Tū Ora Compass Health from New Zealand, a primary health organization (PHO) has disclosed a security breach that led to the exposure of medical and personally identifiable information (PII) of roughly 1 million people. The NGO notified the National Cyber Security Centre, Ministry of Health, Police, and other law enforcement agencies of the incident after its discovery on August 5 following the Tū Ora website’s defacement.
"Nearly a million New Zealanders face the risk that their medical data has been accessed illegally after a cyber attack on the website of Tū Ora Compass Health, the company said on Saturday." https://t.co/MSKR5zTNNZ #databreach #security #NewZealand
— Joanne Spruce (@JoanneSpruceC21) October 5, 2019
Commenting on the news are the following cybersecurity professionals:
This latest breach in New Zealand illustrates how third-party healthcare cybersecurity remains a pressing problem throughout the world. Tu Ora Compass Health was connected to 60 different general practice teams and other health providers, amounting to a breach of up to one million New Zealand patients\’ data. Health providers hold some of our most sensitive and confidential data: personal and demographic information, financial statements, health details, and insurance policies. Attackers can use this information for identity theft, insurance fraud, financial gain, or even blackmail. Often the best way for hackers to reach this information is through third parties, who have access to healthcare organizations’ data but lack adequate security to guard it. For this reason, assessing and continuously monitoring healthcare organizations\’ third-party security is critical.
Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud. More recently, we’ve seen a change in the value of stolen data as more and more intuitions are implementing user authentication solutions that render stolen data valueless. The loss of medical and PII data is a worry for all organizations, not just the targeted company. The data loss has the potential to be lucrative in the hands of cybercriminals, who can use the data to accurately mimic the legitimate customer in order to facilitate further cybercrime. By using security layers with behavioral analytics and passive biometrics, businesses can look across multiple aspects of the user’s interaction, instead of relying solely on the username, password and other static data which could have been stolen. Such techniques devalue phishing attacks and other techniques to extract data from legitimate consumers, as this is not enough to access a victim’s account or make illegitimate purchases. Additionally, it creates a dynamic and intelligent authentication solution that is seamless, frictionless, and un-obtrusive to end-users.
According to the data breach statement, 17 years’ worth of personal data was potentially accessed not once, but four times before detected. Unfortunately, there did not seem to be protections placed on the data itself, which means the personal data was left in clear text form. It’s a good thing that no payment info, tax numbers, passport numbers, nor driver’s license numbers were on the server; otherwise, those data elements would have been exposed as well.
Business leaders at other companies should be asking themselves how long are they keeping personal data in files and databases? More importantly, is that personal data also stored in clear text form?
It seems there may be some technology and business leaders who are still accepting the risk that their data is of no interest to hackers, or their business model is unattractive for threat-actors to access. The PHO data breach and many other breaches reported proves that this is not the case.
There are two simple ways to reduce the possibility of data breaches.
1. Do not collect and store data
2. When Step #1 cannot be avoided, use cryptography to protect data.
Cryptography for data protection most commonly refers to tokenization and encryption. When deployed effectively, both are successfully defending against and reducing the effects of data breaches.
Tokenization, however, has been emerging as a best practice, due to its reduced impact on business processes and operations management. Organizations should research which techniques best fit their environment.