The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas like Australia and New Zealand.
The decision was made as result of a case brought by Austrian citizen Maximillian Schrems on the use of his data by Facebook and in particular the practices of the US government as revealed by Edward Snowden.
This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. http://curia.europa.eu press release 6 October
*Facebook European HQ is in Ireland
Safe Harbour, is an agreement that had been in place since 2000. It was supposed to give the protections to private data collected by multinational companies on EU citizens wherever it was stored. This allowed Facebook to store EU citizens’ data in the US or wherever it was most efficient, but required them to treat it to the EU’s standards, rather than the more relaxed US standards.
The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizen’s data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.
This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.
Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.
When the big players jostle, smaller countries feel the waves.
For Australian organisations, not only those who hold EU citizens’ data, this decision should cause them pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only in terms of the reputational damage of a breech in markets like the EU.
The Internet becomes less than one – Time for an International Law of Cyberspace
The Internet has never been one network for all, As much as some might wish, it is a motley collection of many nets with a very minimal governance. The main effect of this decision is to further balkanise the Internet in a similar way to content geo-blocking and country firewalls.
Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.
This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.
The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring
The US Government announced on 4 June that the private information of at least four million current and former government workers had been compromised.
The intrusion occurred in systems owned by the US Office of Personnel Management (OPM) which handles government security clearances. It was detected in April 2015, but in line with most other such intrusions, may have started in 2014.
The attack drew calls by politicians for legislation to strengthen the USA’s cyberdefences. The US blamed China for the breaches, though it is unclear how good their attribution information is.
The Boring but tremendously important bits
Reports from the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside multifactor authentication. OPM also did not regularly scan for vulnerabilities in the system, and found that one third of computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Let’s be clear here, the answer for Cybersecurity in organisations is good housekeeping!
Assess the business impact levels for your systems
Scan your logs
There are more things like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out. http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
The answer is not more power for intelligence and law enforcement
Let’s keep it simple
Assess the business impact levels for your systems
Scan your logs
If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.
Attribution is so so hard in the cyber, you have to be very lucky and have deep pockets to go after the crims.
Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.
Where might government focus its resources?
Rather than spending money on dealing with hacked systems after they happen. Government would be far better off providing good advice, encouraging education of cyber professionals and encouraging software and hardware developers to manufacture secure code and systems.
Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.
I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.
Many Australian state and territory governments have created shared services functions for their ICT and human resources functions. The issue is that if the wrong people get access as they did in the US OPM, then they potentially have access to everything.
Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff, the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.
It is a question as to whether decreasing the value of a system by decreasing its attractiveness ie by decentralising, can be used to affect business impact levels. However it certainly makes intuitive sense, in that you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst giving the organisation its operating requirements in terms of integrity of system and availability – see everybody’s happy!
When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis. The reason is that they take into account not only the confidentiality of information, but also its availability and accessibility. This allows the whole organisation to have a discussion about what they are willing to live with.
Human Resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in trying to do its job in managing clearances, which requires the information to have good availability against the traditional security argument, to lock things down.
Organisations need to fulfil their function, the confidentiality of information is always secondary to the primary mission in the minds of the executive.
Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.
The way to make the argument is to do so on the basis not of security, but finance.
Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.
Here’s a collection of links, which might be useful
The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.
The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.
The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.
In this part, we talk about some approaches to the trusted insider problem.
Organisations are asking “How can we stop employees becoming the next Edward Snowden?”
I think we should question is why aren’t there more people like Edward Snowden? I think it is worth noting that the NSA is huge with an unconfirmed staff count in the order of 30,000-40,000. One or even ten ‘rogue insiders’ is as a percentage very small – even though the damage to the USA and its allies has been very significant.
Organisations, including intelligence organisations, develop very rigorous and reliable procedures to ensure that people who shouldn’t be trusted don’t join their organisations. Good recruitment practices which exclude people who won’t fit and don’t let people become insiders in the first place are the best defence. However, one of the hardest issues to manage is to deal with people who gradually become disgruntled after they’ve been working in an organisation for a while.
Of course, organisations can use infosec procedures such as internal surveillance mechanisms and information compartmentalisation. These can reduce the consequences wrought by trusted insiders. However these mechanisms can inhibit the rest of the employee body from working at their full potential. It also can affect staff morale if not carefully marketed. Interestingly SIG attendees were told that the Attorney-General’s Department was considering the possibility of a continuous disclosure regime for security clearances which would in real or near real time provide information to security officials about whether employees were undertaking activities which might raise eyebrows.
A Sharing economy model?
Considering an organisational ‘sharing economy’ model when considering the trusted insider threat might help. The employee/employer relationship is one of mutual benefit. It can be also one of mutual harm.
