Five reasons why COVID-19 has left the health sector vulnerable to cybercrime

An industry white paper published by cybersecurity firm Kroll explores the impact of COVID-19 on the healthcare industry’s cybersecurity landscape and shares best-practice guidance for healthcare providers.

The risk landscape resulting from the pandemic is characterised by five key vulnerability points:

• Rapid shift to remote working
• Expansion of telehealth
• Workforce under pressure
• Interoperability
• PPE shortages
   

A rapid shift to remote working, the expansion of telehealth services and a workforce under increased pressure — all triggered by the COVID-19 pandemic — have led to an 86% increase in healthcare data breach notification cases globally between March and September 2020.

According to the Notifiable Data Breaches Report by the Office of the Australian Information Commissioner (OAIC), Australia’s healthcare industry experienced more data breaches than any other industry, accounting for 22% of notifiable data breaches between January and June 2020.

“The sensitive nature of patient data and the criticality of healthcare systems means that they are an attractive target for cybercriminals,” said Louisa Vogelenzang, Associate Managing Director and Asia-Pacific lead for Identity Theft and Breach Notification services in Kroll’s Cyber Risk practice.

“Due to the COVID-19 pandemic, remote working and telehealth services have surged and IT providers have struggled to keep up with the demand, leaving important systems and data vulnerable.

“Healthcare providers hold some of the most sensitive data in the country and operate systems that support people’s wellbeing, so it’s important that their systems have the same level of cybersecurity we’ve come to expect from critical infrastructure.”

Vogelenzang noted that, with Australia’s healthcare industry experiencing more notifiable data breaches than any other sector, there are some key areas for improvement:

• Getting cyber hygiene basics right, which includes patching and ensuring multifactor authentication is enabled for remote access, as well as many more fundamental steps to eliminate the most common risks.
• Ensuring security awareness programs are in place and that they include how to spot and report phishing emails as well best practice for sharing sensitive information.
• Conducting reviews of third-party service providers, ensuring that they are appropriately protecting the most sensitive information and systems.
• Having an incident response plan that includes scenarios like ransomware and data breaches, practising this plan regularly through tabletop exercises, and ensuring the right partnerships are in place for support, should an incident occur.

A risky landscape

According to Kroll’s Data Breaches in the Healthcare white paper, email compromise and malware account for more than half (62%) of the incidents reported this year as of September 2020, highlighting the rising risk of human error due to changed working conditions brought about by the pandemic.

Previous reports also indicate that stolen health information — including Medicare numbers, medical insurance and credit card information — is being sold on the dark web for up to $1000.

The white paper suggests this new environment requires an enhanced security focus to ensure patient data is secure. With telehealth services likely to remain a key component of Australia’s healthcare industry, the report unpacks the implications for the security of patient information and how healthcare providers can ensure the security of their telehealth solutions.

Managing Director and Global Breach Notification Leader Brian Lapidus said, “For healthcare providers looking to make telehealth services a permanent fixture of their offering, it’s essential they have a good third-party risk assessment program in place to ensure all security risks are considered from the start and contracts are reviewed for security-related provisions, as well as general terms and conditions.”

The white paper also looks at new and changing regulatory obligations facing the healthcare industry and community expectations around how consumer data is managed and safeguarded.

“In an increasingly challenging cybersecurity landscape, healthcare providers must be prepared for a data breach to ensure they’re in the best defensible position when a cyber attack inevitably occurs,” Lapidus added.

Image credit:©stock.adobe.com/au/Gorodenkoff