Cybersecurity warning on health data

Digital health researchers at Flinders University say there is an urgent need to do more to protect the storage and transfer of private and sensitive personal data.

The national Medibank Private data breach, now overflowing into the SA Health system, is just part of a “bigger silent issue of healthcare data manipulation and corruption that may go unnoticed for months or years,” warns Flinders University Professor of Digital Health Systems Trish Williams.

There is currently no way to guarantee the privacy of information when information systems are becoming increasingly complex and sensitive private health and healthcare information is being stored and shared around the world, she says.

Professor Trish Williams. Photo: Lee Knowles

“It is unfortunate that too often data breaches in healthcare are not detected immediately or the extent of the breach not easily identified.

“The incidents occurring in Australia recently demonstrate that no security, however good, is 100% secure.

“Whilst companies and organisations state that their systems are totally secure, you would be hard pressed to find any cybersecurity expert who would agree.

“The problems stem not from a lack of understanding of what needs to be done, nor for the want of putting the right measures in place.

“They stem from the increasing complexity of our information systems and our desire for them to be interoperable and integrated, to share our valuable data so we do not need to re-enter it time and time again.

“Data re-entry is itself another problem with human error a persistent problem.

“The purpose of illegally extracting data is entirely financial – either holding data for ransom or on-selling it for others to perform identity theft.

“The current high profile raft of incidents (including Optus’ customer base), focuses on the access to and extraction of sensitive and personally identifiable information, however there is a bigger silent issue of healthcare data manipulation and corruption that may go unnoticed for months or years.

“While exploitation of financial data is more quickly identified by individuals, as well as the financial institutions who have advanced systems for detecting fraudulent activity in place, healthcare systems do not.

“The impact of this is difficult, if not impossible, to gauge because it only comes to light when a person’s data is used for a healthcare episode (if the change is clearly evident).

“The potential for adverse events to occur is there but to date unidentified because there is no money in such an activity for the attackers.”

Flinders University Digital Protection and Health Law Lecturer Dr James Scheibner says an incredible amount of personal health information is stored in public sector and private company data files, which is always at risk of a leak.

“We need to take a long hard look at how this data is stored and shared and create more protection for the transfer and sharing of this information,” he says.
