22 May 2018
Family Planning NSW has taken its website offline for a “security update” after learning that hackers breached its booking system two weeks ago. The organisation notified its clients via email, and journalist Lauren Ingram, who was personally affected by the data breach, shared the notification on Twitter.
The letter stated that:
These databases contained information from around 8,000 clients who had contacted Family Planning NSW through our website in the past two and a half years, seeking appointments or leaving feedback.
Family Planning NSW offers reproductive and sexual health services, and the breach has sparked fears that sensitive personal information about clients could have been compromised.
In this case, the risk to patients is not as severe as it could have been. Medical practices typically keep the actual medical records of patients separate from online booking systems.
However, the information in the booking system is still sufficient to assist with identity fraud. Furthermore, for some patients, there are very serious risks merely in disclosing that they are patients of such services:
Ransomware is a common form of cybercrime
According to the notification, hackers exploited a weakness in the web-based booking system of Family Planning NSW and demanded a Bitcoin ransom.
We don’t know the full details of this particular attack, but the information in the notification letter indicates the attackers may have used some kind of ransomware. Ransomware is malicious software that electronically locks up (encrypts) the data on a computer system. If no backup is available, the only way to access the data is to pay the ransom for the key to unlock (decrypt) the data.
Ransomware authors do not typically attempt to read the contents of the information they hold to ransom – their business model involves denying access to information, not making use of it. However, ransomware that has sufficient access to scramble data, has sufficient access to steal that information. Therefore, while it is more likely than not that no information was actually copied, it cannot be guaranteed.
Technically sophisticated attackers will sometimes use what appears to be one type of attack (such as ransomware) to disguise their real intentions. Security professionals who specialise in “incident response” (IR), are able to assess this risk when an apparent ransomware attack has occurred. I expect that in a high-profile data breach like this, IR specialists have been consulted.
Oversight of medical privacy could be inadequate
It is not feasible for patients of a medical practice to assess the adequacy of the security and privacy processes – and nor should they. Patients aren’t expected to assess the skill of a surgeon to operate, or whether the instrument sterilisation processes are adequate!
Instead it is the legal and ethical obligation of medical practices, and the bodies that accredit them, to ensure their technology and processes are adequate to protect privacy and security. All medical practices are required to implement the Australian Privacy Principles specified in the Privacy Act, regardless of size (most other small businesses are not). Medical practices are also subject to mandatory reporting of data breaches.
Some of the representative bodies of medical specialities attempt to assess privacy and security as part of practice accreditation. In the case of general practitioners, the Royal Australian College of General Practitioners’ accreditation standards require practices to develop privacy and security procedures and policies. They also provide a more detailed information security standard.
Unfortunately, it’s not at all clear how rigorously these policies and procedures are actually checked, both for their adequacy and whether they are actually followed.
More evidence that the health sector has work to do in this area comes from the new mandatory notification requirement for data breaches. Since its introduction earlier this year, the health sector has had more notifications than any other sector.
What can patients do?
As in many other aspects of healthcare, patients generally have to place their trust in the competence and diligence of the professionals. But patients who believe they face particularly high risks do have some options to protect themselves.
The Australian Privacy Principles require that, where practicable, patients should be able to interact with a medical practice anonymously, or under a pseudonym. The RACGP accreditation material (PDF link) recommends practices set up procedures to support this.
Even if a pseudonym is not for you, it is prudent to consider minimising the amount of information you provide on medical booking services, which are inherently more vulnerable than medical record systems not exposed to the public internet.
A major change to the way your medical data is managed is on the way – and one with serious privacy implications. The My Health Record is a centralised repository of personal healthcare information, maintained by the Australian government. It is designed to improve healthcare by improving access to patient information for doctors, as well as facilitate research.
However, the combination of improved access to records and less-than-perfect information security practices in the health sector is likely, in my view, to increase the risk of privacy breaches.
You have the chance to opt out of the My Health Record system during a three-month window between July 16 and October 15. After this date, a record can be rendered inaccessible but not completely deleted. This data breach, and the rate at which they are occurring throughout the healthcare sector, further reinforces my intention to opt out.