lessons we can take from the Medicare data breach

In July 2017, it was revealed that Medicare card details were being sold on the “dark web”, by a vendor who claimed to have access to every Australian’s Medicare card details, and could supply them on request, amounting to a serious data breach. The story was broken by The Guardian Australia, after one of its journalists, Paul Farrell, confirmed this claim by purchasing details of his own Medicare card for the paltry sum of around $30.

Alan Tudge, the Human Services minister at the time (notably, Tudge has recently been replaced by Michael Keenan, who will also serve as the Minister Assisting the Prime Minister for Digital Transformation) quickly jumped to assure the public that this wasn’t in fact “a cybersecurity attack as such”, but rather “traditional criminal activity” – that is, someone had used a legitimate access point for unauthorised purposes. “We’ve had such traditional criminal activity in the past, for example, where someone has literally broken into a doctor’s clinic to seize Medicare card numbers, which they would then try and use for fraudulent purposes,” he said to ABC Breakfast’s Fran Kelly, just two days after the report.

Of course, such data breaches are not limited to the public sector – in fact, both the public and private sectors are plagued by them. Last year, the Queensland Crime and Corruption Commission revealed it had laid 81 criminal charges and 11 disciplinary recommendations for unauthorised access to confidential information by police. And according to SailPoint’s 2017 Market Pulse Survey, a remarkable 67% of enterprises reported that they had been breached in 2016.

Tudge’s claim that this breach was the result of “traditional criminal activity” seems to imply that this is not a cybersecurity issue, but this assertion is very much misplaced. Indeed, access control lies squarely in the realm of cybersecurity – and just a few simple measures could help prevent such data breaches.

Here are the 4 lessons that can be taken away from the Medicare data breach and applied to your own organisations.

1. Have stringent monitoring processes

Tudge openly admitted that the department had been unaware of the darknet vendor, who had been operating since October 2016, until the Guardian broke the story. “We first found out about it yesterday because of the Guardian newspaper article,” he said on 5 July 2017. “Immediately upon hearing this claim, as we always do when there is a claim of criminal activity or fraud, the AFP is alerted and we undertake an internal investigation.”

It’s shocking to think that this had been happening for several months, exposing people to the risk of identity fraud, though it seems the damage was fairly limited, with the Department of Human Services (DHS) reissuing just 165 cards.

It is thought that the breach occurred via a registered account for DHS’ HPOS Medicare verification service, used by healthcare providers throughout the country, but monitoring such a system, which is accessed around 45,000 times per day, is certainly no mean feat. According to deputy secretary Caroline Edwards, there are “163,000-odd potential ways into HPOS”, making it highly difficult to identify the individual responsible.

Now consider your own organisation: how long do you think it would take you to identify a potential breach? Could an individual get away with unauthorised use of information for weeks, or even months?

It’s important to have stringent and regular monitoring processes in place to help you identify unusual activity and quickly locate the source of a breach. Some government agencies and private organisations that handle sensitive information even monitor popular dark web sites, to ensure their information hasn’t been leaked.

2. Have stringent authorisation processes and limit user access

The Medicare data breach revealed several security flaws, particularly with regards to authorisation and the amount of information users are able to access. In September, an independent review of the Medicare data breach was released. Some of the recommendations included:

  • Renewing healthcare provider accounts every 12 months
  • Limiting the number of cards numbers per batch request (currently 500 cards; the review proposes limiting this to 50), and limiting the number of batch requests to one a day
  • Suspending accounts that have been inactive for 6 months
  • Discouraging users from accessing the system via telephone, and strengthening security checks for telephone use
  • Completing the transition from Public Key Infrastructure (PKI) to Provider Digital Access (PRODA) as quickly as possible (although some IT experts have questioned whether PRODA provides sufficient security for such a system).

Such simple measures – regularly renewing accounts, suspending inactive accounts, and having additional layers of authentication on top of usernames and passwords – can help to limit the risk of data breaches at your own organisation. And while advanced measures like tokenisation and encryption may be all the rage, sometimes you just need to ensure you’ve got the basics downpat. “Something as simple as strong and readily enforced password management policies, such as requiring passwords to be long and complex, keeping them unique to certain applications or systems and regularly changing them throughout the year, could save a company from a data breach,” says Kevin Cunningham, president and co-founder of SailPoint.

3. Consider how the data is stored

Another vulnerability that the Medicare data breach exposed was the risk of having sensitive data stored in big, centralised repositories. “The chances of 100 per cent securing a system with 100,000 access points against being hacked is close to zero,” said medical IT specialist Paul Power. “The weakness of the whole system is only as strong as its weakest link.”

My Health Record, which Australians will have to opt out of starting from this year, will similarly be stored in a centralised location, which, says Power, is asking for trouble. “The kind of breach that has evidently happened with the Medicare data can – and almost certainly will – happen with the My Health Record data if we go ahead and host it on this same kind of centralised depository,” he said to the Sydney Morning Herald.

Power recommends following in Germany’s footsteps, and having a decentralised model where people’s master data is stored on personalised cards and backed up on an individual consulting doctor’s computer.

Is your data being put at risk by being stored in a central repository? What is the weakest link in your security system?

4. Communicate any breaches quickly and clearly

In a submission to a Senate inquiry on the Medicare data breach, Nigel Phair, a former detective in the Australian Federal Police and current adjunct professor at the University of Canberra’s Centre for Internet Safety, called the federal government’s response to the breach “disappointing, confusing and often contemptible”.

“Unfortunately, we are plagued by a culture at all levels of government to ‘spin’ the message, including events related to cybersecurity,” his submission said.

“There is nothing good to come from this in the long term. Considered use of language to clearly communicate cybersecurity issues is critical, particularly in response to cyber incidents. Effectively communicating cybersecurity concepts can build confidence, provide assurance and convey opportunity.

“It can be the difference in whether management of a cyber incident, such as the one being investigated by the committee, is perceived as a success or failure.”

If your organisation is unlucky enough to fall prey to a data breach (and, inevitably, many will be), perhaps the worst thing you can do is try to cover it up. Any breaches should be communicated to stakeholders quickly, clearly and honestly, as this will help to restore trust in the system.

The long-ranging consequences of data breaches

The effect that data breaches can have echo long after the initial theft of information, as Ellen Broad, an associate for the Open Data Institute Australia, points out in an article for the Guardian:                                            

“This feeling – this sense emerging of governments just not being very good at handling data – has many follow-on consequences. It erodes public trust. It costs money and time. It deters good people from getting involved to help build robust, intuitive digital services. Good people working on government projects leave.

“It sets a precedent for how future automated systems might be designed and implemented. It makes people suspicious of genuinely useful technologies and tools designed to safeguard our data.

“And it makes positive, powerful interventions with data – like that inclusive, informed digital healthcare system – seem like hopeless dreams.”

Data breaches cannot simply be accepted as an inevitability in today’s digital age. Organisations – public and private – must do all they can to safeguard that most precious commodity: information.

Want to know more about cyber intrusions and hacking? See what Peter Nikoletatos, Executive Director and Chief Information Officer at La Trobe University, had to say on the topic at the CeBIT conference. Check out his presentation now. If you’re interested in hearing more on the topic, register CeBIT CyberSecurity conference today! 

New Call-to-action