The MediSecure data breach highlights the health care sector’s susceptibility to such attacks, and it is imperative that the government and health care providers work together to better protect sensitive health data.

MediSecure, an Australian prescription delivery service provider, experienced a ransomware attack in April 2024. This resulted in a breach impacting approximately 12.9 million Australians, releasing sensitive personal and health information to the dark web for sale. It has been reported that the stolen data included names, dates of birth, addresses, health care identifiers, Medicare card numbers and prescription details.

The health care sector’s susceptibility to such attacks is partly due to the high value of health data for cyber criminals, which makes it a prime target. This incident adds to a growing trend in Australia, where health care data breaches have become increasingly common. Between 2019 and 2020, Australia’s health care sector saw an 84% rise in reported cyber security incidents. These large-scale cyber security incidents have highlighted the importance of securing the confidentiality of health care records, as data breaches have the potential to cause real harm.

MediSecure breach: implications for health care services and patients
The health care sector is a prime target for cyber criminals due to the high value of health data (Nan_Got/Shutterstock).

Reports suggest that 64% of Australians lack confidence in the ability of large organisations to keep their personal data safe. Although Australians are concerned about their privacy, many may not be aware of the impact that identity theft or scams can have on them personally. A recent study of individuals’ awareness, perception and responses to data breaches indicated that 73% of participants were affected by at least one breach, and 74% of participants were unaware of breaches affecting them. Although some reported an intention to act, most participants believed the breach would not impact them. Moreover, studies have indicated that many are unaware of potential long-term consequences, including identity theft and misuse of personal health information. The impacts of these crimes can be severe, highlighting the importance of robust information security governance in health care.

Reform urgently needed

The Office of the Australian Information Commissioner (OAIC) has consistently highlighted the need for comprehensive reforms to the Privacy Act to address the evolving threat landscape and better protect Australians’ personal information.

Reports from the OAIC, such as the Notifiable Data Breaches (NDB) scheme reports, indicate that the health care sector remains one of the most affected by data breaches. These breaches often result from inadequate data handling processes, human error and malicious attacks, pointing to the need for more robust legal frameworks and organisational practices.

The proposed updates to the Privacy Act, supported by the OAIC and the Attorney-General’s Department, aim to ensure that privacy laws keep pace with technological advancements and provide a stronger framework for handling personal data in response to the increasing frequency and severity of data breaches.

There remains a significant evidence gap regarding implementable, comprehensive strategies that integrate the various aspects of privacy and information security into cohesive organisation-wide governance, specific to the nuances of health care environments. The strategies listed in Table 1 align with the Australian Signals Directorate Essential 8, a framework designed to help organisations mitigate cyber security risks. However, to truly safeguard sensitive health data, these strategies must be implemented as part of a comprehensive information security governance framework within health care organisations. Most existing evidence focuses either on the technical aspects of cyber security or on organisational and behavioural factors in isolation, and organisations, like individuals, may be unaware of the significance of the risks to which they are exposed.

Table 1 sets out actions individuals can take to protect their information, alongside the Australian Signals Directorate Essential 8 controls that organisations use to mitigate cyber security risks.

| Individual protections | Organisational protections |
| --- | --- |
| Be aware of when you share information and with whom. Do you really need to provide your full name, date of birth and home address, or will less identifying information be sufficient (eg, just first name, age, postal address)? | Develop an information security policy |
| Know what information you have: your accounts, assets, etc. Check assets regularly to ensure there isn’t any unusual activity or access. | Record organisational information assets |
| Don’t download or click on links or files you aren’t sure are safe. | Application control |
| Secure your email addresses. | Restrict administrative privileges |
| Secure your devices using anti-virus and malware prevention software. | User application hardening |
| Set up multifactor authentication and use secure passwords or passphrases. | Multifactor authentication |
| Update your devices and software regularly. | Patching of applications; patching of operating systems |
| Back up your important files regularly. | Backups |
| If you experience an issue, report it and get help. | Reporting |

Table 1: Protective actions for individuals and organisations (based on the Essential 8)

Our research

We are undertaking a program of research to help bridge this divide by understanding the interdependencies between technical systems, human factors and organisational governance controls for information security. This requires a holistic understanding of information security governance, especially in view of continuing digital transformations, including use of artificial intelligence, and the sensitive nature of health data.

In our research programs, we explore a holistic approach to information security governance, emphasising the integration of both technical and non-technical controls to protect against cyber threats. We are conducting mixed-method studies involving diverse health care stakeholders across Australia. We anticipate this approach will yield new insights into the perceptions of health care professionals regarding current information security practices and the barriers to adopting more robust governance mechanisms. This will likely inform more appropriate information security mechanisms that can be used more effectively to protect the sensitive and important health care data held by health care organisations.

Moving forward, it is imperative for the government and health care providers to implement appropriate and effective information security measures, reform outdated legislation and foster a culture of holistic proactive risk management. By doing so, we can work together to better protect sensitive health data and maintain public trust in digital health care systems and associated innovations.

The statements or opinions expressed in this article reflect the views of the authors and do not necessarily represent the official policy of the AMA, the MJA or InSight+ unless so stated. 
