What legal protection does the victim of a data leak have? What is the price of a customer's privacy and of the disclosure of highly confidential information? What if the leaked information later affects the victims' careers, insurance policies or bank loan decisions, even though that should not be possible either? Why is the most sensitive data held in information systems protected by nothing more than a single username and password, or left exposed to human error? Should data security risk analyses assume that any data stored in an information system could end up in the wrong hands?
The breach of Psychotherapy Center Vastaamo's patient database and the blackmail of its patients in October 2020 is a stark example of how cyber threats are developing. The crime has produced the largest number of victims in Finnish history, with over 25,000 police reports recorded. According to the perpetrator, he holds information on 40,000 people. The crime is being investigated under the criminal code headings of aggravated hacking, aggravated blackmail and dissemination of information violating personal privacy.
On a global scale, the number of victims, the ransom demands and the number of police reports do not seem especially large, but blackmail backed by the threat of publishing highly sensitive psychotherapy records is exceptionally outrageous and rare anywhere in the world.
At a national level, the Vastaamo case has shaken Finns' sense of security. At the same time, the case is a test of Finland's overall security and of the authorities' ability to deal with a serious data protection breach. Those responsible must be identified, but the victims of 'digital violence' must also be better protected. The question arises as to whether legislation and administration are up to date. The lack of comprehensive cyber legislation in Finland should also be re-examined; simply updating the intelligence legislation is not enough.
According to Prime Minister Sanna Marin, it must be examined whether major changes are needed in the state administration, such as centralizing cybersecurity, data protection and other digital issues under one ministry. The establishment of the post of National Cyber Director does not seem to have eliminated the deficit in cybersecurity management. At the heart of an overall security model is co-operation and co-ordination between ministries, which is challenging in rapidly evolving cyber crises.
At the corporate and organizational level, the case underlines the role and responsibility of top management in cybersecurity governance and communication. There is a lot to criticize and improve in Vastaamo's operations, especially in preparedness and crisis communication. The company is now bearing the consequences of lacking both a cyber risk analysis and situational awareness.
The CEO of Vastaamo appears to have buried a data breach that had already taken place a year and a half earlier. There have clearly been shortcomings in the security of the patient information system and in the practices meant to protect it. Nevertheless, the perpetrator of the intrusion and the extortion is to blame for the plight of tens of thousands of Vastaamo's customers. Even the large sanctions that may be imposed on the company, or the dismissal of the CEO, will not help the victims of the leak, nor will they eliminate the possibility of similar events at other companies. The company's board of directors and its entire management must take responsibility for the information security failures. The lack of cyber risk analysis is evident when assessing the level of cybersecurity in many companies. A reliable risk analysis provides a good starting point for developing preparedness and building preventive capabilities.
The Vastaamo case is also a reminder that cyber attacks and data misuse are becoming increasingly rampant, and with them their critical consequences. Ransomware attacks have increased by 50% in the last three months.1 Hacking and ransomware attacks on health information have long been on the rise, tormenting healthcare providers. In October, six different hospitals in the United States were attacked simultaneously, and by the end of July this year 40 million patient records had been stolen in more than six hundred separate data breaches. Attacks on patient data are only one part of the growing data leakage problem.
The case has raised the question of whether the sensitive health information of Finns is sufficiently protected, and whether the companies and organizations operating in the healthcare sector, and the applications they use, have been audited. HUS, the Hospital District of Helsinki and Uusimaa, introduced the new Apotti customer and patient information and ERP system for the entire Meilahti hospital area. Since its introduction on October 31, 2020, all HUS hospitals now use the Apotti system, which increased the number of users from about 10,000 to just over 20,000 and the customer base to nearly two million.2 Apotti's security has presumably been built with the highest level of expertise, but 100% digital security does not exist. It is worth remembering that in 2018 the Norwegian healthcare system was attacked and the customer data of up to three million people was breached.3 The growing number of users alone significantly increases the insider risk and the scope for human error.
Learning from the past to improve the future
For Finland, the Vastaamo case is too significant a crisis to waste. But does a crisis really have to be this big before the importance of investing adequately in cybersecurity and overall corporate security is recognized, and before a company's management understands what cyber risk analysis means for business continuity?
It is well known that remedying the repercussions is far more difficult than dealing with the cyber crisis itself. In the Vastaamo case, too, the leaked data will not be recovered. The information has probably already been sold, or will be sold, to the highest bidder. The patient data that was published online has most likely already spread across the digital world.
Health data differs from credit card and personal identity records in that it retains its value regardless of resale: health data does not expire. That is why it is especially valuable on the black market. Comprehensive health data would of course also have considerable commercial or research value. Even if the health information is not used in Finland, that does not mean it could not be used elsewhere.
Unfortunately, the biggest winners in this crisis are the intelligence organizations that collect data in our country. They have gained valuable information and understanding of how Finnish society operates in such a crisis. We must learn as much as we can from a crisis like this and translate it into action at the national, company and individual level. Hopefully, every company and organization that handles sensitive information will review its own security policies and correct the deficiencies in its own systems and operations. This unfortunate case offers an opportunity to develop a Finnish cybersecurity culture, built on a series of small, forward-looking development measures.
The number of data leaks is on the rise
The world will continue to see major data breaches unless the level of security improves. Healthcare organisations are an increasingly popular target. One reason for the rise in attacks is presumably the growing sophistication and automation of cybercrime: Ransomware-as-a-Service offerings are available to anyone and can be purchased for a small fee, and there is a huge aftermarket for stolen data. Here are just a few examples of recent cyber attacks:
- More than 23,000 hacked databases were published for download on several different hacking forums.4
- A hacker is selling 34 million user records stolen from 17 different companies.5
- There have been 194 coronavirus-related cyber attacks in the UK.6
- In 2020, the records of more than 8.3 million people in total have been stolen in the largest healthcare data leaks.7
- Every crisis is also an opportunity. Let's not waste the chance to learn from the Vastaamo case.
- Information security and crisis communication are major strategic issues for a company and must be taken into account by its management.
- The repercussions of a cyber attack can be far more dramatic than the attack itself.
- The life cycle of a cyber attack, from preparation through the intrusion to the exploitation of the data, can take a long time, even years. Preparing for cyber attacks must therefore also be a long-term, planned exercise.
Featured in Sectra Newsletter, November 2020