Personal information on almost 20,000 coronavirus patients in Wales was uploaded onto a public computer system in a major data security breach, it was revealed by the Daily Mail.
With modern technology, it's easy to collect, process, and store data. This can bring about many business benefits, but there are just as many risks, and despite technical controls being in place, it is very easy for an individual to accidentally or deliberately expose sensitive data.
Having access to so much data is akin to letting someone drive a bus without prior training. While the basics may appear similar to a car, there are many differences, and there are many more lives at stake.
Therefore, security awareness training is important to build a culture of security, so that all employees know and understand the part they play in keeping sensitive information safe and handle it appropriately. Otherwise, we will continue to see huge breaches which could have easily been avoided.
Despite the unfortunate nature of this event and the obvious worry and the potential harm it will undoubtedly cause to those involved, it is an excellent example of how Public Authorities should deal with data breaches.
The transparent nature and swift approach taken by Public Health Wales is to be commended. They have clearly done everything they can to mitigate the effects of this breach and obviously have a comprehensive Incident Response plan in place.
Anyone notified as a victim of the breach should not respond to any unsolicited request for personal information of any kind (passwords, security information, bank details, etc.), even if the request seems unrelated to the incident, on any platform: email, social media, telephone or post.
Cyber criminals are inventive and resourceful and will use any number of methods to use this data to commit more crime.
If anyone is worried or suspicious, they should contact Public Health Wales, or the Police, directly. Don’t reply to any messages under any circumstances and never share any information.
Health information is certainly sensitive and needs to be protected. Unfortunately, technical controls aren’t always perfect, and aren’t always enough. In some cases, human error is the root cause of a breach. Breach response, especially for public entities, has to include appropriate transparency and analysis. Although human error might cause a breach, technical controls can certainly be part of the response. Using a technical control to prevent a human from making an error can be very effective.
"Breach fatigue" and complacency about breaches are a real risk for IT professionals and clearly have a significant impact, but on the upside, healthcare breaches such as this one can be an opportunity to effect real change in an organisation. Announcing "immediate measures" is barely credible, however, since we know that good data security is an ongoing and, frankly, never-ending programme. Clearly the processes and privacy measures in place at the NHS need to be reviewed, not just immediately, but also for the medium and longer term. We see most improvements by adhering to principles of least privilege and automated account hygiene processes combined with a focus on the privileged (or highest value) accounts that hackers are targeting. Securing applications and data in the context of a broader IAM programme will help avoid "individual errors" of this kind and give organisations a breach-resilient stance that will contain and minimise the impact of any breach.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.