MediSecure data breach exposes Australians' health information, ignites cybersecurity concerns

As we increasingly rely on digital technology to manage our health and personal information, the security of these systems becomes paramount.

Unfortunately, the trust we place in these digital guardians can sometimes be shaken by events like the recent data breach at MediSecure, an electronic prescription provider that many Australians have depended on for the secure transmission of their medical prescriptions.


MediSecure confirmed a ‘large scale’ data breach, which potentially exposed Australians' sensitive medical information.

This breach is a stark reminder of the vulnerabilities that exist within the digital infrastructure of our healthcare system.

The company's website, now largely inactive except for the statement regarding the breach, acknowledged that ‘personal and health information’ has been compromised.


MediSecure, an e-prescription provider, suffered a ‘large scale’ data breach compromising Australians’ personal and health data. Credits: X / @MediSecureAU


The website's statement read, ‘We have taken immediate steps to mitigate any potential impact on our systems.'

‘While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.’

For those unfamiliar, MediSecure offered a system that enabled healthcare professionals, such as GPs, to send prescriptions to patients electronically.

Its service was integral to the healthcare process, promising secure and safe transmission of medical documents with its reassuring tagline: ‘eScripts. Sent. Secure. Safe’.

However, since November 15, MediSecure has not been used for new electronic prescriptions, as the federal Health Department designated eRx as the sole e-script provider.

Despite this, MediSecure's system remained accessible for patients needing to retrieve existing documents.


MediSecure stated that it had contacted government agencies and is aiding them in 'managing the impacts of the incident’.

‘MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available,’ the company stated.

‘We appreciate your patience and understanding during this time.’


Lieutenant-General Michelle McGuinness, the National Cyber Security Coordinator, reported that MediSecure informed them of the incident on May 15.

‘Yesterday afternoon, I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident,’ she said in a statement yesterday.

‘I am working with agencies across the Australian government, states and territories to coordinate a whole-of-government response to this incident.’

‘The Cyber Security Centre is aware of the incident and the Australian Federal Police (are) investigating,’ she added.


Federal Cyber Security Minister Clare O'Neil stated that the government is addressing the data breach.

‘I have been briefed on this incident in recent days and the government convened a National Coordination Mechanism regarding this matter today,’ she said.

‘Michelle McGuinness is leading work across the Australian government to support the company in managing this large-scale ransomware incident.’

‘Updates will be provided in due course. Speculation at this stage risks undermining significant work underway to support the company's response,’ Minister O’Neil continued.


Lieutenant-General McGuinness mentioned that the investigation was in its initial phases, with further updates to follow soon.

‘We are in the very preliminary stages of our response and there is limited detail to share at this stage,’ she explained.

‘But I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.’


As Australia grapples with the aftermath of a significant health data breach, concerns over cybersecurity and the protection of sensitive information have surged to the forefront.

The revelation of this breach prompted swift action from government officials, including the National Cyber Security Coordinator, who is actively involved in managing the situation.

Amidst these efforts, a parallel development unfolded as the government identified the alleged perpetrator behind another high-profile cyber intrusion involving Medibank, affecting millions of Australians.

These interconnected events underscore the critical importance of cybersecurity measures and highlight the ongoing challenges in safeguarding personal data in the digital age.
Key Takeaways
  • MediSecure, an electronic prescription provider, experienced a ‘large scale’ data breach involving personal and health information.
  • The breach, believed to have originated from a third-party vendor, prompted a coordinated response from the federal government.
  • MediSecure took immediate steps to mitigate the breach's impact and is working with government agencies to manage the situation.
  • The company emphasised its commitment to transparency and legal obligations and will update the public as more information becomes available.
We at the Seniors Discount Club understand the gravity of such breaches, especially for our members who are often the most vulnerable to the repercussions of compromised personal information. We urge you to stay informed and take the necessary precautions to protect your digital footprint.

Do you have any concerns or experiences you'd like to share regarding the MediSecure data breach or digital security in general? We encourage you to reach out in the comments below.
 
Medisecure, not very secure and they want us to go cashless.

"This breach is a stark reminder of the vulnerabilities that exist within the digital infrastructure of our healthcare system."
and everything else digital across the world. Happening too often, until they are able to be ahead of the hackers it will be a constant issue.
 
