The latest compromise of a dot-Gov system shines a light on the constant barrage of attacks that government systems face every day. Read on to discover just how bad it gets.
Just days ago, HealthCare.gov was hit with a sophisticated cyber attack that saw the data of up to 75,000 individuals compromised. According to CNBC, this data included “the last four digits of the Social Security number, immigration status and employer name”, which was confirmed by the Department of Health and Human Services.
This is a world-wide problem that requires both world-wide recognition and a redefinition of best practices when it comes to what constitutes acceptable security processes. In Australia, France, Germany and here in the US, we’ve seen world leaders condemn actions largely stemming from Russian cyber attacks on political and commercial institutions and enterprises, but condemnation is only the beginning of the story here. Dot-Gov systems are arguably the most attractive targets for hackers, and as the founder of Patient Privacy Rights based in Austin, Texas, Dr. Deborah Peel says: “the breaches will keep happening because the [government-legislated] healthcare industry has built so many systems with thousands of weak links.”
Just under three years ago, the U.S. felt the sting of a self-inflicted wound that hit just under 200 million people when the national voter database was compromised. The data of 191 million registered voters in all 50 States and the District of Columbia was exposed, including names, dates of birth, party affiliation, addresses and email addresses. While this wasn’t a typical breach involving a third party with nefarious intentions, it does illustrate the fact that a set of robust and painstakingly accurate processes needs to be in place when dealing with personal data. It could also have set a dangerous precedent, with those third parties now realising that government systems are by no means fool-proof in terms of their security procedures.
This comes to the forefront when we look at the problem in the context of the healthcare industry. According to a new study from the Journal of the American Medical Association, the number of health data breaches has increased 70% over the past seven years, equating to around 132,000,000 users’ data. The scope of the problem here certainly extends to contractors that governments work with, particularly insurance providers that are given access to protected health information (PHI), which is an attractive prize for any hacker due to the sensitive nature of the personal information they’re able to access.
In the European context, the recently enacted GDPR – General Data Protection Regulation – has introduced legal obligations to report data breaches, and financial penalties for ignoring these requirements. In Germany, it seems to be working. According to Härting, “in the first month only, the supervisory authorities have received more complaints than in the whole year before… they received most of the complaints right after the implementation of the GDPR.” France and the UK have also seen a significant rise in the reporting of data breaches, which gives authorities a sturdier foothold in terms of analysing the data and organising their findings. When enterprises and government institutions alike are dishonest in the reporting of data breaches, it harms not only the organisation itself and its current clients, but also future stakeholders and the wider industry they operate in.
To sum up, no system is perfect, and despite their perceived high levels of security, neither are government systems. The problem is compounded by the fact that government institutions are often hoarding some of the most valuable and desirable data a hacker could hope for, particularly in the case of sensitive protected health information (PHI). In almost every case in the aftermath of a data breach, victims are offered free identity-theft consultations, such is the direct correlation between being the victim of a data breach and having one’s identity stolen only a short time later. It’s our hope that you never have to go to one of these consultations, and that you meet a seemingly imminent threat head-on with a robust set of security processes, a safety-oriented culture in your business, and a proactive attitude in terms of doing business in the 21st century, fully aware of the risks.