At a Health Informatics New Zealand conference on cybersecurity in health last month, Microsoft worldwide health chief information security officer Hector Rodriguez talked about whether New Zealand businesses are prepared against attacks.
Speaking to New Zealand Doctor, he points out practices’ vulnerability lies not just with the technology doctors use but with what patients bring into practices.
Some patients are given their records on USB drives, or receive them online and then post information to social media. The information can be used to create phishing attacks or expose vulnerabilities.
Mr Rodriguez says ransomware has cost businesses US$3 billion in the past few years. That doesn’t always include the costs of lost opportunities and lost care.
Cyber insurance is popular in the US, but that will not help stop attacks, he says. What will stop them is security hygiene – in other words, good habits in the way we share data and create user names and passwords.
Mr Swindley encourages people to choose a long phrase or sentence as their password, rather than change passwords regularly. Having to change often leads people to opt for easy-to-guess passwords, he says.
By Microsoft’s calculations, it costs US$400 to recover from one medical record being compromised.
Mr Rodriguez wants to see prevention replace cure. Microsoft is building artificial intelligence and machine learning into its security systems, to look for patterns across attacks.
New Zealand Doctor knows of several practices that have been hacked but, when approached, the people affected declined to be interviewed.
Mr Swindley says there’s an element of worry and shame in going public, but he emphasises that people can learn from the experience of others.
One very public case was that of the New Zealand Nurses Organisation, targeted by a phishing scam last year.
An email was sent to a staff member, pretending to be from chief executive Memo Musa and requesting the emails of all members. The staff member obliged and sent the information to the address, which turned out to be fake.
Acting chief executive Jane MacGeorge soon realised 47,000 members’ email addresses had been sent to a hacker. The organisation put out a mass email to members straight away, letting them know what had happened, who to contact and how they could protect themselves.
The NZNO’s member support centre was overwhelmed with calls, as was the call centre of idcare, an Australian-based organisation helping the victims of cyber attacks.
Organisations began blocking NZNO emails, which was a problem almost every day, says Ms MacGeorge, who worked 12-hour days in the aftermath.
Some members were very distressed by the security breach, and NZNO needed to offer them support, she says.
The hacker was traced to Lithuania, but there was also a link to a Swedish company, so it’s suspected identity theft was involved.
It’s not known what happened to the member information. A system has since been set up for members to report any suspicious activity related to their email addresses.
Asked if the NZNO would be ready should something similar happen again, Ms MacGeorge says the experience made the organisation stronger, but the real lesson is that everyone is still vulnerable.
The main cost to the organisation was time.
Mr Swindley says the perpetrators are not teenagers in darkened rooms. Rather, the large organisations that develop the attack software are the ones making the real money.
Gallingly, these big players have hotlines, support centres and help desks for their ransomware victims, whom they call “clients”.
“They want to make the transition for you, their client, as smooth as possible,” he says.
With such big players in place, cyber protection and precaution are vital.
He predicts another big attack making the news by the end of the year, but says the large-scale international examples can make New Zealand small business feel too small to count. That simply isn’t true.
Owners of medical practices here will start taking notice when a friend or neighbour is hit, he suspects.
In his view, the best form of cyber-risk management is to have protective measures in place, and insurance as a safety net, should everything go wrong.
Because, as Judy Gilmour knows only too well, “it’s a scary world out there”.