Poor patching, lack of guidance leaving Australian healthcare data exposed
- 30 July, 2018 10:10
Half of healthcare CISOs admit having suffered a security breach in the last 24 months, according to new research that not only highlights the poor state of information security in healthcare organisations, but warns attackers have gained the upper hand using machine learning (ML) and artificial intelligence (AI) tools.
Just a third of organisations responding to a recent member survey – conducted by the Health Informatics Society Australia (HISA) within its Cybersecurity Community of Practice – said they performed a cybersecurity risk assessment at least annually, while only 65 percent had a formal business or governance plan that included managing cybersecurity issues.
The large number of unprepared and under-tested organisations highlighted the ongoing risk to Australian healthcare data, with poor system-administration practices rife.
Just 54.5 percent of healthcare respondents said they knew what to do in the event of a cybersecurity incident, while just 34 percent said they would refresh their systems and hardware when vendor support ceases.
Fully 22 percent of organisations said they were continuing to store and manage healthcare data using end-of-life systems that had no vendor support – meaning that the steady flow of new vulnerabilities was not being addressed at all through vendor patches and updates.
Even where patches were available, many companies were proving slow to act: just 40 percent of respondents said they install operating system patches and updates within 48 hours of release, and 31.8 percent said they only patch after the IT team has had a chance to conduct extensive testing.
Just 46.5 percent of respondents said they had a senior information-security leader responsible for assuring cybersecurity – putting Australia’s healthcare industry well behind the results of a recent, broader Gartner survey that found a third of companies lack in-house security capabilities.
Continuing poor practices amongst Australian healthcare organisations will do little to assuage fears about the expansion of the government’s My Health Record (MHR) system, which has raised alarm bells by concentrating sensitive data that experts believe will be of great interest to cybercriminals.
“The number of systems that will have access to this amount of medical records is concerning,” Ivanti director of pre-sales Andrew Souter said in a statement. “While it is a great idea to centralise citizens’ data into a single platform, the need for a robust and streamlined security system is more important than ever before.”
The HISA figures corroborate the findings of a recent global survey of 3000 cybersecurity professionals, conducted by Ponemon Institute and sponsored by ServiceNow, that reported a 22 percent increase in the severity of cybersecurity attacks over the last 12 months.
Many companies were sitting ducks for breaches, the survey found, with 58 percent of breach victims saying they were breached because of a vulnerability for which a patch was available. Furthermore, 37 percent said they knew they were vulnerable well before they were breached.
Yet despite this awareness, many companies simply couldn’t mobilise their remediation efforts effectively enough. Some 65 percent of respondents said they find it difficult to prioritise what needs to be patched first, while 58 percent said that attackers are outpacing enterprises by tapping into ML and AI tools to iterate their attacks more rapidly.
Cybercriminals aren’t the only operators targeting healthcare data: doctor booking portal HealthEngine recently drew wide condemnation after revelations that it was forwarding patient details to law firms and other third parties.
“People have made it clear time and time again that information about their health is extremely personal and private and they expect it to be kept secure, not shared with all and sundry,” said Electronic Frontiers Australia (EFA) board member Justin Warren in a statement.