Australian Red Cross Blood Service Data Breach: Essay, Details, Risk Assessment.

Reasons for data breach in Australian Red Cross Blood Service

Discuss about the IT Security Management for Security Risk Assessment.

The case study involved in this report is about a blood service bank known as Australian Red Cross Blood Service. The data breach that occurred in the company contained about 550,000 victims who were donating blood through this blood service. The donors were having all their details on the website. The file that contained all the data were placed on a public website, which lead to the data breach (Hoad et al. 2015). The personal information that were lost in the data breach contained personal information that were related to the blood donation including type of donation, the use of blood and the type of donation the user is making. The incident mainly took place because of the absence of contractual risk assessment that was to be implemented by the Blood Service. This report consists of the details of the data breach that took place in the Blood Service. The risk assessment that is involved with the company is discussed in this report. All the business requirements that are involved in the Red Cross Blood Service are discussed in this report.

The security breach that took place with the Australian Red Cross Blood Service lead to a loss of information of about 550,000 blood donors, having their personal information stored in the website of Donor Blood (Fraser et al. 2018). The security measures that were absent that caused the data breach is the absence of measures or other steps that were to be taken as a security measure for protecting the personal information of the blood donors. The reason for data breach was also retention of data on the website for longer period. The service of blood collection also had not met all the requirements of Privacy Act that are related to the data breach. The main cause of the data breach was error that was done by Precedent employee of the company. To identify the risks, the Blood Service should have implemented a framework that includes sourcing strategy, and form contract terms that are appropriate for the company. For securing the network of Red Cross Blood Service, the marketing team should manage the Precedent contract and improve the service that will be provided to the company (Storry et al. 2014). For securing the network of the service, the supplier should comply and have to ensure that the Personnel of the company should also comply with all the policies and the procedures are o be defined properly by the Blood Service. there should be limitation provided to the security, privacy, occupational health, computer resources, awareness training whenever it is necessary. To imply the security, the recipient should also protect the confidential information so that any unauthorized users do not access or can use the data that are confidential to the company (Snyder, Stramer and Benjamin 2015). The duty of the company is to prepare proper precaution so the secrecy of the company can be preserved and the confidential data is kept confidential as well.

Impact of data breach on donors’ personal information

The User Acceptance Testing (UAT) of the company is used for testing as well as taking approval for all the changes that are needed for the website. These activities are all maintained and hosted by precedent of the company directly. The UAT contains a copy of all data that is associated with the website (Bruun et al. 2016). There are many mechanisms that help to protect the data of the website that is stored in UAT. For the Red Cross Blood Service, the section on the web server where the UAT kept the data was made public so that all of them can access them. As the files were stored publicly, the possibility of data breach tended to be much more and the data of the Blood Service was not secure at all (Brixner et al. 2018). The data were not stored directly under the Blood service. The Precedent and the Blood Service both of the organizations have obligations related to the data breach. The service providers of third party were not able to keep the data safe for the Red Cross Blood Service. The contractual arrangements that were made between the Precedent and Blood Service were failed to focus on the control mitigation process subjected to the risks involved in the Blood Service.

Before the data breach, the Australian Red Cross Blood Service had a Blood Service website that deals with the personal information consisting of details of the blood donors. The website also provides appointment for the donors who want appointment for donating blood (Lopez et al. 2016). The Blood Service has a third party provider known Precedent who manages all the data for the company. After the data entered by the donors, the data are transmitted to the Precedent of the company. When the data is received by the Blood Service, the data is then transferred to the internal NBMS (National Blood Management System). The NBMS records all the information of the donors (Daly 2018). There are many services known as Amazon Web Services, which hosts the environment production of Blood Service website. Business analysis also includes non-production environment that includes UAT (User Acceptance Testing) for the website and the Precedent managed them directly. The UAT copies all data that enters in the environment. The UAT is secured by giving passwords. However, the UAT environment was made public and the user knew the place where they were located.