As a minimum, I would be looking for a comment from Lieutenant-General Michelle McGuinness, the National Cyber Security Coordinator, to re-assure Australians that eRx as the sole e-script provider has superior cyber security than the mis-named MediSecure.

Moreover, Minister O’Neil should be explaining in greater detail what these slack companies are being compelled to do to ensure entrusted data is better protected.
 
These companies get hacked because they are attached to the internet and we are too damned lazy to travel to the GP to pick up our scripts AND as we no longer write letters but use the internet Australia Post no longer bothers to provide a "next day" postal service AND of course we cannot use fax machines. Whenever and wherever there has been a code, someone has cracked it.
 
Rob44,

you may not get a response.

For rolling encryption codes, think keyless entry systems like garage door openers. A more complex security system is needed to try to protect data as described in this article. The following may help more.


The recent ransomware attack on MediSecure, an Australian electronic prescription provider, highlights the importance of robust security measures in healthcare systems. While a rolling code (also known as hopping code) is a valuable security technique, its application in this context may not directly address the specific challenges faced by MediSecure. Let’s explore further:
  1. What Is a Rolling Code?:
    • A rolling code system uses cryptographic methods to prevent replay attacks.
    • It generates unique codes for each transmission, making it difficult for attackers to intercept and replicate exchanged codes.
    • Rolling codes are commonly used in keyless entry systems, garage door openers, and other wireless remote control systems.
  2. Application to MediSecure:
    • Rolling codes primarily protect against unauthorized physical access (e.g., car doors, garage doors).
    • In the case of a healthcare system like MediSecure, the primary security concerns involve data breaches, privacy, and data integrity.
    • While rolling codes can enhance physical security (e.g., securing access to server rooms), they do not directly address the complexities of securing sensitive medical and personal information stored in databases.
  3. Challenges in Healthcare Systems:
    • Healthcare systems require a comprehensive approach that includes encryption, access controls, secure data sharing, and secure data storage.
    • Implementing a rolling code alone would not fully protect against sophisticated cyberattacks or ransomware incidents.
  4. Recommended Measures for Healthcare Systems:
    • Strong Encryption: Implement robust encryption algorithms to protect data at rest and during transmission.
    • Access Controls: Use attribute-based access control (ABAC) to manage data access based on user attributes.
    • Blockchain and Distributed Ledgers: Explore blockchain-based solutions for secure and auditable data storage.
    • Regular Backups: Regularly back up critical data to prevent data loss during ransomware attacks.
    • Security Audits and Monitoring: Conduct regular security audits and monitor system logs for suspicious activities.
In summary, while rolling codes play a role in physical security, a comprehensive cybersecurity strategy is essential for healthcare systems like MediSecure. Collaborating with cybersecurity experts, implementing encryption, and adhering to privacy regulations are crucial steps to safeguard sensitive medical data.

Companies that are hacked don't usually talk about it much, but I've often thought that human error plays a big part in some data breaches. Which again lends itself to the 'complacency' theory.

Research suggests best practices for healthcare organisations to consider implementing should be:

  1. Employee Training and Awareness:
    • Educate employees on cybersecurity best practices, such as identifying phishing emails, handling sensitive data securely, and reporting suspicious activities.
    • Create a cybersecurity-aware culture within the organization.
  2. Data Encryption:
    • Encrypt patient data to add a secure layer around information.
    • Use strong encryption algorithms for data at rest and during transmission.
  3. Access Controls:
    • Implement strict access controls based on user roles and responsibilities.
    • Use attribute-based access control (ABAC) to manage data access.
  4. Regular Software Updates and Patches:
    • Keep software and operating systems up-to-date to address vulnerabilities promptly.
    • Regularly apply security patches to minimize the attack surface.
  5. Endpoint Protection:
    • Deploy endpoint security solutions to protect devices (computers, servers, medical devices) from malware and unauthorized access.
    • Monitor and manage endpoints effectively.
  6. Data Loss Prevention (DLP):
    • Implement DLP solutions to prevent accidental data leaks and unauthorized data transfers.
    • Monitor data flows and enforce policies.
  7. Regular Backups:
    • Maintain offline, encrypted backups of critical data.
    • Regularly test backups to ensure data integrity and availability during ransomware incidents.
  8. Security Audits and Monitoring:
    • Conduct regular security audits to identify vulnerabilities and assess compliance.
    • Monitor system logs for anomalous activity and respond promptly to incidents.
  9. Zero Trust Model:
    • Adopt a zero-trust approach by verifying every user and device attempting to access the network.
    • Assume that no entity is inherently trusted, even if internal.
  10. Secure System Design:
    • Integrate security into system design from the outset.
    • Consider security requirements during software development and architecture planning.
Cybersecurity is always an ongoing effort trying to stay informed about emerging threats, and adapt security measures accordingly.
 
