Norway was among the latest successful targets for cybercriminals, and this recent attack involved health information.
The victimized organization was Health South-East RHF, which manages hospitals in nine Norwegian counties in the southeastern part of the country.
It received a notification on Jan. 8 when HelseCERT, a computer response team for the health sector, advised the company of suspicious traffic on their network.
Then, IT professionals at Sykehuspartner HF, the parent company of Health South-East RHF, investigated. Their findings confirmed a severe data breach that potentially affects more than half the population of Norway, or just under 3 million people.
Representatives Waited Too Long to Disclose the Issue
Norway is subject to upcoming European Union legislation called the General Data Protection Regulation (GDPR). Approved and adopted by members of the European Union Parliament in April 2016, it will come into effect on May 25.
Besides applying to EU member countries, the GDPR also binds any organization outside the EU that provides goods and services to people in the European Union or tracks their behavior.
Although the standard has many specifications about data use and storage, one of the particulars is that reports of data breaches to regulatory authorities and affected individuals must occur within 72 hours of the initial knowledge.
A 2017 survey from analytics company SAS revealed 58 percent of respondents were not fully aware of what happens for organizations not in compliance by the deadline.
Regardless of whether the team at Health South-East RHF was aware of the GDPR's notification requirements, they did not follow the rules for data breach notifications in this instance, and in fact waited a week before disclosing the breach.
Health South-East RHF did not provide a reason for the delay in notifying anyone about the breach. Since the GDPR is not in effect yet, the organization will not get fined. However, analysts warn the prolonged period that passed could highlight the problems other companies might have regarding compliance.
The GDPR takes a tiered approach to non-compliance fines. In the most egregious cases of failure to comply, the amount imposed is €20 million, or up to 4 percent of annual revenue. However, the failure to notify regulatory officials in time results in a potential 2 percent fine.
How Should Health Organizations Respond to This Breach?
The GDPR spells out requirements for handling consumer data. It also emphasizes that organizations must provide a reasonable level of data protection and privacy to EU citizens. However, the standard does not define what “reasonable” means.
Most personal information forms people fill out include fine print that gives details about an individual’s rights and the responsibilities of the service provider. As the GDPR comes into effect, individuals within and outside the European Union can expect those documents to include full disclosures of data use practices. That may require organizations to edit existing forms to add details or make the material more relevant.
The Norwegian incident should also serve as a wake-up call to remind health facilities that they are continually at risk for data breaches.
Hackers consider patient information especially valuable because it’s highly personalized, and parts of it are valid for a long time. Cybercriminals often sell the data on the black market for top-dollar amounts.
That reality is why it’s so important for health organizations to implement best practices in their facilities and keep data as safe as possible. Several groups can help organizations improve their strategies and make recommendations.
Carrying out a detailed risk analysis is the first step. Then, depending on its findings, organizations may realize the need to patch vulnerabilities, start using more robust encryption technologies or adjust an incident response plan to ensure it minimizes the damage caused.
Having a course of action after a breach is crucial because it eases public fears.
A persistent criticism of how Health South-East RHF handled its incident is that the organization has given only vague responses about the extent of the breach, the kind of data compromised, and what exactly it is doing to stop another infiltration.
The incident in Norway reminds everyone no business, industry or type of data is safe from hackers.
The best response is to take decisive preventive measures that make it harder for cybercriminals to gain access to what they want most.