500000 Patient Health Records – The number I have had the misfortune of encountering while performing open-source research for Bitcrack Cyber Security (where the good stuff happens).
The global health industry has been known to have issues with securing the data of their patients. In fact it is considered an eventuality that a healthcare provider is going to be breached. What distinguishes Zimbabwe and the SADC region from the rest of the world in terms of such breaches? Here are some key points:
- There is no effective or complete policy/legislation governing the industry in terms of how data is handled.
- Breaches and leaks of such data is still considered inconsequential.
- The industry is very fragmented which makes it difficult to provide any reasonable industry wide effort to combat the issue.
Typically data breaches are discovered via a search of the Zimbabwean internet space through common open-source platforms, and one thing we have noticed is that it is usually the result of negligence on the behalf of the Business Partners of the Healthcare providers rather than the Healthcare providers themselves.
The Zimbabwean ICT industry is yet to mature in terms of the integration of ICTs in the operational aspects of Healthcare provision, hence when providers make an attempt at integration it is often poorly configured and insecure. Certainly the software provided may perform the intended operational purpose but it does so in an insecure manner, such as without SSL, directory browsing allowed, database backups left on public web-servers, default passwords and so on.
Another aspect that has a negative impact on information security within the Healthcare industry (if not all industries) is that departments responsible for Information and Technology in these organisations are relegated to non-essential cost centres. A common problem is to assume that as long as every-day systems are working then everything must be fine and there is no need to provide IT with any extra funding expect the bare minimum which in turn means outsourcing their needs to Business Partners who do not deliver adequate cyber security controls. If you have any comments about this please let me know.
When breaches result in personal information, especially sensitive information such as medical records, it is imperative to let the affected users know as soon as possible so that they understand the impact. Companies responsible for the breaches should take ownership of such, and ensure that they patch affected systems.
By Kundai Gwatidzo
Bitcrack Cyber Security