Thank you for your explanation and lengthy description. I appreciate your trouble. In response all I can say is, "Gor' blimey; an analogue (cardboard) card-index system is easier to secure against burglars, foot-pads, purse-snatchers and highwaymen."

Who on Earth wants to cart around half a ton of cards from which to read and copy to steal your personal information on a large enough scale to be worthwhile? Even better for historians would be stone or clay tablets, but the building inspector might say that is overloading the attic..........
 
"Gor' blimey; an analogue (cardboard) card-index system is easier to secure against burglars, foot-pads, purse-snatchers and highwaymen." A fire could be effective! Perhaps this could happen due to the EV battery exploding due to the workout it would get from having to travel from the A-Z paper file storage area required? Better use of land than the AFL stadium perhaps?
 
Why would anyone want an EV battery? Filing clerks and copyists with quill pens and inkwells are self-sustaining.........Not one skerrick of electricity required!
 
Happy to. The thing is with the help of the ether world it only took me, if not 5, then 6 minutes from wo to go to put it all together.

The real point to highlight is that Minister O'Neil should be compelling those entrusted with the Public's data to have cutting edge cyber-security systems, practices and tests in place to make it difficult in the extreme for even international state-based criminals to breach systems and steal data.

A number of the cyber issues, in my opinion, could be traced back to human failings. From the goose who clicks on a random link to the boardroom where appeasement of any greedy shareholders means that the correct amount of spending is not paid to keep the sensitive data as secure as needs be.

Simply put, it's a total disrespect for the level of protection their customers' data needs. Any company not prepared to have high levels of security in place to protect our data, should not be given the privilege of having the data in the first place.

More broadly, I'm not one for going back to ink wells or quills etc. But I also believe it's a smart thing to take history into account so consideration for the future can be given. It's also possible that if one gazes in the rear vision mirror for too long, chances are a crash will happen in front.

It is what it is and we have what we have. It's ok not to like it (one could try and change it), same as it's ok to enjoy it.
 
I would agree with what you say about cybersecurity. It is essential. Full stop and finish. Otherwise, back to carving stone tablets in the attic..........preferably in a language no one understands.
 
Your choice; trust a snail or a scammer?

We humans being humans, generally casual, lazy and doing things on the cheap to make a buck, do you really believe that every "service-provider", private or public, will go to the lengths outlined by jimmyflattrock to secure your personal information?

The snails win!
 
"a system that enabled healthcare professionals, such as GPs, to send prescriptions to patients electronically."

I don't know what's going on here, but I do know that where I live (Queensland), GPs have been told by Federal Department of Health/Medicare that repeat prescriptions are not allowed to be written unless the patient has seen the doctor and he confirms that it is safe to prescribe. I have been on two medications now for over twelve years, and will be for the rest of my life, but I still have to make an appointment every six months to obtain a renewal. Seeing as that directive is a Commonwealth requirement, I fail to see how these types of firms get away with this.

As far as cyber security is concerned, I believe every breach of private information should be followed with a $1,000,000 fine, and if it can be shown that the organization was grossly negligent, the fine should be $10,000,000. Hopefully, that would put them out of business and therefore unable to repeat their negligence. There are sufficient safeguards for digital protection available today, so there is NO excuse.
 
It will if the fine is 10 million dollars. A kick in the goolies is the answer.
 
A kick in the stones? How is that going to help???
I was speaking metaphorically equating it to a 10 million dollar fine. Obviously you have never had such a kick, or you would have seen the connection.
 
