What's Up Doc?

So I am pretty bad at going to the doctor on time, yes I am one of those people who get the overdue notifications on the weekly.

I finally had enough courage to turn up to get my regular medication. Generally, when doctors release scripts it’s one of those situations where you put your script in your bag and run out.

When I needed to return back to the doctor, overdue of course. I realised that when I was consulting my nurse, they asked me my date of birth, which is totally normal. But then I heard this awkward silence, “that is not correct Miss Breen”. I was actually super concerned that I couldn’t remember my date of birth... #awkward.

The Comedy of Errors

The doctor then called me by a different name, and it wasn’t Karissa... it was some randoms name! I then took back the script to realise that the document was actually not my script... it was in fact someone else’s! I perused the document and yep there it was, full name, date of birth, address and phone number, enough to create a fake identity under this person’s name. Things were definitely uncomfortable on both ends by this point.

The part that set me back by this situation was that no one from the doctor's surgery really knew how to handle the situation. After some backwards and forwards, I started to feel pretty bad that I had a random person’s private details in my hands. For someone who is a security person, this raised great concerns as I am not sure if everyone would be honest as I was about this situation.

When you hear on the news around data breaches, this is an example of an accident that could go terribly wrong. My original doctor wasn’t actually in that day, so another doctor had to “make some changes” on my script. I then had to go back to the pharmacy with an “updated” script.

But, what concerns me is that I actually don’t know if this same situation with my details has landed in the hands of some other random in Sydney and is floating about. I think the main problem is the lack of due diligence on both ends. I probably should have checked before leaving the doctor when I was issued with the script. Although, I do believe doctors need to be mindful of ensuring they are not giving away sensitive information to the next person.

Security Troubles in the Healthcare Sector

The Verizon Data Breach Investigation Report is an annual report on data breach trends. Verizon uses questionnaires and hundreds of key industry players to contribute to the report with data and feedback.

dbir

Healthcare is usually one category in the report. Take a look at the 2017 report, you can find the relevant section on page 22. According to the report, the major reason of data breaches in healthcare are: 'Human Errors' (the report calls it 'Miscellaneous Errors') and 'Physical Theft and Loss'.

The paragraph with the heading "A comedy of errors" perfectly shows what Human Errors mean and actually this ties into my current example shared above.

Check out page 50, there is a section dedicated to "Miscellaneous Errors" elaborating this data breach type in detail.

If you open the 2016 report, and look for the similar sections, you see it has not really changed over time. Human Errors in Healthcare is #1. If you go to page 11, the matrix underpins this claim.

Check it out here:

matrix-dbir

What Can We Do

The takeaway from my own experience is that humans make mistakes and training can help prevent these situations from happening. Implementing correct processes in place would have remediated this situation quickly and would limited upheaval.

Here is the example of the script, for privacy reasons, the details have been redacted.

receipt

For Australians, The Australia Privacy Foundation raised the threats of the consolidated patient register called 'My Health Record'.

Human errors are a bad case of things like this going wrong. This is my own personal story and I wanted to share with you that these types of incidents happen on the daily and it is not always an organised crime for these types of events. I would be super keen to hear your own personal stories, with something similar.

Keep on keepin’ on,
KB

This article first appeared in Karissa Breen's blog. Photo courtesy of Hamza Butt

Karissa A. Breen

Karissa A. Breen

Karissa Breen (KB) is a Technologist, who specialising in cyber security and innovation. KB is a writer, speaker and publishes her own blog and vlog.

Read More