CIO

The sick man of the cyber-security sphere…it’s time the Australian healthcare industry took a preventative approach to high tech ‘contagion’

by Priyanka Roy, Marketing Analyst at ManageEngine

Which industry is Australia’s worst offender when it comes to data breaches and cyber-security threats?

If you answered healthcare then congratulations, you’re on the money.

Health service providers were responsible for 58 of the 215 notifiable data breaches reported in the first quarter of 2019, according to the Office of the Australian Information Commissioner (OAIC), Australia’s privacy watchdog.

It was a similar story in the December 2018 quarter (54 of 262 documented breaches) and in the September 2018 quarter (45 of 245 documented breaches).

They’re concerning statistics, particularly when considered against the backdrop of public concern about patient privacy generated by the national roll-out of Australia’s controversial electronic health record My Health Record in 2018.

The system appears to offer significant scope for large scale data breaches, given the number of parties which have electronic access to a rich seam of personal and medical information.

A healthy disregard for cyber-security infections?

Yet, despite its well-documented standing as the sick man of the cyber-security sphere, research suggests the healthcare sector continues to take a somewhat cavalier approach to the task of protecting core business systems and sensitive data.

Around half the healthcare organisations surveyed in a recent Microsoft study carried out by Frost and Sullivan hadn’t factored cyber-security into their digital transformation initiatives from the outset. Many took a ‘bolt on’ rather than a strategic approach to cyber-security.

It’s somewhat surprising, given that the patient information healthcare providers typically have in their keeping is worth more to cyber-criminals than almost any other form of personal data.

Some US research suggests the value of personal records for sale on the ‘dark web’ doubles if they include medical information.

Used in combination with other personal data, medical records can provide the detailed and reliable personal information necessary to commit identity theft and obtain products and services by deception.

Unfortunately, all too often, the threat to patient privacy comes not from hackers and cyber-criminals outside the organisation but from within. A DBIR report from 2018 found an astonishing 56 per cent of cyberattacks in the healthcare sector were inside jobs, with money the most common motivation.

Diagnosis and treatment

Stringent security regimes aren’t implemented by accident. Rather, enterprises which place a high value on systems and data security devote considerable resources to ensuring they understand their vulnerabilities, the threats they face and the means by which these can be mitigated.

Conducting a comprehensive security audit of systems and processes is a good starting point.

Many healthcare organisations lack the expertise to carry out this exercise and will find it helpful to work with external consultants with the skills and knowledge to evaluate the status quo and make recommendations to augment existing security arrangements.

Implementing up-to-date cyber-security tools and technologies is a straightforward way to strengthen defences against external data thieves and should be at the top of the to-do list.

Cyber-security auditors don’t just look at software solutions; they’ll also give processes and practices a comprehensive examination. Encouraging employees to use secure channels of communication, for example, will reduce the likelihood of data being lost or compromised while it’s being transferred between the organisation and its patients or other providers.

It’s also essential to get a handle on where data is stored, whether it be on internal servers or offsite through a cloud-based service provider, and to obtain assurances it’s as secure as possible.

While education and training won’t prevent rogue staff from attempting to steal patient data, they can reduce the likelihood of their honest colleagues instigating an accidental data breach.

Regular awareness training helps employees understand the dangers of phishing, malware and physical loss of data (think the misplaced USB drive, lost laptop or smartphone sans password) and the practices they can adopt to ensure the organisation does not become a statistic.

Ensuring patient data is in safe hands

The compromise of sensitive patient data can cost healthcare providers dear – both financially and in reputational damage. Adopting comprehensive protection strategies, including stringent cyber-security measures and regular staff training, will do much to ‘boost their immunity’ to both internal and external compromise and attack.