Hackers target Australian health sector, selling records for A$1,000

Healthcare records in Australia are a major target for hackers – with fully populated medical records sold to fraudsters for up to A$1,000 each

Hackers are targeting the Australian health sector, with fully populated digital health records sold on the black market for up to A$1,000 each.

Plans to make the personally controlled electronic health record (PCEHR) an opt-out – rather than the current opt-in regime – could significantly expand the range of targets for health hackers.

Carl Leonard, principal security analyst for Websense, said healthcare around the world is now experiencing 340% more attacks than the average industry sector. He said that, in 2014, there was a phenomenal 600% increase in the number of attacks launched against hospitals – and Australia is no exception.

He said ransomware attacks were 450% more prevalent in healthcare globally than in other industries.

He said: “Healthcare offers a very complete dataset that can be used for identity theft or fraud. It holds very up-to-date contact information so you can send targeted mails, and use the information and repurpose it for identity theft.”

Leonard said some fully populated health records are fetching up to A$1,000 on the black market while the prices for credit card details continue to drop in what is considered a saturated market. 

There are now 2.3 million Australians who have signed up for a PCEHR. The records – launched in 2012 – are being used in just under 8,000 healthcare provider organisations.

Health minister Sussan Ley indicated that the PCEHR will be rebranded as MyHealth Record, and that a trial will be conducted of an opt-out rather than the current opt-in model.

Ley said the scheme could save up to A$2.5bn a year by reducing inefficiencies in the healthcare system, with a possible $1.6bn in additional savings for the states.

Leonard said the challenge for the healthcare sector is to balance its desire to use electronic records to deliver improved patient care against the need to properly protect that information, without making it more difficult for medical professionals to access.

“The environment is challenging. Healthcare providers are trying to understand the fallout from security breaches,” said Leonard.

While Australia’s adoption of electronic health records is still patchy, Leonard said organisations needed to properly protect that data.

“Even if only 10% of the population has an electronic health record, that is still incredibly valuable to an attacker.”

He said that, in terms of security best practice, the financial sector was often held up as an exemplar, often requiring at least two-factor authentication before data access was granted.

Leonard said: “A vulnerability exists because of the relatively new nature of health records and because of the environment they operate in, where the physician needs to access the record easily.

“Right now it’s a perfect storm.”
