IT Security Management: Australian Red Cross Blood Service
Question
Brief description of assessment task : This task requires you to demonstrate the ability to conduct an investigation of security management issues in corporate organisations based on a real-life case study as outlined in the background information provided below and write a report.
In your report, you will be required to follow prescribed procedures to evaluate risk levels and the potential impact of threats and vulnerabilities for a real-life organisation.
You will be assessed on your ability to analyse the security requirements and objectives of the organisation as well as the efficacy of the risk management strategies that they’ve implemented.
Background information: Your report should be based on the following real-life case study:
The personal data including the addresses of more than half a million blood donors across Australia was compromised in a massive security breach at the Australian Red Cross that has been blamed on human error.
Following an Australian government enquiry, your security company has been hired to undertake a security analysis in relation to the incident and write a report about cyber security risks.
You can find details of the enquiry at:
https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-australian-red-cross-blood-service
https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-precedent-communications-pty-ltd
Based on the findings of the enquiry, your task is to write a report that includes the following:
Assessment 2: individual problem-solving task 2
- A security risk assessment that addresses future cyber security risks, threats and vulnerabilities to the Australian Red Cross blood donor system (these can be technical or business risks).
- A business requirements analysis that assesses future business requirements of the Australian Red Cross, which may include technical, policy, human and governance aspects.
Answer
Executive summary : On the 5th of September 2016, near about 550,000 potential blood donor’s information was leaked to a public webpage server, where the details were entered previously into the website, and this is known as a data breach. The file was unknowingly placed on the website by an employee of the third-party provider. Later, that file was discovered as well as accessed by an unknown user on the date of 25th October 2016. And on that day, the individual has declared to the Blood service organization through some intermediaries. After knowing the consequences, the blood service organization immediately took some steps in order to stop the data breaches actions. On 26th October 2016, the organization temporarily closed the website, then notified the individuals who had registered their names as well as personal information, and also provided them assistance and assurance to resolve the matter soon. Later, Australian Information Commissioner has opened up a new investigation file and took the incident under the Privacy Act 1988 (Cth).
Security risk assessment: On the 26th October 2016, the Red Cross society declared that their services have been hacked about which they were completely unaware of, and that file has contained all the details of the donor information, which was placed on an insecure environment by some third-party website developer. The file has included all the necessary information, which has collected in between the years 2010 to 2016. The information is such as date of births, names, addresses as well as other personal information. Later, with the pace of time, the Red Cross society gets huge help from the Australian Cyber Emergency Response Team who has addressed the issue perfectly and provides them evidence regarding the matter (Bernroider, Margiol & Taudes, 2016).
The blood service didn't stop there; rather they start to invest more and more, and also took strong approaches for the cyber safety so that the donors, as well as Australian public, can feel confident about the process and access the data as well. As per Chmielecki et al (2014), the blood services have tried a lot in making some connection with the donors, whose information were stored in the server, and has informed them regarding the potential data breach (Chmielecki et al., 2014). Furthermore, the firm has also set up a hotline website as well as email address to provide the information to the donors. Some of the commentators have praised the idea and the way in which the organization has responded to the breach, where rest of the members criticized the lax attitude of the firm that led to the breach issues in the first place.
Security risks and vulnerabilities: In the past three decades, the revolution in the information system has deeply changed the life of a person in almost every respect. The tremendous potentials that are enabled by the computers, as well as the software, have significantly reshaped the aspects of technology and capabilities of the system in the modern communication system, healthcare systems, military, aerospace industry, financial sectors and much more. Meanwhile, the software becomes the key infrastructure in most of the domains, whereas, the software security failures cause severe damage as well as losses to the systems (Carroll & Richardson, 2016).
Similarly, a few days back, the Red Cross society in Australia has faced some major issues in their security system, where an unknown user secretly hacked the website and breaks all the information of the donors. According to Cook & Block (2017), the root cause behind this act was a one-off human fault on account of the precedent employee. This data breach issues happened without any direct involvement or any authorization of the blood service, and it was due to an outside scope of the precedent's contractual accountability for the blood service (Cook & Block, 2017). Moreover, due to the absence of the contractual measure and other responsible steps to ensure the security measures for the personal information, data were lost and were accessed by the third-party contractor.
This action leads to exposing all the necessary and personal details of the donors, which is of course not a good thing for the organization and donors as well. Revealing of the personal information could land the concerned person into major problems, out of which, many are associated with the threatening and deaths. Although the blood service organization has immediately took some steps, but data breaches responses and actions are quick and takes much time to overcome the situation.
There were two reasons for the data leak, which were considered as a contributing factor to the data breach. Due to lack of privacy policies and obligations, the organization has failed to measure the contribution of the third-party user in this entire act. There were no reasonable measures with appropriate privacy as well as data security procedures and practices. The Red Cross Society of Australia has never focused on these issues previously, which drives them into major problems (Fraser & Nolan, 2017).
Business requirements analysis of Telstra in relation to Australian Red Cross case study
The way the healthcare services are dealing now has been changed to a great extends. Telstra, one of the leading healthcare organizations in Australia is also embracing changes, which are effective and building solutions for designing as well as for developing better-connected health systems. Telstra is providing the best services in the field of clinical application, business applications, telehealth, secure messaging, informatics, and individual health and services (Kruse et al., 2017).
