Cybersecurity: what are healthcare organisations missing?
The Office of the Australian Information Commissioner (OAIC) has recently released its new Notifiable Data Breaches report for the January to June 2021 period. And once again, health care is the most affected industry when it comes to data breaches.
According to the report, the Australian healthcare sector alone accounted for 19% of all breaches reported to the OAIC. Health service providers, followed by the finance industry, have consistently reported the most data breaches of any sector since the NDB scheme began.
Those new stats come a few months after cybersecurity experts pointed out Australian hospitals were amongst the organisations that are most vulnerable to a new wave of ransomware attacks.
The examples are not lacking, as with Victoria’s second-largest public health service Eastern Health, which was targeted by a cyber attack forcing three major hospitals to postpone surgeries and shut down their IT systems.
Data protection regulations and cyber threats keep on growing, while the digitisation of healthcare services is at an all-time high as a result of the pandemic. Yet, cybersecurity, data protection and privacy as well as regulatory compliance seem to continue failing despite increased investments.
So, what are healthcare organisations missing?
It is not that cybersecurity isn’t a priority for healthcare providers; rather, there is a gap between where current investment goes and what actually needs to be prioritised.
External protections are useless if the data itself isn’t secured
When you look at the most recent cyber attack trends, in particular the rise of ransomware, data is usually the asset the attackers are after.
Investing in external protections without securing the data itself is a lost race against hackers.
Furthermore, focusing on the security of the end users, staff and infrastructure instead of the data itself at the point of capture means regulatory compliance will only become more challenging.
Healthcare leaders understand the importance of ramping up their cyber protection efforts surrounding data, but protecting data in any healthcare organisation is not an easy task.
It starts with identifying where data is at its most vulnerable, and then applying high levels of embedded security so even if the data ends up in bad actors’ hands it cannot be used.
Data transfer: one of the most overlooked risks to data health
The risk that is often the most overlooked is the security and privacy of data and files as they transit within the organisation and with third parties.
This is a challenge because healthcare providers and their partners must balance protecting patient privacy with delivering effective patient care whilst simultaneously meeting strict regulatory requirements around data privacy.
Protected health information (PHI) is among an individual’s most sensitive (and for criminals, valuable) private data. The guidelines for healthcare providers and organisations that handle, use or transmit patient information include strict data protection requirements, and those will keep on getting stricter.
From email attachments to automated machine-to-machine transfers at scale, healthcare providers face a unique set of risks that they are obliged to address with penalties for failure.
But, instead of taking proactive steps to secure data at the source — which would not only increase data security and privacy but also ease up regulatory compliance — most organisations are adding layer upon layer of security technologies.
This approach is simply ineffective if the data itself isn’t secure.
Embedded security and file encryption are no longer negotiable
Healthcare providers need to prioritise strategies and solutions where cybersecurity is embedded at the core of the data and business processes, instead of relying on users and infrastructure-based security.
Data and file encryption is the only way to achieve, and future-proof, the level of security, privacy and compliance that healthcare now requires.
Encryption means that even if the data were to fall into bad actors’ hands, it would be unusable, and thus worthless to the attacker.
A key component of a viable PHI security strategy is determining how data moves, whether carried by individual users or as part of an automated process. Best practice dictates that healthcare organisations ensure technology is deployed to encrypt that data both at rest and in transit, regardless of how it is actually transferred.
It is important Australian health organisations look at file transfer and data collection methods that can secure data during all aspects of its journey, from creation to final deletion, and invest in platforms with a level of encryption automation. This approach means organisations won’t even have to worry about changing regulations, and they can guarantee the level of security and privacy expected by patients today.
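As an added illustration of what "securing the data at the source" means in practice (this is example code written for this page, not the article's own or any vendor's product), the Go program below encrypts a patient record with AES-256-GCM before it is stored or transferred, so the transport or storage layer no longer has to be trusted. The record, its identifier and the use of a key drawn from the OS random generator are all constructed for the example; a real deployment would obtain the key from a key-management service. The checks at the end show the property the article relies on: without the correct key the blob is unusable, and any tampering in transit is detected rather than silently accepted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption for this example: in production the key would come from a KMS/HSM,
// not be generated per run.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM at the point of capture.
// The returned blob is nonce || ciphertext || tag, so it can be written to disk,
// attached to an email or pushed through any transfer job as-is.
// aad (e.g. the record identifier) is authenticated but not encrypted, binding the
// ciphertext to its context so it cannot be swapped onto another record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a modified byte anywhere in the blob, or a
// mismatched aad makes the GCM tag check fail and no plaintext is returned.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample PHI record and identifier for the demonstration.
	recordID := []byte("record-0001")
	record := []byte("patient: J. Citizen; note: post-op review scheduled")

	blob, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}

	// 1. The legitimate holder of the key recovers the record.
	got, err := Open(key, blob, recordID)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(got, record))

	// 2. An attacker who obtains the blob but not the key gets nothing usable.
	otherKey, _ := NewKey()
	_, err = Open(otherKey, blob, recordID)
	fmt.Println("wrong key rejected:", err != nil)

	// 3. A blob modified in transit is rejected rather than decrypted to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, recordID)
	fmt.Println("tampering detected:", err != nil)
}
```

Because the protection travels with the data, the same blob is equally safe on a file share, in an email attachment or in an automated machine-to-machine transfer; the channel only needs to deliver bytes, not keep secrets.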