Peter A Clarke

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment though there are consequences if there is no notification when there should have been one.  It is regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told Data Breach today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire as the story Brooklyn Hospitals Decried for Silence on Cyber Incident.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed to a service and solicited information are commonly held .  Because the cost of storage is relatively inexpensive and data held digitally do not absorb physical space it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once the data affected stolen by a hacker, but not notified to authorities, comes to the attention of a government agency if posted to the dark web or as in other occasions, discovered by the media the difficulties can compound.

The UK Companies fear reporting story provides:

Swathes of the British private sector are reluctant to report cybersecurity incidents to law enforcement for fear of regulatory fallout, U.K. lawmakers heard during a parliamentary hearing on ransomware.

Businesses that experience a breach of personal data and online service providers undergoing a substantial cyberattack must report incidents to the Information Commissioner’s Office within 72 hours.

The possibility of regulatory consequences to disclosing incidents drives a wedge between businesses and law enforcement, said Jayan Perera, head of cyber response at London-based Control Risks while testifying Monday before Parliament’s Joint Committee on National Security Strategy.

“The fear may not be that law enforcement will come and slap the handcuffs on them,” Perera told the committee. Rather, they fear that calling police during a cyber incident “will then lead to, you know, some other broader fallout in terms of the regulatory environment.”

Reporting that allowed businesses to anonymously disclose incidents would result in more data, he suggested. If “it wasn’t sort of handing themselves in to say that we’ve made a mistake, that perhaps there would be more sharing there.”

Perera wasn’t the only one during the hearing to suggest that companies are punished for disclosure.

“The comment is also made … that the Americans tend to support their businesses, whereas the other comment also made is that the U.K. tends to find fault when someone gets into trouble,” said Lilian Pauline Neville-Jones, a Conservative member of the House of Lords.

“I think there’s a dimension of British culture here,” responded Ollie Whitehouse, chief technical officer, NCC Group, a Manchester-based cybersecurity consulting firm. But he contested Neville-Jones’ characterization. “Things get mobilized, and support is provided,” he said.

Monday’s hearing was the first evidence session for the committee’s inquiry into ransomware, which is currently accepting inputs from industry stakeholders on matters ranging from the scope and extent of ransomware attacks to developing a U.K.- wide response.

The committee is expected to hold more hearings in the coming months.

A recent report by the National Cyber Security Agency revealed that ransomware remains the biggest cybersecurity threat. This year alone, 18 attacks in the United Kingdom required national-level coordination to mitigate the malware in its critical infrastructure systems (see: Ransomware Attacks Pose Biggest Threat to UK Organizations).

The Brooklyn Story provides:

Patients and neighboring physicians are frustrated over a lack of transparency from a trio of Brooklyn safety-net hospitals involved in an ongoing cyber incident affecting electronic health records, patient portals and other systems.

Some systems at One Brooklyn Health System’s three hospitals – Interfaith Medical Center, Brookdale Hospital Medical Center and Kingsbrook Jewish Medical Center – were taken offline Nov. 19 following an incident about which little is publicly known.

Sources tell Information Security Media Group that the organization has been tight-lipped with other area hospitals about the cause of the outage, which is suspected to involve ransomware.

One Brooklyn Chief Executive Officer LaRay Brown said in a Wednesday statement that the cybersecurity incident caused a network disruption and that “immediately upon discovering the incident, we took certain systems offline to contain the disruption.”

“Our teams have been successful in restoring access to certain clinical applications, including limited access to electronic medical records and other critical systems for a significant number of our team members. Patient care has not been impacted as a result of this incident,” Brown said.

A One Brooklyn Health System employee tells Information Security Media Group that the incident caused hospital phone systems to randomly call patient and emergency contact phone numbers to inform them broadly that the organization is dealing with a “network outage” but that appointments have not been canceled.

In a follow up email sent after this story was published, Brown tells ISMG those calls were not flukes. “The automated calls were intentional calls arranged by One Brooklyn Health to keep our patients – current and former – informed and to advise that we continue to be available for outpatient services,” she says.*

The New York Post reported Tuesday that the hospitals are sending patients to other facilities but that One Brooklyn failed to notify New York Fire Department ambulance services to stop delivering emergency cases.

The hospital system’s lack of transparency has frustrated leaders at other area hospitals, who are experiencing a sudden influx of patients and are fearful of falling for the same, unexplained attack, a New York medical system cybersecurity official told ISMG on condition of anonymity.

Brown tells ISMG in her follow up email that “a small percentage of emergency department patient transfers that have occurred since Nov. 19 because of the IT incident.”

The effect of ransomware and related cyber incidents involving healthcare organizations can last for weeks, or even months.

Facilities affected by an October ransomware attack on Chicago-based hospital chain CommonSpirit were still dealing with IT outages for more than a month after the incident was detected (see: CommonSpirit Systems Still Offline One Month Post-Attack).

Axel Wirth, chief security strategist at security firm MedCrypt, says that one of the top lessons many healthcare sector entities have painfully learned in recent years is that they cannot assume that a cybersecurity event will be limited to a controlled environment – be it a single device, department or hospital.

“We need to consider – and plan and prepare for – impact across multiple clinical services, several departments, and even across regional hospitals. This is true for the technical aspect of the security event as well as the impact of shifting care delivery,” he says.

Lack of Transparency Hurts

Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, says a lack of transparency by healthcare organizations dealing with ransomware incidents is a common problem.

“Despite being a member of an ISAC, we still see organizations reluctant to share attack details when they are a victim of a cyber incident,” he says.

Senior leaders at those organizations may not trust the anonymity and trust built into information-sharing processes and may be concerned about further exposure and negative reputational impact from unauthorized disclosures, he says.

“Given our incredibly litigious society, internal counsel at the impacted organization may also recommend against disclosure outside the company because it could possibly be used against the firm in future litigation,” he says.

Many organizations do not realize that they have liability protections involving cyber information sharing under the Cybersecurity Information Sharing Act of 2015, he says. “We just need the government and society to create a culture that rewards sharing and does not punish the victim.”

Weiss says that when H-ISAC learns of an incident affecting member and nonmember organizations, it offers them technical assistance and requests that they share the details of the incident.

“Organizations can share securely through Health-ISAC’s Threat Intelligence Portal,” he says. They can share anonymously and instruct Health-ISAC to share beyond the center if they choose, including other ISACs and U.S. government organizations.

“The attack techniques and subsequent information is incredibly useful in protecting corporate networks,” he says.