
‘I was hacked’: GP’s stark warning for colleagues


Jolyon Attwooll


16/11/2022 4:23:36 PM

High-profile Melbourne GP Dr Mukesh Haikerwal has called for vigilance after hackers stole his identity then tried to steal his money.

Dr Mukesh Haikerwal, an active social media presence who describes himself as a 'relatively knowledgeable user', found himself the victim of a sophisticated fraud. (IMAGE: AAP/Daniel Pockett)

At first Dr Mukesh Haikerwal thought it was just the authorities being helpful.
 
A highly active social media user, he had commented on Twitter about a Sydney Morning Herald article on MyGov, and mentioned he was having his own issues with the government services site.
 
Having tagged the Services Australia Twitter account, he saw it followed him shortly after – or so he thought – and he followed them back.
 
They emailed and asked two security questions, as well as sending him authentication codes to his mobile phone.
 
He had supplied neither his email nor his mobile phone number.
 
Just in time, Dr Haikerwal’s suspicions were aroused when he was asked for further information, including details of his driving licence.
 
After getting through to the real Services Australia, he found that hackers had already set up a fake MyGov account in his name, changed the address and payment details on his ATO account and applied for a $55,000 tax rebate to go through to an account entirely unrelated to him.
 
The Melbourne GP describes the hacking operation as a ‘terrifying’ and sophisticated set-up, and has decided to speak out to illustrate how vulnerable our data can be, both at an individual and at a general practice level.
 
‘I’m a relatively knowledgeable user,’ he told newsGP.
 
‘I let my guard down with the follow back on Services Australia. With that one, I blinked.’
 
The Twitter account he followed had been set up in 2012, and on first impression appeared to be a completely bona fide government account – with just a tiny difference in the way it looked compared with the genuine article.
 
‘When I went back to it afterwards, having realised there was a problem, there was a dud handle,’ Dr Haikerwal said.
 
Medical profession ‘a huge target’
After working out what had happened, and notifying the authorities, he went to a long-term contact for advice: security expert Tom Crampton.
 
The CEO of cyber security company Trusted Impact, Mr Crampton says identity theft and hacking are growing both in frequency and cunning.
 
‘The approach used to try to manipulate Mukesh for access to his personal data illustrates the very high level of sophistication that everyone should expect will happen to them,’ Mr Crampton told newsGP.
 
‘It’s not a question of if, but when.’ 
 
As the recent Medibank hack has shown, healthcare organisations are by no means immune.
 
Dr Haikerwal believes the publicity surrounding the Medibank breach may increase the chances of attacks on health providers, while Mr Crampton describes the medical profession as ‘a huge target’.
 
‘Medical information is worth between 10 and 40 times more than a credit card number on the black market – money equals motivation,’ he said.
 
Mr Crampton notes that the Australian Cyber Security Centre describes ransomware as the ‘most serious of the cybercrime threats to Australia’ and says that 90% of attacks begin with a phishing email.
 
‘If you’re not training yourself or your staff how to identify the signs of a social engineering attack or phishing email – you should be,’ he said.
 
He also says the threat of ransomware can be reduced by ‘simple back-up principles and good cyber hygiene’. 
 
‘Don’t just back up your data, but test that it can be restored,’ he advised.
 
Dr David Adam is a member of the RACGP Expert Committee – Practice Technology and Management, and says practice owners and managers ‘should seriously consider an authenticator app or security keys rather than using phone numbers for access to practice systems’.
 
As for measures GPs can take to protect themselves from identity theft, he says advice issued by the Australian Cyber Security Centre is useful – up to a point.
 
‘Unfortunately, much of it boils down to “be careful,”’ Dr Adam told newsGP.
 
‘We don’t ask our patients to just be careful in order to avoid hip fractures, it is important to see systemic change and real protective options.’
 


While Dr Adam notes that the Twitter account followed by Dr Haikerwal was not verified, he says there is a responsibility for organisations to shield users as far as possible from fraudulent activity – and suggests that recent changes on Twitter may increase the scope for abuse.
 
‘We expect social media platforms, our IT professionals and the Government to help protect us against scams and abuse,’ he said.
 
‘Twitter’s identity verification system was supposed to allow the real Services Australia to be identified by a special check mark, but in recent weeks, these have become available for direct purchase, and there’s been an entirely predictable slew of fraudulent posts which appear to be official.’
 
Meanwhile, Mr Crampton notes the high stakes in safeguarding sensitive health information.
 
‘If a bank loses your money, they can give it back and everything is made right,’ he said.
 
‘If confidential health information gets exposed, there’s no giving it back – once the damage is done, it can’t be rectified.’
 
He advises that multi-factor authentication be turned on for anything accessed via the cloud.
 
‘It’s generally simple and significantly reduces your exposure,’ he said.
 
Mr Crampton also advises practices to get a password manager and not to reuse passwords, which he says may already have leaked in previous breaches.
 
Vigilance is also key, he says – and advises a constant wariness for any signs of fraudulent activity.
 
‘Do not think that you are not a target,’ he warned.
 
It is a lesson that Dr Haikerwal now knows all too well.
 
‘We’re all vulnerable,’ he said. ‘We’ve got to all keep watching, pain in the arse though it is … and just be vigilant for nefarious activity.’
 
The college’s ‘Information security in general practice’ resource has recently been updated and is available on the RACGP website.
 