Information received from several hundred thousand patients – NRK Trøndelag – Local news, TV and radio




In the simulated hacking attack on Norway’s four health regions, the Office of the Auditor General tried to make noise so that they would be detected.

Instead, they managed to do what they had feared: hack their way to sensitive and confidential information about Norwegian patients.

At Health South-East they gained access to the health information of a great many patients. In the other three regions, they got access to absolutely everyone’s health information.

In total, this corresponds to information on several hundred thousand Norwegians.

– We were surprised how easy it was, says Annette Gohn-Hellum.

Can it, in the worst case, cause injury to the patient?

She is the chief of operations of the Office of the Auditor General. Its objective with the attack was to verify the data security of the health regions.

They did the same four years ago and were now interested to know what had been done since then.

– We flagged serious errors four years ago, and there was also an attack in 2018. It seems that not much more has been done with data security in Norwegian hospitals since then. Norwegian hospitals lag far behind the basic requirements for ICT security, says Gohn-Hellum.

The Office of the Auditor General has had to deliver a report that is at least as serious to the health authorities.

Gohn-Hellum says it can have fatal consequences if patient information ends up in the wrong hands.

Patient information can be deleted, blocked, manipulated or stolen.

Systems and equipment that are critical to the operation of hospitals can be stopped.

– At worst, it can cause injury to the patient, says Gohn-Hellum.


SIMPLE: Annette Gohn-Hellum says the Office of the Auditor General used simple hacking methods and that they tried to make noise in order to be discovered. Even so, they hacked their way to confidential medical information.

Photo: Ilja C. Hendel / General Auditor

Simple method used

The methods the hackers used in the attack were intentionally very simple.

The hackers started by taking control of the PCs. They then got an overview of the network and tried to access employee user accounts by guessing passwords.

In addition, they identified users with extended rights. Their experience is that too many employees in the Norwegian healthcare system have these rights. Through these users, the hackers gained access to internal networks.

From there, the road to taking control of the entire system is short.

And the Office of the Auditor General accomplished that in three out of four health regions.

– You can then delete information and data, lock down systems, and demand a ransom to return control. Then you own them, says Gohn-Hellum.

I felt naked and offended

This summer, NRK revealed that four Norwegian hospitals had posted health information about several hundred patients on their websites.

This included, among others, Helge Aurheim and his slimming operation. Names, social security numbers and more were posted on the Oslo University Hospital website.

– You feel reasonably naked. First, you don’t know what’s out there. Second, this is not expected to happen. We trust that hospitals have control over this information, he says today.

The hospital apologized for the case and admitted that they broke the law.

Tonje Brenna had health information related to her epilepsy treatment posted publicly on the Sykehuset Innlandet website.

– I felt violated. It is not a good experience that my medical information, my social security number and my information have ended up in the wrong hands. It makes me feel like I have to be careful with everything. After that, I lost all confidence in the hospital’s handling of my privacy, says Brenna.

Solberg and Høie promise improvements

The Office of the Auditor General is concerned that all hospital employees should be aware of ICT security.

But they emphasize that leaders are primarily responsible for building a good culture related to this.

– The fact that we managed to enter was much more than the behavior of the employees, says Gohn-Hellum.

At a press conference on Tuesday, Prime Minister Erna Solberg (H) promised to strengthen data security in hospitals.

She emphasized that all hospital employees must take responsibility, but that errors in the system must also be clarified.

Employees at the Auditor General's Office facility at Storgata 16 in Oslo wanted to test data security at Health Norway. The result was not good.

EXPECTED IMPROVEMENT: The Auditor General’s Office believes that the Ministry of Health has done little to improve ICT security.

Photo: Terje Pedersen / NTB

– Some of them have been fixed since the simulated attacks in January, while other bugs force us to create completely new systems. There has been a delay here, and it will take time before we can fix some of them, Prime Minister Erna Solberg said.

Health Minister Bent Høie (H) acknowledges that not enough has been done to secure ICT systems in Norway’s health regions.

– The report of the General Auditor is serious and very important. It provides health regions with a clear basis to continue working to reduce this risk, Høie tells NTB.

He gives assurances that the work is underway and that he himself will follow up in 2021.

The Auditor General’s Office believes that the Ministry of Health has acted too passively so far.

– The ministry is at least responsible for keeping informed about the state of the area. Especially when we can ensure that both the law and regulation have been violated, says Auditor General Per-Kristian Foss.

According to the Office of the Auditor General, the health regions have addressed many of the specific weaknesses following the report they have received. However, several of the weaknesses will take longer to rectify.
