The healthcare sector is still widely vulnerable to cybersecurity issues, even though the overall rate of data breaches in Australia has fallen, according to a report from the Office of the Australian Information Commissioner (OAIC).
While the average volume of 72 breaches per month was down significantly from 242 in the first full quarter of reporting, the report revealed that the healthcare sector, which reported 58 breaches, was well ahead of finance (27), legal (23), education (19) and retail (11).
Overall, the OAIC report found the leading cause of data breaches during the 12-month period was phishing, causing 153 breaches, but more than a third of all notifiable data breaches were directly due to human error.
The largest source of data breaches in the health sector was human error (52 per cent), with examples including sending personal information to the wrong recipient by email (20 per cent of human error data breaches) or mail (23 per cent).
Other leading sources of human error included the unintended release or publication of personal information (20 per cent) and the loss of paperwork or a data storage device (23 per cent).
Malicious and criminal attacks were the second largest source of data breaches from the health sector this quarter. Cyber incidents were the most common type of attack, accounting for 58 per cent, while the actions of a rogue employee or insider threat were the second most common type of attack (23 per cent).
“It is very concerning to see health service providers continuing to be targeted and successfully breached by attackers,” Sophos ANZ managing director John Donovan said in a statement. “It goes without saying that this industry is dealing with incredibly sensitive and personal data and, as such, has a huge responsibility to the people of Australia to protect their data effectively.”
Donovan commented that the report should serve as a wake-up call to the healthcare industry to implement more robust security practices in order to protect the “extremely sensitive” data with which it is entrusted.
Analysis of the first 12 months of mandatory notifications found that data breaches involving personal information may be prevented through effective training and enhanced systems.
“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said in a statement. “Our report shows a clear trend towards the human factor in data breaches, so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.”