Employees work for their organisation and their identity becomes entwined in the reputation and identity of that organisation. As mentioned previously, the trusted insider that does the wrong thing by their organisation does so for a number of reasons. The most dangerous reason has always been those who are motivated not by money or greed, but by a grievance or revenge.
If we extrapolate using the NSA/Snowden example…. The NSA has built up an impressive reputation over many years for technical excellence. But maybe some of its employees believed the propaganda of their employer. More importantly, it would seem that NSA’s management failed to completely disabuse their employees of the fact that intelligence agencies live in a grey world and do things that are morally grey. Consequently people working inside the NSA seem to have been surprised when they found that some of the things it was doing were dark. Unfortunately for the NSA, brilliant people became disillusioned and turned against it.
This explanation is probably not the whole answer. However a couple of thoughts arise both of which may help to prevent future events:
is it possible to develop an internal organisational market for the reputation of the organisation?
A meaningful alternative chain of reporting to vent frustrations is vital.
A market of organisational reputation
Many private and public organisations organisations spend significant sums to monitor their public relations posture. There is benefit in understanding what the organisation thinks about itself as well. An anonymous reporting mechanism can allow an organisation to get some information about whether it is ‘on the nose’. Such data might also be combined with metrics such as the number of relevant social media postings.
An alternative chain of reporting
Both USA and Australia now have whistle-blower mechanisms for their intelligence services. In Australia, the Inspector-General of Intelligence and Security performs this role.
Many organisations both in the private and public sector could consider the benefits of taking on aspects of this system. It obviously doesn’t work perfectly, but it certainly contributes to the protection of the intelligence agencies from trusted insiders.
Mr Snowden has claimedthat “he had raised alarms at multiple levels about the NSA’s broad collection of phone, email and Internet connections.” However, this is disputed by the USA. Whatever the truth of the matter, it seems that Snowden felt he wasn’t being listened to. So maybe the take-home from this aspect is that the ‘alternate chain’ of reporting needs to have big teeth to make changes where there are real problems identified. Balancing natural justice against the consequences of a breach is incredibly important. Not only for the individual concerned, but for the organisation itself, because you know people in organisations gossip about each other!
This is of course a governance issue, and this makes it very tricky to get right – this is where Resilience Outcomes Australia can help your organisation, because resilience and longevity of organisations is what we do.
Helping organisations protect themselves against trusted insiders
I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think that SIG is probably the best annual security related gathering in Australia.
If you compare it to a lot of international gatherings SIG certainly holds its own. Although, the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature is refreshing. SIG, as you may have guessed is primarily targeted at government, but there are good lessons for all organisations to be had there. Ok, enough of the fanboy …
The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.
Who are the trusted insiders?
A trusted insider is somebody who uses their privileged access to cause harm to their employer or their interests. I’ll be a bit controversial here and note that, whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case these people evoke strong almost visceral emotions in many people.
Why are organisations so concerned about the trusted insider?
Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused the significant damage to national security, government agencies and private organisations. The harm done can be from loss of secrets, money or even life.
Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfield whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!
Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2billion was lost in 2011 through ‘unauthorised transactions’ in a Swiss bank.
Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue motivated’ insiders harming organisations by damaging plant and equipment.
What motivates the trusted insider? C.R.I.M.E.S.
The motivations of trusted insiders are varied, however they broadly fit under the standard drivers of criminal behaviour as described by the mnemonic ‘crimes’.
Coercion – being forced, blackmailed or intimated
Revenge – for a real or perceived wrong, it could be about disaffection and or a grudge
Ideology – radicalisation or advancement of an ideology /religious objective
Money – for cash, profit, dosh, moolah – whatever you call it, and/or
Exhilaration or Ego– for the excitement or because they think that they are in someway cleverer than their compatriots – Christopher Cook seemed driven by the excitement..
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.
Sex and personal relationships. The combination of sex and coercion is a lethal one.
Of course, some are also mentally fragile and may not have a motivation that is exactly clear to others.
End of part 1
In the coming part, we talk about some approaches to the trusted insider problem.
Is it possible to enhance privacy with social login?
The likelihood that any Australian Government is going to create an online identity credential now seems distant with the National Trusted Identities Framework (NTIF) almost forgotten. How quickly the Internet forgets, but maybe that’s a good thing if you’re Mario Costeja González.
But the need that the NTIF sought to fill has not gone away. Governments are trying to work out how to service their citizen/customer/users at lower cost. The Internet offers one possibility, but in taking their services online, government agencies expose themselves and us to different threats and potentially higher risk. However, it seems inevitable that government agencies will follow financial institutions in offering higher value transactions online. In the end, the economic argument is likely to drive government agency migration online with more high trust services. Recent federal and state/territory budget announcements are only likely to spur this movement.
