Why Is Health Data Under Such a Cybersecurity Threat?

MediSecure, a health technology provider and e-prescription company, was recently subject to a severe large-scale ransomware attack affecting people’s personal and health information, which apparently stemmed from a “third-party vendor.” This incident shines a light on how vulnerable health data specifically is to cybercrime.

While this incident is alarming, it is unfortunately not surprising. According to Techxplore, health care is digitizing rapidly, with innovations like patient-accessible electronic health records, remote monitoring and wearable devices. Additionally, electronic prescriptions contain personal information like people’s names, addresses, dates of birth, Medicare numbers, details about prescribed medicines, as well as the prescriber’s name, address, and other information.

While such developments increase healthcare efficiency, improve people’s access to care, and mean that information (like prescriptions) is readily available where and when it’s needed, they also mean that digital health data breaches are very common, partly because of the sheer scale of information. But why are hackers so interested in healthcare data?

Contributing factors include the sheer volume of the data and ease of access via system vulnerabilities, historical under-preparedness and under-investment in IT security in the health sector, understaffing leading to human error, as well as high connectivity. Health data is also notably easy to ransom because of the value that is placed on keeping it private.

Following this immense data breach, patients want to know how to protect themselves from harm. Unfortunately, the measures usually taken to protect against hacks of financial and identity data don’t work for health data, as one cannot change their prescription or other medical history like they might change a password or get a new credit card.

So, who is in charge of this conundrum? As organizations holding health data are aware of the looming hacking threat, they must protect themselves and their patients against it: they need rigorous cyber-security protections, the capacity to respond rapidly when attacks take place, and resilience measures like backups to restore systems quickly.

Furthermore, patients nowadays are taking measures against companies that did not properly protect their data. Indeed, the introduction of a right to sue for serious invasions of privacy under an amended Privacy Act is an important change that would mean people whose prescriptions and other sensitive health information were hacked could pursue breached companies for damages.