tiero - stock.adobe.com

Norwegian healthcare breach alert failed GDPR requirements

Norwegian healthcare authorities failed General Data Protection Regulation requirements for notifying those affected by a personal data breach by waiting a week before disclosing a breach discovered on 8 January 2018

The handling of the recent breach of healthcare data belonging to about half the population of Norway has been criticised because of the delay in notifying people whose data may have been stolen by hackers.

Some security commentators said the incident should be a wake-up call for organisations planning to comply with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018, while others have called for improved collective defence.

On 15 January 2018, Health South-East RHF, a healthcare organisation that manages hospitals in Norway’s southeast region, confirmed that that healthcare records of 2.9 million citizens may have been exposed, seven days after being notified of the breach by HelseCERT, the country’s computer emergency response team for the healthcare sector.

HelseCERT had identified suspicious traffic coming from Health South-East’s computer network, and an investigation by the IT staff at Sykehuspartner HF – Health South-East RHF’s parent company – revealed evidence of a severe data breach, reports Bleeping Computer.

“This is a serious situation and measures have been taken to limit the damage caused by the incident,” said Health South-East RHF and Sykehuspartner HF in a joint statement.

In a standard face-saving statement, Health South-East RHF said the attacker appeared to be “an advanced and professional player”, and that it has taken measures to limit the impact of the breach, but gave no further details.

“There is close dialogue with the hospitals about this and there is so far no evidence that the burglary has had consequences for patient treatment, patient safety or that patient data has been overlooked, but it is too early to conclude,” said Cathrine Lofthus, CEO of Health South-East RHF, in a statement.

“The best resources in Hospital Partners are now working together with the foremost expertise in the country to get an overview and resolve the situation.”

Norwegian law enforcement and the country’s national Cert, NorCERT, have been notified, while investigations into the breach are reportedly continuing to determine the full extent of the breach.

Norwegian health authorities have yet to confirm whether the cyber attackers were able to access and exfiltrate personal healthcare data.

Read more about healthcare data security

  • Health service accused of a ‘cover-up’ after it came to light that more than half a million documents holding patient data were never delivered to their intended recipients.
  • Health secretary Jeremy Hunt has promised full online access to medical records, a review of data security standards and a new opt-out model for Care.data.
  • The information commissioner is worried that TTP’s GP IT system’s enhanced data sharing function puts patients’ confidential medical records at risk.

Health South-East RHF manages healthcare units in nine of Norway’s 18 counties, including Akershus, which is home to Norway’s capital, Oslo.

Andy Norton, director of threat intelligence at security firm Lastline, said the GDPR requires organisations to notify those affected  by a personal data breach within 72 hours.

“In this particular case, before notifying authorities and affected parties, the actual evidence-gathering and notification has taken much longer than the GDPR requirement,” he said.

According to Norton, automated breach prevention is the only appropriate security mechanism for GDPR notification requirements because of the fairly short notification period allowed by the new data protection legislation.

Healthcare data is a popular target for cyber criminals because it provides all the personal details necessary for ID theft and related fraudulent activity.

A survey published in April 2017 revealed that one in eight consumers in England have had private medical information about them stolen from systems that lack the right level of security.

The survey of 1,000 people in England showed that most (78%) think healthcare providers should be responsible for protecting this information, while only 40% believe they themselves have responsibility.

The findings, from a survey of 7,580 people carried out by Accenture in seven countries, revealed that more than half (56%) of data breaches in England concerned medical identity theft and that people who have experienced a breach lost an average of £172 as a result.

Raj Samani, Chief Scientist and Fellow at McAfee said security breaches affecting hospital’s around the globe now seem to be happening with an alarming regularity, due to the high importance of uptime to deliver essential medical services, as well as the wealth of sensitive data held on its networks. However, despite how it seems, he said the criminals behind these attacks are not invincible.

"The cyber security industry needs to work together to combat the growing rate of cyber crime targeting public services by making threat intelligence sharing compulsory so that they are best equipped to defend against this threat. Once this is in place, every attack will lead us a step closer to finding those responsible, said Samani.

Read more on Data breach incident management and recovery

Data Center
Data Management