Seven Successful Practices for a Robust Healthcare Cyber Security Plan

By Cliff Kittle, Principal, Healthcare & Life Sciences Information Security, Secureworks

Significant strides have been made in the digitalisation of the Australian healthcare industry. For example, medical records are now becoming digitalised and stored online to allow doctors across the country to access patients’ files regardless of what hospital they are visiting. 

In addition, the Australian government is considering moving digital medical records from the current “Opt-In” service to an “Opt-Out” service, which would significantly increase the risk that Australians’ personal medical records could land in the hands of hackers. 

Hackers can make large sums of money by selling an individual’s medical records on the dark web. Hospitals must adopt a strong strategy to ensure people’s personal data is well defended. Below are seven practices that, if put into action, can be the foundation of a cybersecurity action plan. If security is to be a priority within the healthcare industry as it transitions to a more digitalised platform, these principles must be put into action.

Assessment – Target Critical Vulnerabilities

It is important that security experts within the healthcare industry assess where they are most vulnerable to an attack. By ranking potential risks by severity and likelihood, executives and security professionals can determine the liability associated with a situation should an actual attack occur. Scenario analysis depends on a variety of things that might happen in the rapidly changing and disorderly reality of a cyber-attack.

To address the vulnerabilities found through the assessment, the security leader must examine every aspect of the people, processes, and technology of the hospital from the perspective of the potential adversary.

Be Bold

IT teams sometimes must take chances. A risk-reward trade-off approach can increase the organisation’s inclination to make bold decisions, and can train people to evaluate choices, make decisions, and act in the absence of complete information. Sometimes, when a large portion of the information is already available, it is irresponsible to wait for more details, as the hesitation could be costly.

The training of leaders in preparation and planning during the scenario analyses can help develop keen and quick insight in the face of limited information, enabling the exercising of initiative with confidence.

Keep Focus

The security vision of the executive and IT teams must also extend beyond the compliance-driven protection of patient records to highlight patient safety and quality of care. Security vision will enable organisations to improvise within a situation that was not considered or previously identified with respect to controls available. Vision will better enable organisations to shift resources and manage business risks while targeting the sophisticated adversaries of today and the predicted growth of targeted attacks. Security vision is critical to success; it requires considerable balance and creativity if it is to be maintained. It also requires the willingness to assume certain risks presented by a situation.

Decision Making

Giving members of the security team the ability to make decisions, based on the leader’s intent, during a crisis might seem risky, but it is in fact strategic. There is no better way for an IT leader to prove the faith they have in their IT team than to demonstrate confidence in their decision-making capability by giving the team the authority to make decisions in critical situations.

For this strategy to be successful, trust and open communication must include a clear understanding of the security leader’s intent and the degree to which the subordinate has authority to make decisions. Finally, the security leader’s intent, while originating from the top, should be recognised as an agreement throughout the team.


The pace of observation is also an important principle to consider. During an attack, security teams must orient their defences to the situation, determine what action must be taken, and act on that response more rapidly than the adversary can execute their attack. In doing so, the adversary will need to change their attack in response to the defensive action taken.

During the attack, this becomes a continuous loop of act and respond. The entity that can accomplish this faster will cause the opponent to act in a way that presents a new opportunity. Should one side take advantage of these new opportunities, they will break the will of the adversary and cause the attack to end.

Team Work

The last strategy draws all skills and teammates together. In healthcare, its effectiveness is dependent on extensive cross-training of the security team members’ specialties to instil a better understanding across functional areas of their role in the combined effort.

IT teams must trust each other to do the right thing. A leader must keep the team focused and coordinated. IT members must be comfortable in working across different roles and the team must overcome competing interests.

Healthcare Security in the End

Many countries around the world are envious of Australia’s healthcare system. As the Australian government continues to embrace digital transformation, moving citizens’ personal information into a digital format, it must be aware of the risks from hackers.

It will be imperative for healthcare organisations to effectively protect the health systems from cyber criminals trying to cause havoc and make a profit on citizens’ personal information. These seven principles for success in the healthcare world will be a “Must Have” for IT teams moving forward in the evolving threat environment of the global healthcare industry.