Measures for securing the network of Red Cross Blood Service

After the data breach had taken place, the business requirement of the Red Cross Blood Service was changed (Martin et al., 2017). For detecting the vulnerability that was involved in the data breach, a cyber security expert known as Troy Hunt was contracted, who informed the AusCERT (Australian Cyber Emergency Response Team) and took subsequent steps that are to be taken for the data breach that took place in the company (Williamson et al., 2015). The UAT environment was immediately removed from being accessing the data. The Blood Service engaged the Incident Management Service of AusCERT so that they can respond at the time of further data incident. The Blood Service engaged IDcare so that they can identify the risk assessments that are involved. IDCare lowers the risk of misusing the data in future. All the public and the victims of the data breach was informed about the data breach that took place (Solomon 2017). In addition, for further investigation, special organization was engaged, so that they can monitor the website of the company against any type of vulnerabilities.

Data breach took place in the company of Red Cross Blood Service but there was no such authorization of the Blood Service nor was the Blood service directly involved. The situation was also outside the scope of Precedent. As the data breach already took place, the protection was to take pre data breach for saving the personal details of all the donors involved in the system. The Blood System was not having appropriate risk assessment measure to fight the data breach. However, when the Blood Service was notified about the data breach, the company took necessary steps to control the situation and also tried to implement such factors that will help to mitigate any type of data breach in future. The substantial proceedings that were taking by Blood Service were very acknowledgeable, and there was a communication established in the community about the incident.

References

Brixner, V., Kiessling, A.H., Madlener, K., Müller, M.M., Leibacher, J., Dombos, S., Weber, I., Pfeiffer, H.U., Geisen, C., Schmidt, M. and Henschler, R., 2018. Red blood cells treated with the amustaline (S?303) pathogen reduction system: a transfusion study in cardiac surgery. Transfusion.

Bruun, M.T., Pendry, K., Georgsen, J., Manzini, P., Lorenzi, M., Wikman, A., Borg?Aquilina, D., Pampus, E., Kraaij, M., Fischer, D. and Meybohm, P., 2016. Patient Blood Management in Europe: surveys on top indications for red blood cell use and Patient Blood Management organization and activities in seven European university hospitals. Vox sanguinis, 111(4), pp.391-398.

Daly, A., 2018. The introduction of data breach notification legislation in Australia: a comparative view. Computer Law & Security Review.

Fraser, N.S., Moussa, A., Knauth, C.M., Schoeman, E.M., Hyland, C.A., Walsh, T., Wilson, B., Turner, R., Dean, M.M., Perkins, A.C. and Flower, R.L., 2018. KLF1 variants and the impact on the expression of red blood cell surface molecules in blood donors with the In (Lu) phenotype. Pathology, 50, p.S104.

Hoad, V.C., Speers, D.J., Keller, A.J., Dowse, G.K., Seed, C.R., Lindsay, M.D., Faddy, H.M. and Pink, J., 2015. First reported case of transfusion-transmitted Ross River virus infection. Med J Aust, 202(5), pp.267-70.

Lopez, G.H., McGowan, E.C., McGrath, K.A., Abaca?Cleopas, M.E., Schoeman, E.M., Millard, G.M., O'Brien, H., Liew, Y.W., Flower, R.L. and Hyland, C.A., 2016. A D+ blood donor with a novel RHD* D?CE (5?6)?D gene variant exhibits the low?frequency antigen RH23 (DW) characteristic of the partial DVa phenotype. Transfusion, 56(9), pp.2322-2330.

Martin, G., Martin, P., Hankin, C., Darzi, A. and Kinross, J., 2017. Cybersecurity and healthcare: how safe are we?. Bmj, 358, p.j3179.

Snyder, E.L., Stramer, S.L. and Benjamin, R.J., 2015. The safety of the blood supply—time to raise the bar. N Engl J Med, 372(20), pp.1882-1885.

Solomon, A., 2017. Time to prepare for mandatory data breach notification. Governance Directions, 69(10), p.593.

Storry, J.R., Castilho, L., Daniels, G., Flegel, W.A., Garratty, G., Haas, M., Hyland, C., Lomas?Francis, C., Moulds, J.M., Nogues, N. and Olsson, M.L., 2014. International Society of Blood Transfusion Working Party on red cell immunogenetics and blood group terminology: Cancun report (2012). Vox sanguinis, 107(1), pp.90-96.

Williamson, L.M., Benjamin, R.J., Devine, D.V., Katz, L.M. and Pink, J., 2015. A clinical governance framework for blood services. Vox sanguinis, 108(4), pp.378-386.