There are a number of threats that need to be mitigated before a government agency could potentially provide its services online. Probably the key issue is for the agency to be sure that a user requesting access to a site is who they say they are. Currently issuing the customer with a username and password mostly does this, but the model is beginning to fail. The problem is that most people don’t interact with government agencies on a regular basis and yet information sensitivity and computer capabilities require users to adopt increasingly complex and non-sensical passwords.
This in turn makes the passwords more difficult to remember even as they are harder to crack. It also means that password resets are much demanded. Yet at the same time, customers are expected to change their passwords regularly, not to write them down or repeat them for other online services.
It seems clear that these password requirements largely force customers to break their user agreements and either, write their passwords down, or worse re-use them for other services/websites.
It also puts government agencies in a bind. They want to provide online access to their services because it could be cheaper to operate than bricks and mortar outlets (if they didn’t have to reset too many passwords), but they also do not want to be embarrassed by privacy and security breaches.
One option is the use of a social login to help secure online authentication. This could enhance user information security and minimise privacy breaches. Social login, also known as social sign-in, is a form of simple sign-on (to web resources) using existing membership of a social networking service such as Facebook, Yahoo, Twitter or Google+ to sign into a third party website in lieu of creating a new login account specifically for that website or service. Social login is designed to simplify logins for end users as well as provide more and more reliable demographic information to website owners. Social login can be used as a mechanism for both identity authentication and user authorisation.
Social login is being adopted by private sector organisations for a number of reasons including: Rapid registration; Verified email contacts; and Customer stickiness. However social login also offers three major benefits for government agencies.
– Currency of contact data. Contact data such as email tend to be kept up to date by the user.
– Passwords are less easily forgotten because they are regularly used. At the same time, the social login passwords are not transmitted from the user to the agency website.
– Security. Agencies can leverage security technologies implemented by the social networks that they might never be able to replicate themselves. Because of their resources, social networks such as Google and Facebook are able to detect and patch zero day exploits quickly.
So what are the privacy risks?
A user, when accepting the convenience of a social login, can share a significant amount of their information between a third party website (such as a government agency) and the social network. The social site is informed of every social login performed by the user. Often, it is worth considering whether users understand exactly what they are sharing and whether they are giving informed consent to share. However this risk can be mitigated with the creation of clear and detailed login screens, which explain what the users are sharing.
As an example, the following information is returned when a Facebook user agrees to share their ‘Basic Profile’. Other than the email, the information is not verified and may not be present. However, several organisations claim that the quality of the data returned is in general very good because social network users feel social pressure from their friends to be accurate.
At the same time, it is not necessary for the third party website to collect all the information if it is not required.
Another issue surrounds current sensitivities with the USA NSA’s indiscriminate hoovering of online data. It is important to note that because all the large social networking sites are based in the USA, they are subject to USA’s laws and customs related to security and privacy. Under that regime, Australians are given significantly fewer protections than USA citizens or residents. Effectively, the social networking site itself provides the main protection for reputational reasons. However, readers may be aware that there have been recent moves in the USA to change this approach for what the US charmingly calls ‘aliens’ like Australians and give the same protections for all users irrespective of citizenship.
Can we get the benefits of social login and have citizen privacy as well?
With careful design it seems possible that social login could enhance privacy for users at the same time as providing benefits to government agencies. Considering the social login as an adjunct to agency authentication rather than the whole process could be an answer. If customers nominate their social login at the same time as they were enrolled into a government service, they could later use their social login as the first stage of an authentication process. This would provide an outer layer of defence against hacking. The user could then login to the agency itself using a separate authentication process.
The advantages of this model, beyond defence in depth, are that the user logs into the agency with their authenticated social login username, but does not gain access to sensitive information without providing an agency specific authentication. The social network also does not receive any sensitive information beyond the fact that a user logged in at a website. The use of government portals can be used to obfuscate which agency a user is accessing. At the same time, with consent, contact information from the social login site could be compared with that held by the agency and presented to users so that they can choose to update the information held on them by the agency.
At both the state and federal level, government agencies are starting to actively consider social login. Provided that governments are also prepared to carefully design the user interaction so that the social networks don’t get any more personal information than the user/citizen is prepared to share – by turning off analytics and sharing social network authentication gateways across groups of government agencies, it can provide benefit to users and government alike.
In the longer term, government will be able to verify citizens online when they wish to enrol themselves for services. The possibility arises to use the Document Verification Service (DVS) combined with social history to connect an entity to an identity, but that may be a discussion for another time.
I’d love to hear what you think.
This article originally appeared under the title “Can social login be privacy enhancing” in the May 2014 edition of Privacy Unbound, the journal of the International association of privacy professionals (IAPP) Australia New Zealand chapter and can be found here at this link iappANZ_MayJournal
The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.
