Cybersecurity is everyone's responsibility
By Deana Scott, Cybersecurity Community of Practice Chair, Australasian Institute of Digital Health
Monday, 28 March, 2022
Health care continues to become increasingly digitised with an ever-expanding range of infrastructure options, technology platforms and devices being implemented and accessed both internally and externally by hospitals and healthcare organisations. Across the globe, the pandemic has seen the speed of digitisation in care delivery accelerate, with many organisations being caught off guard by legacy infrastructure, poor systemisation and a need to rapidly pivot in response to daily announcements and infection rates.
The challenge now is how do healthcare organisations continue to respond with a secure approach to ensure the sector doesn’t suffer a virtual pandemic due to the opportunistic actions of malicious actors?
Health care has continued to hold first place in the biannual notifiable breach reports and therefore is a top concern for the Office of the Australian Privacy Commissioner (Office of the Australian Information Commissioner, 2022). Of significance, compromised credentials made up 60% of reported cyber incidents, highlighting the need for greater awareness and responsibility in protecting user profiles. Ransomware is in third place and the impact of such an attack can severely disrupt the delivery of care and, consequently, patient safety.
Consumer confidence is crucial to the reputation and sustainability of any organisation and will become a significant metric as health care makes its slow but incremental progress towards value-based care. This brings us back to the question of how health care continues to leverage technology while mitigating the potential for a cyber attack and retain consumer confidence in delivery of care. The answers lie in a two-pronged approach, one that involves accepting that cybersecurity is at the intersection of people and technology. It is a symbiotic relationship, like hardware and software.
Internal as well as external stakeholders must be engaged in any cyber strategy and they are key to mitigating cyber incidents. It requires a ‘whole of organisation’ approach with cyber hygiene protocols embedded into agreements, contracts and onboarding and offboarding activities for staff, contractors and suppliers.
The OAIC Notifiable Breaches Report July to December 2021 (Office of the Australian Information Commissioner, 2022) again highlighted the increase in human error breaches. It is no longer accepted that cyber hygiene protocols be the sole responsibility of the IT department or require a technical ‘fix’. There is a broader problem embedded across health care of abdicating one’s responsibility by proxy.
The Australian Digital Health Agency (Australian Digital Health Agency, 2022) website states: “Everyone involved in providing and supporting healthcare plays a role in maintaining the privacy of people’s information that healthcare provider organisations hold. This means making sure everyone is secure in their online behaviours, both at work and at home.”
As a board member, director or individual, there are mandatory legislated responsibilities that must be adhered to in the collection, use and disclosure of personally identifiable information (Office of the Australian Information Commissioner, 2019), more so when it comes to healthcare information. Federally, and at state level, PII is legally protected, and it is therefore essential this data have strong governance and controls applied. A documented cyber response plan (CRP) and business continuity plan (BCP) can serve an organisation well as was demonstrated by Eastern Health when it became victim of a cyber incident. In its media release on 17 March 2021 (Eastern Health, 2022), Eastern Health outlined their response and ensured that consumer confidence was maintained by confirming patient safety was not impacted and within six weeks had returned to normal services.
Implementing an organisation-wide dedicated cyber strategy is a significant undertaking and it requires an acceptable level of funding and dedicated resources. For smaller healthcare organisations, these strategy and response plans don’t need to be onerous, but they do need to be in place, however brief. Not having a documented plan in place may impact insurance excesses and increase the severity of fines in the event of a cyber incident.
As an individual working in the healthcare sector with (or without) access to personally identifiable information, any breach in your own infrastructure (smart phone, laptop, etc) is a potential risk to the work environment as well.
We should all be aware of the risk from emails (phishing attacks, attachments with malicious functionality, requests for information) or of inserting and/or opening unknown storage devices (the USB you find the in carpark). However, the seemingly innocuous discussion in the lift, or social media post that reveals sensitive information about the work environment, the text message about a parcel delivery or downloading a cat video out of curiosity can all be used by a malicious actor to breach defences.
Stay vigilant inside and outside the workplace — don’t let curiosity kill your cyber defences.
Australian Digtial Health Agency. (2022, March 3). Cyber Security Awareness. Retrieved from Digital Health for healthcare providers: https://www.digitalhealth.gov.au/healthcare-providers/cyber-security/cyber-security-awareness
Eastern Health. (2022, March 3). Latest News . Retrieved from Eastern Health: https://www.easternhealth.org.au/media-events/latest-news/item/1277-media-statement-cyber-incident#media-statment-17-march-2021
Office of the Australian Information Commissioner. (2019). Australian Privacy Principles Guidelines. Privacy Act 1988. oaic.gov.au.
Office of the Australian Information Commissioner. (2022, February). https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021. Retrieved from https://www.oaic.gov.au/: https://www.oaic.gov.au/__data/assets/pdf_file/0010/12205/Final-Notifiable-Data-Breaches-Report-Jul-Dec-2021.pdf
Office of the Australian Information Commissioner. (2022). Notifiable Data Breaches Report July to December 2021.
The Australasian Institute of Digital Health works to support the digital health workforce to implement and understand issues around cybersecurity and ultimately offers thought leadership on the topic through its Cyber Security Community of Practice. Find out more at www.digitalhealth.org.au.
If you close your eyes and picture the hospital of the future, a few images may spring to mind....
Cyber breaches in Australia’s healthcare industry are rising fast compared to other...
More than ever, hospitals and other organisations in the healthcare ecosystem depend on network...