The ‘Dark Web’ sounds like something invented by Hollywood; the title of a B grade science fiction movie. Unfortunately, the Dark Web is very real and is a very dangerous place.
It’s a hidden network within the World Wide Web accessed using a special browser. It’s frequented by hacktivists (whistle-blowers seeking to avoid detection), organised crime, criminal hackers, paedophiles, drug traffickers, groups on international terrorist watch lists and many others.
The Dark Web is often used to launder money and trade in illegal narcotics, weapons, child pornography, stolen personal financial data, hacking tools/software, prostitution, illicit goods and services, fake credentials, stolen property, and engage in other illegal activities.
Law enforcement agencies from around the world also have a strong presence on the Dark Web to combat the nefarious activities of the cyber underworld.
It’s a place no law abiding citizen should ever visit. And yet there is a very real possibility that your details could be found there.
That’s because illegally obtained medical records of ordinary Australians have become one of the hottest commodities traded on the Dark Web. Personal medical records, such as Medicare details, are becoming one of the most valuable traded commodities because they can be used to perpetrate identity fraud, insurance fraud and ransomware style blackmail.
A recent screenshot of the Dark Web obtained by news outlets showed the medical details of 110,000 Victorians, among others, for sale on the Dark Web in lots of 100 at $45 a pop.
The reason medical records are so popular is because they are relatively easy to steal. There is currently no mandatory minimum level of cyber-security for organisations that record and store personal medical data. While the new age of providing quick and easy access to personal medical data has helped doctors and other health professionals provide better care, it’s also opened up a smorgasbord of critical, personal information for hackers.
Since the Federal Government’s new mandatory Data Breach Notification laws were introduced in February 2018, 63 data breaches were reported in the first 6 weeks of operation. Of those 63, the largest number of breach notifications were from Health Service Providers; 15 in all. Personal health information was exposed in 33 percent of cases.
This has to change. More needs to be done to better protect our private medical records and as this issue involves breaches of both State and Federal laws, both levels of government are responsible for protecting people’s personal medical data.
A mandatory yearly cyber security audit should be required for all health organisations recording and storing personal data. The minimum target level of security should be 2.5/5 under the National Institute of Standards and Technology Cyber Security Framework.
All health organisations recording and storing personal data should also be required to adopt a minimum level of encryption and multi-factor authentication.
As with any information stored digitally or provided to third parties, there are steps you and I can take to better protect our medical data. For instance, always use strong passwords for any website or app that accesses your medical records. Never re-use passwords or use the same password for multiple apps or systems. Store them safely and change passwords regularly.
As new ways of recording, storing and accessing important data are developed, the ability of hackers in stealing our data to trade online grows. Our authorities need to keep pace with this new digital reality to better protect our sensitive information.
Download the report by Sorin Toma here.