• Written by Robert Merkel, Lecturer in Software Engineering, Monash University
Hackers exploited a weakness in the web-based booking system of Family Planning NSW to infect the system with ransomware. Shutterstock

Family Planning NSW has taken its website offline for a “security update” after learning that hackers breached its booking system two weeks ago. The organisation notified its clients via email, and journalist Lauren Ingram, who was personally affected by the data breach, shared the notification on Twitter.

The letter stated that:

These databases contained information from around 8,000 clients who had contacted Family Planning NSW through our website in the past two and a half years, seeking appointments or leaving feedback.


Read more: After the Medicare breach, we should be cautious about moving our health records online


Family Planning NSW offers reproductive and sexual health services, and the breach has sparked fears that sensitive personal information about clients could have been compromised.

In this case, the risk to patients is not as severe as it could have been. Medical practices typically keep the actual medical records of patients separate from online booking systems.

However, the information in the booking system is still sufficient to assist with identity fraud. Furthermore, for some patients, there are very serious risks merely in disclosing that they are patients of such services:

Ransomware is a common form of cybercrime

According to the notification, hackers exploited a weakness in the web-based booking system of Family Planning NSW and demanded a Bitcoin ransom.

We don’t know the full details of this particular attack, but the information in the notification letter indicates the attackers may have used some kind of ransomware. Ransomware is malicious software that electronically locks up (encrypts) the data on a computer system. If no backup is available, the only way to access the data is to pay the ransom for the key to unlock (decrypt) the data.


Read more: Defending hospitals against life-threatening cyberattacks


Ransomware authors do not typically attempt to read the contents of the information they hold to ransom – their business model involves denying access to information, not making use of it. However, ransomware that has sufficient access to scramble data, has sufficient access to steal that information. Therefore, while it is more likely than not that no information was actually copied, it cannot be guaranteed.

Technically sophisticated attackers will sometimes use what appears to be one type of attack (such as ransomware) to disguise their real intentions. Security professionals who specialise in “incident response” (IR), are able to assess this risk when an apparent ransomware attack has occurred. I expect that in a high-profile data breach like this, IR specialists have been consulted.

Oversight of medical privacy could be inadequate

It is not feasible for patients of a medical practice to assess the adequacy of the security and privacy processes – and nor should they. Patients aren’t expected to assess the skill of a surgeon to operate, or whether the instrument sterilisation processes are adequate!

Instead it is the legal and ethical obligation of medical practices, and the bodies that accredit them, to ensure their technology and processes are adequate to protect privacy and security. All medical practices are required to implement the Australian Privacy Principles specified in the Privacy Act, regardless of size (most other small businesses are not). Medical practices are also subject to mandatory reporting of data breaches.

Some of the representative bodies of medical specialities attempt to assess privacy and security as part of practice accreditation. In the case of general practitioners, the Royal Australian College of General Practitioners’ accreditation standards require practices to develop privacy and security procedures and policies. They also provide a more detailed information security standard.

Unfortunately, it’s not at all clear how rigorously these policies and procedures are actually checked, both for their adequacy and whether they are actually followed.

My informal inquiries in the sector suggest that at the very least accreditation processes do not focus heavily on the technical aspects of privacy and security. My own general practitioner is fully accredited by the RACGP via one of its approved accreditation assessment partners, but does not even have a privacy policy on its website.

More evidence that the health sector has work to do in this area comes from the new mandatory notification requirement for data breaches. Since its introduction earlier this year, the health sector has had more notifications than any other sector.

What can patients do?

As in many other aspects of healthcare, patients generally have to place their trust in the competence and diligence of the professionals. But patients who believe they face particularly high risks do have some options to protect themselves.

The Australian Privacy Principles require that, where practicable, patients should be able to interact with a medical practice anonymously, or under a pseudonym. The RACGP accreditation material (PDF link) recommends practices set up procedures to support this.

Even if a pseudonym is not for you, it is prudent to consider minimising the amount of information you provide on medical booking services, which are inherently more vulnerable than medical record systems not exposed to the public internet.


Read more: Why has healthcare become such a target for cyber-attackers?


A major change to the way your medical data is managed is on the way – and one with serious privacy implications. The My Health Record is a centralised repository of personal healthcare information, maintained by the Australian government. It is designed to improve healthcare by improving access to patient information for doctors, as well as facilitate research.

However, the combination of improved access to records and less-than-perfect information security practices in the health sector is likely, in my view, to increase the risk of privacy breaches.

