For an organisation whose entire business revolves around the trafficking of healthcare data, the need for information security is hardly a revelation. But when the Australian Health Service Alliance’s (AHSA’s) previous managed security provider closed shop, the organisation was forced back to market in a move that drove a long-overdue overhaul of its security, recovery, and training processes.
Outside help around security was always a must for AHSA, which provides relationship, analysis, contract, and educational services to around three-quarters of Australia’s private health-insurance funds. This sees it handling massive quantities of identifiable patient data from over 500 hospitals and 28 private health insurance companies.
All data is managed in-house, but with only around 40 staff the organisation is “too small to have in-house security expertise,” CIO Glen McLean told CSO Australia – and that, combined with the knowledge that between 1.5 percent and 2.0 percent of all breached data records belong to healthcare providers, compounded the importance of sourcing strong data-protection support.
“Many people can point at examples of the value of a health record in a black-market situation,” he explained, “so we have always had an emphasis on protecting the patient data that we are custodians for. We have always been highly mindful that we have to protect data during its movements, and we have always relied on partners to give advice and check our security.”
A review of the well-stocked market for security services led AHSA to security specialist CQR, which stood out due to its breadth of expertise and formal accreditation under the CREST (Council of Registered Ethical Security Testers) scheme.
That certification lent weight to the penetration-testing capabilities that CQR brought to the table, guiding a review of AHSA’s security capabilities that quickly identified potential weaknesses in the company’s databases and Web site.
The engagement also led to the creation of a formal cybersecurity incident response plan – “it was the first time we had done that,” McLean notes – and spearheaded the delivery of cybersecurity education for all of the firm’s staff.
With surveys regularly highlighting workers’ willingness to compromise security policies in the name of efficiency, cybersecurity training has a track record of being a mixed bag. But the design of the program “went down really well,” McLean said.
“It just triggered so much conversation about security,” he explained. “People have had these things happen at home, and we see a certain amount [of malware] getting into the email and other systems. So we do our best to raise awareness, and a lot of good conversations happened” in the wake of an educational program that included videos of hackers in action and demonstrations of what can happen if users click on malicious emails.
“They just brought a vividness to the whole thing,” McLean said.
With CQR providing ongoing support, AHSA is heading into 2018’s compliance firestorm with the confidence that it has updated its data-protection frameworks and developed cogent response plans that will deliver rapid response in the event of a ransomware infection, distributed denial of service (DDoS) attack, or other incident.
“We have a lot of data flowing to us and back,” McLean said, “so it is important that we have processes to make sure our files are protected. Ultimately our data warehouse is fully protected, with as many of the traditional and required protections as we could get.”