Speaker 1: Well, last week we know that the ABC had broken news that more than fifty thousand patients had their health files sent between two Northern Territory government departments. It happened back in twenty eighteen and twenty nineteen, was part of a software system upgrade which was never made public by the Health Minister at the time. It's understood that more than three thousand identifiable records were actually transferred to global software vendor InterSystems, which has offices in about twenty-seven countries. The ABC says that some patient items were classed as having high clinical risk, such as psychology reports and psychiatric facility visits, as well as termination of pregnancy or stillbirth records, as well as electric shock therapy records. Now, I think that the report of this and the concerns have maybe made quite a few of you think to yourself, well, hang on, just how far can our details be shared? And you know, what do we do if our information is actually shared to a third party? Now joining me on the line to talk a little bit more about this is NT Academic Centre for Cyber Security and Innovation Director Mamoun Alazab. Good morning to you, Professor.

Speaker 2: Good morning, and thank you for having me.

Speaker 1: Yeah, thank you so much for your time. Now, what are your thoughts on how this data breach was handled?

Speaker 2: First of all, I want to start by saying that cyber security is indeed a risk that organizations need to actively manage. With, of course, the increasing reliance on technologies and interconnectedness of systems, the potential risk and threat to cyber security have grown significantly. It's very important for organizations to have very active cyber security measures in place to protect their systems, data and sensitive information from unauthorized access, even sometimes from mistakes and errors. So I think the practice that's happened in this particular case, there are a number of issues here to start with. Here the government should reach out to people impacted at the time. Yeah, in my view, hiding the hack sometimes is more damaging than the hack itself. And in this instance, hiding the breach is damaging. It can be more damaging than the breach itself. Reaching out to these victims whose sensitive data has been identified, it can be a serious issue. Second thing is also the public should have been notified about the data incident. I think the public needs to know how their data has been and is being handled, and also if there is any particular mechanism in place.

Speaker 1: Yeah, I think they're really good points that you make, you know. Fundamentally, people want that openness and transparency. They want to know if their information has gone further than what they thought it had.

Speaker 2: Absolutely, absolutely. And really, in this particular case, I mean, usually when transferring health data is undertaken, it is so important that a privacy and security impact assessment should really have been done at the time. So it's surprising that that was not the case. And really a data governance plan, it looks like there was no data governance plan conducted by NT Health, or even a data governance plan, which is really a framework or a strategy that outlines policies, procedures and guidelines on managing and protecting the organization's data.

Speaker 1: And Professor, from your perspective, because I know a lot of people are going to be listening to this right now and going, oh goodness, mate, this is the first I've heard of it. Is there any chance, you know, that my information has been shared or sensitive information has been shared? So from your perspective, is it a situation here where the department has shared that information with a software provider, but it hasn't gone out sort of more broadly? What is your understanding?

Speaker 2: Well, my understanding is the data has not been out in the public; it is within, between the government and the software provider. So look, the consequences for the cyber security of the database can be very, very severe, especially if the data is for rent or sale on the underground market. But in this case, the risk, I mean, is less damaging, as the data is just in between the company and the government. Yes, it hasn't reached the public, so I guess it's less damaging.

Speaker 1: Yeah, and thankfully so, because it does sound like it's really quite sensitive data. I mean, do people have a right to know if their sensitive information has been compromised or sort of passed on?

Speaker 2: Well, I'll tell you. Under the Data Notification Scheme, organizations or agencies that must comply with the Australian Privacy Law have to tell victims if a data breach is likely to cause them serious harm, and they must notify the victims. An example of this really, like for example, identity theft or financial loss or likely risks of physical harm. So organizations or agencies must tell victims and the public about the seriousness of the data breach. Yeah, so I'm wondering if the department or the government has reached out to these victims and they have been proactive about it.

Speaker 1: You would really hope so. I mean, particularly when you're talking about that sensitive information that has apparently been passed on, you would hope that they have. Professor, what safeguards should the government realistically adopt in an effort to try to prevent something like this from actually happening again?

Speaker 2: Well, I think really the very first look is how they've established a data governance plan, and that includes looking again at having a proper framework and strategy that outlines the policies, the procedures, the guidelines of managing and protecting the organization's data assets. And that also includes the data security and privacy, which outlines the measures to protect the data from unauthorized access. It also includes strategies of how you encrypt the data, access control, the authorization of the users who can access the data, data anonymization, the compliance with the data protection regulations. I mean, if we do have that in place, I would imagine even that this data breach wouldn't even happen, because when we're talking about privacy preserving, we're talking about how we even share data with third-party contractors, even to get them to do their job. Instead of giving them real data of real victims, we just provide them with dummy data or anonymized data or de-identified data. So having a framework or strategy implemented in the first place is very important.

Speaker 1: Now tell me, Professor, you know, what should people do if they are listening this morning and they're concerned that their information has potentially been compromised? What advice would you give to them?

Speaker 2: Look, thank you very much. I think this is a very good question. And I do have an issue with us always talking about what the victims can do, what affected citizens can do. And I think I would like really to rephrase the question in a way, you know, and I think this is where the fault is in our law really. The Australian Notifiable Data Breaches scheme already holds victims of data breach responsible for dealing with consequences. We often would say, oh, what now can these impacted citizens do, how can they deal with it, what do they need to do with it. So really, victims of data breach find it difficult to bring an action really in court, because no tort of privacy is established in Australia. The Notifiable Data Breaches scheme should be understood in a broader context of the Australian Privacy Principles. And in my view, I really think the NDB scheme gives entities that should be responsible for data protection much leeway while holding individuals, only victims of data breach, responsible for dealing with the consequences. And I think this is really problematic. Yeah, redressing the grievance caused by a data breach is difficult in the Australian context. It is really difficult, in my view, for a victim of a breach of privacy to bring an action in court, mainly because there is no real established tort of privacy in Australia.

Speaker 1: So it sounds like we really have some work to do in Australia in this space.

Speaker 2: Absolutely, absolutely. It's everyone's responsibility. Everyone is part of it, it's not just victims, how they now deal with it. I think it's organizations, it's regulation, it's law, everyone is part of it, and they need to work together. And I think this is very much an interconnected system that must work together well.

Speaker 1: Mamoun Alazab, the NT Academic Centre for Cyber Security and Innovation Director, I really appreciate your time this morning. Thanks so much for having a chat with us.

Speaker 2: Thank you for having me.

Speaker 1: Thank you.