MediSecure data breach: why is health data so lucrative for hackers?

The latest large-scale ransomware attack on a health technology provider, electronic prescription company MediSecure, was revealed last week.

MediSecure announced it had suffered a “cyber security incident” affecting people’s personal and health information. Details of the attack are scant. We’ve been told it stemmed from a “third-party vendor”, which means an organisation that provides services to another company.

In a general sense, ransomware attacks occur when a hacker gets access to a system, infects and locks up files, and then demands a ransom – normally in cryptocurrency – for their release.

Government agencies including the National Cyber Security Coordinator and Australian Federal Police are investigating the incident.

Cybercrime is big business, generating huge profits. This latest incident shines a light on the vulnerability of health data specifically.

What are e-prescriptions?

E-prescribing works by sending prescriptions to a digital exchange, essentially a secure database of prescription information. From there, patients control which pharmacy can access it by showing pharmacy staff a token such as a QR code or barcode.

Electronic prescriptions contain personal information such as people’s name, address, date of birth and Medicare number. They include details about prescribed medicines, in addition to the prescriber’s name, address and other information.

The Digital Health Agency (an agency of the Australian government) reports that over the past 4 years, more than 189 million e-prescriptions have been issued by more than 80,000 clinicians.

Until late 2023, MediSecure was one of two national e-prescribing services, delivering prescriptions from health-care providers to pharmacies.

In the last 12 months, MediSecure was overlooked in a government tender process to appoint a single national e-prescribing provider. At that point, MediSecure held more than 28 million scripts.

MediSecure has noted the incident pertains to data held by its systems up until November 2023.

While it’s unclear who has been affected by this breach, the potential pool of patients and prescribers involved is large.

A worrying trend

This incident, which comes less than two years after the widely publicised Medibank hack, is alarming but unfortunately not surprising.

Health care is digitising rapidly, with innovations such as patient-accessible electronic health records, remote monitoring and wearable devices. These developments could make health care more efficient and effective. They improve people’s access to care, and mean that information – such as prescriptions – is quickly available where and when it’s needed.

Partly due to the scale of digital health data, breaches are quite common. The Office of the Australian Information Commissioner routinely reports that health services suffer the most breaches of any sector, mainly through malicious or criminal attacks.

Why is health data so lucrative?

Health data can be very attractive to hackers due to its volume and the ease of access via system vulnerabilities. Historical under-investment in IT security within the sector, understaffing and overstretched staff (resulting in human error), and high connectivity all contribute to this risk.

Health data can be easy to ransom due to the value patients, clinicians and health organisations place on keeping it private. No one wants a repeat of the Medibank ransomware attack, where Australians’ most sensitive health information – such as drug treatment or pregnancy termination details – was published online.

Beyond finding out how the MediSecure attack happened, patients need to know how to protect themselves from harm. At present it seems too early to say. The initial advice from the federal government is that no action is required.

Unfortunately, the usual measures we use to guard against hacks of financial and identity data don’t work for health data. We cannot change our prescription or other medical history like we would change our passwords, get a new driver’s licence, or scrutinise our bank statements for fraud.

If someone’s medication history is released it could indicate things about their health status, such as mental illness, gender transitioning, fertility treatment or care for drug and alcohol addiction. Not much could be done to stop the personal distress and stigmatisation that will follow. People could also be blackmailed through this information, or suffer harms such as discrimination.

Data breach notification is a legal requirement on organisations to tell individuals about breaches affecting their data. It was touted as a solution to the problem of hacking when laws were introduced in Australia in 2018, but it doesn’t help affected people very much in this case. Being informed your prescription for an anxiety medication or a treatment for obesity is now public knowledge might simply cause greater distress.

Where does responsibility lie?

Hacking is a serious threat to organisations holding health data, and the onus must largely be on them to guard against it. They must all have rigorous cyber-security protections, the capability to respond rapidly when attacks happen, and resilience measures such as backups to restore systems quickly.

Patients are now taking action against companies that don’t protect their data. In the case of Medibank, affected customers have launched several class actions with the national privacy regulator and under Australian corporations and consumer law.

The introduction of a right to sue for serious invasions of privacy under an amended Privacy Act is an important, impending change. It would mean people whose prescriptions and other sensitive health information were hacked could pursue breached companies for damages.

Companies facing heightened cyber threats, increased regulatory scrutiny and legal claims by those whose data has been breached find themselves in a tight spot. But so do patients, who watch unfolding news of the MediSecure attack, waiting to find out what details about their health may soon be on public display.