The telehealth services are the backbone or foundation of the tailored solutions for the workers, patients, hospitals, pharmacies, workers and health funds in order to build a safer as well as more convenient way to control and manage the health. As per Lam & Wong (2018), technology has changed everything and now it's very easy to take the medical appointment online by using the Smartphone. But, these things need secure connectivity and network, so that the personal information will not be leaked into the public arena (Lam & Wong, 2018). No matter what you are and what role you are playing in the healthcare, Telstra always offers ranges of the solution to help the customers in the cost factor and design solutions to manage patient's administrations, stock levels, staff rostering and much more.
Keeping the records up-to-date is one of the critical things in every organization. Recently, in Australia, the Red Cross organization has faced a huge problem regarding the failure in the security system, due to which, all the personal information of near about 550,000 donors has been hacked and the third-party user gets the access of it. So, Telstra has optimum access to the data, and update it easily and quickly. Moreover, they need to keep secure systems in order to ensure patient's confidentiality (Malhotra, 2015).
The organization needs to develop a range of clinical applications, which would help them to store the data securely, to access them as and when they need, and to manage the issues of critical patient's data. Every day, there are thousands of patients, so it becomes difficult to manage the entire things, which begins with gathering the information regarding the patient, about their family and much more. And then capturing and storing the data on the server by analyzing them minutely and turning them into useful insights for upcoming days (Virtanen & Stenvall, 2018). To do all these things, intelligence solutions are required, which could easily solve the issues by optimizing the resources, by improving the patient's flow, as well as by measuring the quality of the care like infection rate, length of stay, mortality rates and much more.
Nowadays, many of the healthcare organization are switching to cloud services due to its huge number of advantages for security control and services. And I think, Telstra should also use the could platform to store the data of the healthcare as it gives the users the accessibility to access the information in variety of electronic devices while reducing and eliminating the technical challenges, cost factors which are associated with the infrastructure and maintenance, and by minimizing the problems linked with the security breaches and fraud cases.
As per my point of view, shifting to the cloud platform could help the organization to focus on what they are performing and how they can securely save the data from the third-party users. Hosting the data on the cloud is therefore easy as it provides more static each year, and this makes the budget simple as well as predictable. Furthermore, cloud services help the healthcare organization to store their data in multiple locations (Wager, Lee & Glaser, 2017). This is important because, it can beneficial for the organization to retrieve the data when there is any abrupt fire, natural disaster or power outage. Cloud platform, in these cases, gives the assurance that the data or the critical functions will be safe without any interruptions. If Australian Red Cross service would have used the cloud services earlier, then they could have saved the data from the third-party user (Virtanen & Stenvall, 2018).
Conclusion : The data breach that had occurred in the Australian Red Cross service was without any direct involvement or authorization of the blood service organization and was only due to the outside scope of the Precedent's contractual constraints and accountability to the Red Cross blood services.
The steps that were taken by the organization were quite innovative and adequate, but they could have done the same earlier. After the data breach, the organization has destroyed all the historical data of the donors from their website, deleted all the personal information that were collected earlier through website, developed new implementation such as third-party management standard operating procedure and third-party management policy as well as in order to monitor the compliance of the third-party providers along with appropriate data security and privacy practices and methods. Furthermore, the organization has updated the entire templates that are on contractual terms for the better acquisition of services and products, and have also included in the comprehensive privacy requirements and data security.
References: Bernroider, E.W., Margiol, S. and Taudes, A., 2016, December. Towards a General Information Security Management Assessment Framework to Compare Cyber-Security of Critical Infrastructure Organizations. In International Conference on Research and Practical Issues of Enterprise Information Systems (pp. 127-141). Springer, Cham.
Chmielecki, T., Cholda, P., Pacyna, P., Potrawka, P., Rapacz, N., Stankiewicz, R. and Wydrych, P., 2014, September. Enterprise-oriented cybersecurity management. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 863-870). IEEE.
Carroll, N. and Richardson, I., 2016. Software-as-a-medical device: demystifying connected health regulations. Journal of Systems and Information Technology, 18(2), pp.186-215.
Cook, K.A. and Block, A., 2017. Improving Health Care Cybersecurity. Risk Management, 64(11), pp.14-15.
Fraser, H. and Nolan, P., 2017. Understanding Health Sector Productivity.
Kruse, C.S., Frederick, B., Jacobson, T. and Monticone, D.K., 2017. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), pp.1-10.
Lam, M.L.L. and Wong, K.W., 2018. Embracing Cybersecurity Risk Management in the Industry of Medical Devices. In Analyzing the Impacts of Industry 4.0 in Modern Business Environments (pp. 177-197). IGI Global.
Malhotra, Y., 2015. Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, &, Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides).
Virtanen, P. and Stenvall, J., 2018. Knowledge Management and the New Configurations of Health Markets. In Intelligent Health Policy (pp. 65-88). Springer, Cham.
Wager, K.A., Lee, F.W. and Glaser, J.P., 2017. Health care information systems: a practical approach for health care management. John Wiley & Sons.