Fines of $1.7 million are possible for breaches.
Australian Privacy Principles
The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.
The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges
A number of the APPs are quite different from the existing principles, including
APP 7 -on the use and disclosure of personal information for the purpose of direct marketing, and
APP 8 – on cross-border disclosure of personal information.
The OAIC gets teeth
The Privacy Act now includes greater powers for the OAIC which include:
conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
accepting enforceable undertakings
seeking civil penalties in the case of serious or repeated breaches of privacy
In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could have a serious impact on company finances as well as reputations.
One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.
A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.
We can help
We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please contact us at Resilience Outcomes for assistance.
Cyber Identity theft service sold personal information on US citizens by compromising multinational consumer and business data aggregators
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of US residents has allegedly infiltrated computers at some of America’s largest consumer and business data aggregators, including Dun & Bradstreet according to Krebs on Security.
If you’re Australian or a resident of other countries where these guys operate, you had better hope that these companies didn’t leak information between their subsidiaries and the main office – because you know that would never ever (cross fingers) happen !!
This looks like a solid investigation by the guys/gals at Krebs. The hackers at the back of this identity theft service didn’t exfiltrate data from their targets wholesale, they just compromised the targets and allowed their customers to directly query information and charged them between 50c and $2.50 US for personal records and up to $15 for credit checks – via Bitcoin or Webmoney of course!
Compromised systems accessed through the criminal service seem to include
Dun & Bradstreet – an identity service that also has a presence in Australia as a credit reference agency
Importantly, the compromise was probably targeted as much on gaining information about companies to take out fraudulent loans on them according to a Gartner analyst. If a criminal can masquerade as a large company, they can take out a much larger loan on their behalf than they could on all but the richest people.
This may take a little while to play out, but it is likely to have an impact on legislative requirements for information security by data aggregator firms. By their very nature, they hold aggregated data from millions of customers. Each piece of data requires protections, together the data becomes far more valuable and therefore a greater target for cyber criminals and foreign espionage. How we deal with aggregation remains one of the keys to the risk based handling of big data.
The Four Corners program that aired tonight “In Google We Trust” was interesting if a little alarmist as these things sometimes are. But it did make some good points about privacy in the information age.
There was an interesting piece of information about the NSW Police licence plate tracking technology which has been installed on about 200 police vehicles and has contributed to a database of several million pictures of cars, numberplates and associated metadata.
Whilst the NSW Police were willing to explain what the technology did, they were unwilling to explain how it was being used or what protections were placed on the data.
Comments by Danny O’Brien from the Electronic Frontier Foundation emphasising that data held for non-US citizens by US corporations has none of the protections that one might otherwise expect, despite the protestations of Google, Microsoft, Apple and others.
The assertion that Australian authorities might be using this to circumvent Australian laws by getting the US authorities to ‘retrieve’ Australians’ data and hand it over to Australian authorities.
Revelations that a broad number of agencies including Australia Post and the RSPCA (yes the dog and cat people) were able to access Australians’ metadata with no legal oversight and little administrative control.
The poignant comment by one of the commentators that when information becomes available, people find a way of using it before actually thinking whether they should. This was followed by the question of whether in a democracy the government should know as much about you as it can, or whether there should be limits?
As an aside, it would seem that the US has been telling fibs when it said that the NSA PRISM system was just used to catch terrorists and that there was no economic espionage undertaken. The Brazilians are rightfully annoyed after the latest Snowden leaks reported in the Wall Street Journal show that the NSA targeted the Brazilian national oil company Petrobas. The article states
In the past, the U.S. has harshly criticized Chinese hackers, for example, for allegedly engaging in industrial espionage. But the new allegations at the very least showed the NSA using corporate targets for training purposes. One of the slides presented on the show listed three reasons for spying—one was “economic.”
Is it possible for health practitioners to achieve information security? Maybe a better question is “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?
Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.
I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.
Criminals follow the money
According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW) . In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC). With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.
Terrorist vector? Probably not.
The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions as the no1 aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred but in Australia, Canada and the USA. Yet, it is likely that more people died on that same day on the roads in London. My point is this, that if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.
However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.
One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan, was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.
Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware‘. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.
Beyond the extreme, privacy compromise and fraud
Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, talking about the US health system has been quoted . “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”…. Unfortunately, it is not possible to hide one’s health under the mattress!
I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.
We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that it isn’t the case as my example above shows.
Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 Billion impost on US hospitals. Methods that are being used by fraudsters include
Diversion of fee revenue
Diversion of controlled items (eg drugs)
Collusion with suppliers; and
Diversion of accounts receivable.
The same methods are being used in medical practices, albeit on a smaller scale.
What to do
A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.
If you think this is something your organisation needs, please contact us at [email protected]