You have the chance to opt out of the My Health Record system during a three-month window between July 16 and October 15. After this date, a record can be rendered inaccessible but not completely deleted. This data breach, and the rate at which they are occurring throughout the healthcare sector, further reinforces my intention to opt out.

Robert Merkel does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Authors: Robert Merkel, Lecturer in Software Engineering, Monash University

Read more http://theconversation.com/the-latest-health-data-breach-is-one-reason-why-ill-be-opting-out-of-myhealthrecord-96644

THINGS TO CONSIDER WHEN CHOOSING A CATERING SERVICE FOR YOUR WEDDING

Catering is a popular and sought-after service. Choosing a banquet hall for a wedding, you cannot compromise, for the sake of a beautiful interior, agreeing to a kitchen that does not suit you. Just...

News Company - avatar News Company

THE BEST DRINKS TO SERVE AT A PARTY

Whoever said throwing a party is a piece of cake probably forgot that the cake is just one thing off of the list for a party planner or a host. Planning a party is no easy feat. It might even take w...

News Company - avatar News Company

The Advantages of Bulk Purchase

Bulk purchasing is the process of buying a certain product in larger quantities to obtain the benefits of lower per-unit prices. Usually, companies buy raw materials in bulk to get economies of scal...

News Company - avatar News Company

Why Australians fell out of love with Holdens

Harrison Broadbent, Unsplash, CC BY-SAThe jingle used to tell us we loved “football, meat pies, kangaroos and Holden cars”. These days we love Japanese utes and small Toyotas, Hyundais ...

Gary Mortimer, Professor of Marketing and Consumer Behaviour, Queensland University of Technology - avatar Gary Mortimer, Professor of Marketing and Consumer Behaviour, Queensland University of Technology

Nearly 80% of Australians affected in some way by the bushfires, new survey shows

James Gourley/AAPLast month, the Australian National University contracted with the Social Research Centre (SRC) to survey more than 3,000 Australian adults about their experiences and attitudes rela...

Nicholas Biddle, Associate Professor, ANU College of Arts and Social Sciences, Australian National University - avatar Nicholas Biddle, Associate Professor, ANU College of Arts and Social Sciences, Australian National University

65,000-year-old plant remains show the earliest Australians spent plenty of time cooking

Researchers May Nango, Djaykuk Djandjomerr and S. Anna Florin collecting plants in Kakadu National Park. Elspeth Hayes, Author providedAustralia’s first people ate a wide variety of fruits, vege...

S. Anna Florin, PhD candidate, The University of Queensland - avatar S. Anna Florin, PhD candidate, The University of Queensland

Coles says these toys promote healthy eating. I say that's rubbish

ShutterstockAs a parent, I find it so frustrating to take my children shopping, reusable bags in hand, only to be offered plastic toys at the checkout. It’s an incredibly confusing message to b...

Carla Liuzzo, Sessional Lecturer, School of Business, Queensland University of Technology - avatar Carla Liuzzo, Sessional Lecturer, School of Business, Queensland University of Technology

Books in a post-f@#^ world. Are we all sworn out yet?

ShutterstockWarning: this piece features frequent coarse language that may offend some readers. Since Adam Mansbuch’s 2011 bestseller, Go the Fuck to Sleep, book titles have been swearing prof...

Donna Mazza, Senior Lecturer in Creative Arts, Edith Cowan University - avatar Donna Mazza, Senior Lecturer in Creative Arts, Edith Cowan University

West Gate Tunnel saga shows risk of 'lock-in' on mega-projects pitched by business

Victoria’s government finds itself in a big hole with its West Gate Tunnel project. As diggers lie idle in a dispute over what to do with contaminated soil, it’s facing long delays and bil...

James Whitten, Ph.D Candidate, Faculty of Architecture, Building and Planning, University of Melbourne - avatar James Whitten, Ph.D Candidate, Faculty of Architecture, Building and Planning, University of Melbourne

Sick and Tired of Your Dead End Job? Try Teaching!

Tired of the same old grind at the office? Want an opportunity to impact lives both in your community and around the world? Do you love to travel and have new experiences? Teaching English is the perfect job for you! All you need is a willingness to ...

News Company - avatar News Company

The Impact of an Aging Population in Australia

There’s an issue on the horizon that Australia needs to prepare for. The portion of elderly citizens that make up the country’s overall population is increasing, and we might not have the infrastructure in place to support this. Australians h...

News Company - avatar News Company