The digital revolution has been a catalyst for seismic change in the way healthcare is delivered but managing the security risks associated with this transformation remains a major headache for the sector.
The efficiencies and improved outcomes that have resulted from technology and connectivity are undisputed – and legion.
From online appointment booking systems and telemedicine initiatives which provide the farthest-flung Australians with access to specialist care, to image-guided and robotic surgery, digitisation has had an extraordinarily positive effect on health administration and patient care.
Unfortunately, cybersecurity strategies designed for corporate environments have failed to address the peculiar requirements of the health system, and breaches and incidents have become commonplace.
According to the Office of the Australian Information Commissioner – the statutory authority responsible for adjudicating privacy breaches – health service providers were the number one reporter of data breaches in the first quarter of 2018, making up 24 per cent of all notifications.
Last year saw clinical systems at five of Queensland’s largest hospitals slow to a crawl, after efforts to prevent a cyberattack backfired.
Hospitals were forced to revert to paper-based systems when electronic medical records began to malfunction, after emergency measures were put in place to prevent infiltration by WannaCry. The ransomware worm encrypts the data on Windows-based computers, rendering them inoperable until the owner pays the demanded sum. Contagion from the software had previously brought the UK’s National Health Service to its knees, forcing the cancellation of around 20,000 appointments.
The Royal Melbourne Hospital’s pathology department fell victim to a similar cyber assault in January 2016, courtesy of the Qbot worm.
Private practices have not been immune from malicious activity and, when an attack succeeds, the potential for reputational damage is significant. London Bridge Plastic Surgery, a clinic whose once tightly guarded client list included celebrities and royalty, was held to ransom in late 2017, after its systems were infiltrated and naked images of patients were sent to a journalist.
A special case
Why are healthcare providers at particular risk, compared with organisations in other sectors, which also need to balance the benefits of digitisation against the dangers of business disruption, privacy breaches and the material and reputational damage that commonly accompany a hacking episode?
The answer lies in the following quintet of challenges, most of which are unique to the healthcare industry.
- The arduous sign-in and authentication procedures employed in financial and commercial environments are impractical in settings where ease of use, availability and patient safety are top priorities.
- The healthcare system relies heavily on locum and casual staff, who are typically expected to ‘hit the ground running’, with little, if any, time allocated for cyber security training.
- The security patching – or updating – of medical devices is deemed to be a substantial change to their design or production and, in most instances, must be accompanied by re-certification by the Therapeutic Goods Administration. This can be expensive and time-consuming, and is a powerful incentive for facilities to take a reactive rather than proactive approach to patching.
- Health records contain much of the data required to perpetrate identity fraud. This is more lucrative and harder to block than credit card fraud, which typically nets a thief between $1,000 and $2,000 before a card is cancelled, compared with $8,000-$10,000 for identity theft. The value of health records on the black market reflects this: they trade for 10 times the price of stolen plastic. This creates a huge incentive for criminal hackers to target custodians of personal healthcare information.
- The healthcare system isn’t a single entity; it’s a fragmented ecosystem comprising publicly- and privately-run hospitals and practices, universities and research institutions. The openness and interoperability that’s one of its great strengths is also an extraordinary weakness from a cyber-security perspective, as it makes the various components more vulnerable to attack from self-propagating malware and hackers.
Tailoring your security response
Given these challenges, attempting to mitigate risk by enacting a homogenous security strategy across an entire healthcare business, organisation or network is not the answer.
Rather, healthcare providers do well to adopt an approach whereby digitised assets are placed into categories, each with its own security protocols and protections. Broadly speaking, most assets in a healthcare setting fall into one of three categories: administrative systems, clinical information systems, or modalities (internet-connected clinical devices and systems for diagnosis and treatment).
Determining how each asset within a category can be accessed, by both legitimate users and criminals, helps ascertain the potential impact of an attack and the controls that may be appropriate to protect data integrity without compromising functionality and patient safety.
The improvement journey
The healthcare sector has some of the toughest security requirements of any industry, and few practices and institutions have the time and budget to overhaul their security infrastructure in its entirety or start again from scratch. For most, enhancements will be incremental or will occur as a reactive response to an acute cyber threat.
A security audit by an independent consultancy with health-industry-specific experience can be a useful investment. In addition to providing insight into specific risks, the exercise can be used to inform the creation of a long-term ‘security roadmap’. Such a plan can help ensure security requirements are evaluated and protections implemented as new equipment and systems are acquired, rather than bolted on retrospectively after risks are identified.