Financial and Data Literacy
Financial and data literacy is the upcoming evolution of practice in a wide range of sectors. In many organizations, accountants, bookkeepers and certified public accountants have been offering compliance, processing, tax, reporting and accounting services to their clients. In this regard, the accounting practice has accumulated a wide range of methods and information that are used to improve the quality of financial services. Because professionals in this field possess tremendous skills and knowledge, they not only offer high-quality financial services but also provide significant value to their employers. However, many professionals do not possess adequate cybersecurity knowledge and skills. At a time of increasing threats to information and information systems, organizations face a significantly high risk of cyber-attacks. Large and small organizations can incur significant financial losses, especially from the loss of confidential data and system compromise. Because of the low levels of financial and data literacy, high-profile cybercrimes can have devastating impacts on both organizations and individuals. For instance, Hillary Clinton’s 2016 bid for the presidency was significantly affected by a release of confidential information acquired through a phishing attack on her campaign manager, John Podesta (Gilbert, 2016). Despite having significant knowledge and skills in campaign management, the manager released confidential information to phishers, hence putting both the candidate’s privacy and that of his boss at stake. Thus, professionals, especially in the health sector, must possess adequate levels of knowledge and skills in cybersecurity threats and risk mitigation to effectively execute their duties.
Case Study Overview
On Jan 28, the ministry of health in Singapore reported a massive cybersecurity breach that leaked confidential records, including the positive status, of about 14,200 HIV victims, their contact details and identification details. According to the ministry of health report to the media, Farrera Brochez, an HIV-positive American living in Singapore, used numerous techniques, including lying to ministry of manpower officials. Brochez’s case reveals numerous information and information system security threats and vulnerabilities in the Singaporean government institutions, which facilitated the successful execution of the breach. Until the breach, access to confidential information from the HIV registry was still active. Moreover, the ministry of health workforce includes several untrustworthy individuals, including doctors, who can facilitate cyber breaches. With such vulnerabilities, there is a significantly high number of threats, hence an increased risk of privacy breaches, as well as risks to the security of the information system at the ministry of health.
Social engineering techniques are some of the most effective techniques that can be used to successfully access confidential health information from the ministry of health in Singapore. Phishers are a significant threat to the security of information and information systems at the ministry of health in Singapore. Without an appropriate information security policy, departments in the ministry of health cannot effectively protect the privacy of patient and employee information. Failure to regularly update records and revise information access requirements significantly increases the chances of losing information to people who are no longer employees at the ministry. Despite having resigned from the ministry in 2014, Doctor Ler could still access confidential information from the registry department. With a high number of information system users such as Doctor Ler, the ministry is at a considerably high risk of losing information to cybercriminals, especially phishers. Retired personnel can sell or manipulate the system for financial gains.
Despite being one of the simplest methods of com, phishing is one of the most popular and effective techniques for executing cybersecurity breaches. Using spam emails, phishers can successfully send malware to, or acquire confidential information from, unsuspecting employees in an organization. Current statistics indicate that phishing cases have significantly increased in the recent past. A high success rate has sustained a high number of phishing cases in the world. According to Marshal and MailGuard (2018), about 44% of spam emails contain attachments that contain malware. Moreover, about 44% of spam emails lead to successful information and information security breaches in the world. Thus, because the ministry of health employees in Singapore possess significantly reduced levels of information security knowledge, social engineering techniques can be used to successfully compromise information and information security.
Apart from compromising privacy, phishing can be used to spread malware, including worms, viruses and Trojans. Phishers can use spam messages to spread malware to compromise the information system. Because of the high success rate of phishing in the world and the reduced level of information security at the ministry of health, phishers can use spam emails to introduce malware into the healthcare information system. A large number of workers cannot easily differentiate between genuine and malicious emails. Thus, they will probably open attachments and links from phishers, enabling them to successfully infect the information system at the ministry of health.
Social Media Attacks
Because there are many people with information system access credentials, the cluster that cybercriminals can focus on to compromise information and information system security is extremely large in Singapore. Through social media platforms and websites, cybercriminals can target not only current employees at the ministry but also retired personnel. Compared to when access is given to a small set of employees, hackers and attackers have a higher chance of success when there is a large number of users with access to confidential information. The high number of employees with access to information indicates that the chances of having untrustworthy or vulnerable users are considerably high. In this regard, attackers not only have a large number of people that they can exploit but also a variety of execution techniques (Blake, Francis, Johnson, Khan & McCray, 2017). For instance, cybercriminals can choose to focus on users who have inadequate information system security knowledge and skills to execute social engineering-based techniques, or directly acquire access from untrustworthy employees. Therefore, because there are many employees without sufficient information security knowledge, it is highly likely that attackers and hackers will successfully conduct information security breaches at the ministry of health in Singapore.
With an expanding economy, data has become one of the most valuable assets in the modern organization. Multinational organizations, such as Facebook, Amazon and Google, focus on gathering, using and sharing data to ensure enhanced operations. In this regard, there is a need to emphasize transparency in the process by which companies request consent, manage data and adhere to policies, in order to develop trust and accountability with partners and customers who demand privacy. A high number of organizations have recognized the importance of upholding data privacy through failures that have resulted in huge financial losses (Abouelmehdi, Beni-Hessane & Khaloufi, 2018). The 2014 leakage of patient data in Singapore is a typical example that reveals how organizational failures can compromise the privacy of customers and partners. Despite holding essential patient information, the ministry of health is yet to implement an effective access structure that can safeguard data from cybercriminals. Hackers can easily perform uninvited surveillance, hence violating the patients’ rights to privacy. Because of the high sensitivity of health information data, the ministry of health must implement the necessary information security measures to safeguard the privacy rights of patients in Singapore.
Although the ministry of health possesses a relatively secure information system, it cannot guarantee the privacy of patients; there are significant loopholes that can lead to violations. The ministry does not have an effective strategy to govern the process of gathering, utilizing and sharing information. In this regard, employees, such as Ler, may significantly increase the number of data mishandling cases, hence increasing the chances of exposing confidential information to unauthorized users, such as Brochez. Because the ministry is yet to implement effective worker verification procedures, it is extremely difficult to protect the privacy of patients, especially when there are many untrustworthy workers in the country. Therefore, the ministry of health cannot guarantee the privacy of patients in the country.
Despite data theft having become a significant information and information system security issue in many countries across the world, the ministry of health is yet to formulate and implement an effective strategy to prevent it. With a significant increase in the number of recorded cases, data theft is already an overwhelming problem in many parts of the world. In 2016, the United States recorded more than 450 breaches that resulted in the exposure of about 12.7 million records. Despite data theft being a significantly overwhelming issue in the world, Singapore still performs a considerably reduced amount of background checks on foreign health experts seeking employment in the country. In this regard, there is most likely a high number of untrustworthy workers, such as Brochez, who used stolen data to acquire an opportunity to work in the country. Thus, the ministry of health faces a considerably increased risk of information security breaches from domestic or foreign medical practitioners.
In many countries around the world, some of the most compelling data breaches occur in the health sector. In 2015, the top three data breaches in the United States occurred in the health sector. The leakage of confidential health information is the largest data security breach that has ever happened in Singapore. In this regard, the ministry of health must implement robust information security measures to enhance the security of confidential data. Nevertheless, despite the high vulnerability of confidential health data, the Singaporean ministry of health is yet to formulate adequate risk mitigation measures. For instance, the ministry of health does not have an explicit recruitment strategy to facilitate the recruitment of trustworthy data handlers. In this regard, the ministry has been recruiting untrustworthy employees, such as Ler, who pose a significant threat to the privacy of patients (Wang, Ali & Kelly, 2015). Moreover, the ministry cannot prevent cybercriminals emanating from high-risk regions, such as the United States, from working in the country. With a high number of such employees in strategic positions, the information security system is considerably vulnerable to cyber-attacks, and hence the ministry cannot successfully reduce or eliminate the chances of data breaches at the ministry of health.
Proposed Mitigation Strategy
The ministry of health requires an effective information security strategy to reduce or eliminate the chances of information security breaches that can significantly compromise the privacy of patients. In particular, the ministry must ensure that relevant departments possess procedures and tools to prevent threats from getting into the health information system. Moreover, it must align its IT management strategies with the organizational structures to effectively reduce or eliminate the occurrence of data breaches that may emanate from any part of the organization. For instance, to minimize the chances of doctors exposing confidential information, the cybersecurity team must change access rights for several categories of system users. Although doctors should be able to access confidential records, they should not be able to copy, print or transfer the materials from the internal information system. Apart from changing the information access structure, the ministry must implement an effective event handling procedure to minimize the impact of information security breaches (Attema et al., 2018). By making such adjustments, the ministry will reduce the rate at which security breaches occur, as well as their impact on patients.
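An added example, not from the original essay: a deny-by-default access check for the two controls discussed above, view-only access for doctors (no copy, print or transfer) and removal of access once employment ends, as with the doctor who resigned in 2014. The role names, account records and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ACTIONS = ("view", "copy", "print", "transfer")

# Assumed role model: actions each role may perform on registry records.
ROLE_ACTIONS = {
    "clinician": {"view"},             # may read, may not copy/print/transfer
    "registry_admin": set(ACTIONS),    # small, named group allowed to export
}

@dataclass
class Account:
    user: str
    role: str
    employment_end: Optional[date]     # None while the holder is still employed
    enabled: bool

def has_left(acct: Account, today: date) -> bool:
    return acct.employment_end is not None and acct.employment_end <= today

def is_allowed(acct: Account, action: str, today: date) -> bool:
    """Deny by default: disabled, departed or unknown-role accounts get nothing."""
    if not acct.enabled or has_left(acct, today):
        return False
    return action in ROLE_ACTIONS.get(acct.role, set())

def stale_accounts(accounts, today: date):
    """Access-review finding: accounts still enabled after employment ended."""
    return sorted(a.user for a in accounts if a.enabled and has_left(a, today))

# Constructed sample records (not real data).
ACCOUNTS = [
    Account("dr_active", "clinician", None, True),
    Account("dr_resigned", "clinician", date(2014, 1, 31), True),
    Account("registry_lead", "registry_admin", None, True),
    Account("temp_clerk", "clerk", None, True),   # role missing from the model
]
TODAY = date(2016, 1, 1)

def audit(accounts=ACCOUNTS, today=TODAY):
    """Return the per-user permission matrix and the list of stale accounts."""
    matrix = {a.user: {act: is_allowed(a, act, today) for act in ACTIONS}
              for a in accounts}
    return matrix, stale_accounts(accounts, today)

if __name__ == "__main__":
    matrix, stale = audit()
    for user, perms in matrix.items():
        print(user, [act for act, ok in perms.items() if ok])
    print("disable immediately:", stale)
```

The check refuses the resigned account at request time, and the stale list gives the review team the accounts to disable, so the control does not depend on the account record having been updated.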
Data Security Policy Changes
The ministry of health must make a wide range of policy-related changes that can yield a significant reduction in the rate of security breaches that can lead to the loss of data and the violation of patient privacy rights. For instance, the ministry should implement information access rights to reduce the chances of privacy breaches and data thefts. Although information system users should be able to access confidential information, they should not be able to make changes, which can yield a significant reduction in the risk of data theft from the ministry registry. Furthermore, it is necessary to implement policies to enhance the training of information system users to increase the level of literacy in all the departments in the ministry.
In Singapore, there is a considerably high risk of information security breaches, hence of data theft and the violation of patients’ privacy rights. The 2012 information security breach in the country reveals that there exists a high number of information and information system security issues within the ministry of health. The ministry does not conduct adequate background checks to significantly reduce or eliminate malicious insiders, who can facilitate the compromise of information system security. In this regard, malicious insiders and external insiders, such as Brochez and Ler, can easily acquire access to highly confidential information of patients. Furthermore, because the ministry does not conduct information system security training, employees do not possess adequate skills and knowledge to differentiate between genuine requests and malicious actors. Thus, the ministry must make comprehensive changes to its data information security policy to reduce the chances of breaches, especially those facilitated by malicious insiders. For instance, the ministry must introduce information system access rights to reduce the chances of data theft. Furthermore, the ministry should introduce information security training programs that can equip employees with knowledge and skills that can reduce the vulnerability of the information security systems. With such programs, the ministry of health can effectively minimize or eliminate information security breaches, hence reducing the cases of data theft or privacy right violations.
References
Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: preserving security and privacy. Journal of Big Data, 5(1), 1.
Attema, T., Mancini, E., Spini, G., Abspoel, M., de Gier, J., Fehr, S., … & Cramer, R. (2018). A New Approach to Privacy-Preserving Clinical Decision Support Systems for HIV Treatment. arXiv preprint arXiv:1810.01107.
Blake, L., Francis, V., Johnson, J., Khan, M., & McCray, T. (2017). Developing robust data management strategies for unprecedented challenges to healthcare information. Journal of Leadership, Accountability and Ethics, 14(1).
Marshal, E., & MailGuard P. (2018). MailGuard Blog: Breaking alerts, news and updates on cybersecurity topics. Retrieved from http://mailguard.com.au/blog/clinton-campaign-phishing
Wang, P., Ali, A., & Kelly, W. (2015, August). Data security and threat modeling for smart city infrastructure. In 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC) (pp. 1-6). IEEE.
Gilbert, B. (2016, October 31). Hillary Clinton’s campaign got hacked by falling for the oldest trick in the book. Retrieved from https://www.businessinsider.com/hillary-clinton-campaign-john-podesta-got-hacked-by-phishing-2016-10?IR=T