Credit: ID 44662539 © Wittaya1988 | Dreamstime.com
Around the globe, cyber-security threats are real and rising and Australia’s healthcare sector is far from immune.
Maintaining effective cyber-security defences has become a strategic challenge for healthcare providers of all sizes and stripes, from standalone practices to the country’s largest hospital chains.
Healthcare is one of Australia’s largest and fastest growing industries – worth $152 billion a year, according to Ibisworld research.
The sensitive patient data healthcare providers have in their possession is of considerable value to hackers and cyber-criminals looking to appropriate and misuse it for financial gain.
US research suggests this type of information sells for a premium on the dark web, where records containing medical data can go for up to twice the price of other personal records.
Evidence also suggests Australia’s healthcare providers are struggling to mitigate the cyber-risks they face. Health service providers accounted for 54 of the 262 notifiable data breaches in the final quarter of 2018, according to Australia’s privacy watchdog, the Office of the Australian Information Commissioner.
Mitigating cyber-risk effectively – and shrugging off the sector’s ‘chief offender’ title – calls for a top-down approach, with buy-in and support from senior clinical and administrative staff.
Scoping out the challenge
The past two decades have seen information technology undergo an extreme transformation. Once synonymous with processing power in the data centre, it’s now engrained in almost every aspect of daily life, at home and at work. That’s resulted in a change to the threat landscape.
Once a rarity, cyber-security incidents are now unremarkable and managing the risks associated with them has become part and parcel of running an organisation, rather than merely an issue for the tech team.
For many healthcare providers, the challenges of implementing effective cyber-security practices are exacerbated by the legacy solutions that are still in use – aging equipment and core infrastructure that can be difficult to patch and protect.
Getting the board on board
Unfortunately, executive-level discussion about cyber risks tends to revolve around fear, in many healthcare organisations. Attention is typically focused on the dire implications of an attack and the fallout it could cause.
Often, security professionals will present alarming data about the rates of attack and the extent of potential damage. Their overriding message is that, if everything is not fixed quickly, the organisation could find itself in real trouble.
A more constructive focus would be on how, beyond reducing the threat level, becoming proactive about cyber-security can benefit a hospital or healthcare organisation more broadly, by bolstering its reputation for integrity and care. Both are key criteria for Australians when purchasing health services in a competitive market.
Health sector leaders also need to consider cyber risk from a legal perspective. In common with other organisations, healthcare providers need to comply with the Australian Privacy Principles laid down by the Office of the Australian Information Commissioner.
Practices which treat patients from EU countries are also subject to that bloc’s stringent GDPR regulations, which extend to all organisations that hold the personal data of EU citizens, regardless of geographic location.
Healthcare executives also have a duty to manage the level of cyber risk faced by their organisation, and should keep the reasonableness test front of mind when assessing their planned level of action.
This is important because risk reduction steps that would be deemed reasonable today are very different from what they were 10 years ago. Decision makers need to ensure their responses are evolving over time and commensurate with current threat levels.
A problem for the institution, not the IT department
Viewing cyber security as a technology problem, rather than a governance problem, is a mistake. Healthcare organisations which take that approach and postulate that the purchase of another new piece of technology will solve the problem perpetrate the myth that it’s possible to buy your way to safety.
And a myth it is. While products are clearly an essential piece of the security puzzle, it’s vital healthcare organisations develop much broader strategies to deal with rising threat levels.
Creating a multi-disciplinary team comprising representatives from across the organisation is the best way to ensure all aspects of cyber risk are assessed and each division or business unit is aware of its role, both in mitigation and response, should an incident occur.
Time to act
The danger to organisations posed by hackers and cyber-criminals is real and rising. Threats are becoming increasingly targeted and sophisticated, according to advice released by the Australian Cyber Security Centre in 2019. Business leaders surveyed for PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report flagged cyber-crime as the most disruptive economic crime of our era.
Taking an enterprise-wide approach to cyber-security, led by senior administrators and clinicians, will help mitigate the risk for healthcare providers prepared to put the issue on the agenda in the boardroom as well as in the IT shop.