Keeping health care cyber safe
Health care is facing a crisis of cybersecurity. To ignore it might prove fatal for trust — for both patients and healthcare professionals. As cyber professionals, we know the pandemic has created enormous opportunity for cybercriminals to target healthcare systems and they are being helped by the current assumption that Australian healthcare organisations don’t need to focus on cybersecurity as a priority.
It is possible to thwart the threat of cyber attackers, but to do so healthcare providers need to acknowledge there is a problem facing their sector.
2020 saw emergency deployments of technology to keep Australians safe and healthy, ranging from contact tracing apps to telehealth services to remote working systems for non-patient-facing staff.
However, what hasn’t been evident is focus on protecting the sector’s vulnerability to cyber attack. We saw in the latest breach report by the Office of the Australian Information Commissioner (OAIC) that health was once again the highest reporting sector with 22% of the 518 notified breaches.
Malicious or criminal attacks caused 40% of health sector reported data breaches, while 57% resulted from human error (65 notifications). This is just the tip of the iceberg, as many breaches go unreported and also these figures don’t include the My Health Record scheme, which has separate notification requirements.
Following a warning from the Australian Cyber Security Centre (ACSC) that cybercriminals can cause severe service disruption to hospitals, with two significant threats identified, now is the time to act.
Learning a deadly lesson
America’s Universal Health Services (UHS), which has more than 400 locations mostly in the US, was hit with a cyber attack in late September 2020 — described as one of the largest attacks against a medical service provider in US history. As UHS systems failed, some hospital staff were reduced to recording patient information with pen and paper, while online medication systems were inaccessible. Reports of the incident quoted a source as saying the attack “looks and smells like ransomware”.
Cyber attacks on hospitals can prove to be deadly. The UHS attack was preceded by a cyber attack on a German hospital in mid-September that led to a patient dying. Duesseldorf University Clinic was infiltrated by a hacker that caused the hospital’s IT systems to gradually crash. The hospital could no longer access data and an incoming patient with a life-threatening condition had to be redirected to another hospital over 30 km away. The patient died due to the delay in receiving care. Local prosecutors launched an investigation against the unknown perpetrators of the attack on suspicion of negligent manslaughter.
We saw the Victorian healthcare system falling prey last year to a ransomware attack that shut down administrative systems in nearly a dozen regional centres. While security staff disconnected the systems from the internet and scrambled to isolate the ransomware, the impact hit staff and patients over days.
Following the attack, a review of the Victorian health services’ security found that all were vulnerable to the theft or alteration of patient data. Yet despite the state government’s ongoing efforts to improve cybersecurity response, a review of health services’ recent annual reports found that cybersecurity is still not an executive priority.
This clearly needs to change.
A tonic to prevent cyber issues within Australian health care
How can Australian healthcare providers better respond to cyber threats and avoid making the same mistakes? The OAIC recommends a four-step process: contain, evaluate, notify and review. The containment step involves taking any action necessary to stop the breach. Activate the data breach plan (you do have one, don’t you?), then stop the unauthorised practice, recover the records or disconnect the system that was breached.
Modern security solutions are being powered by artificial intelligence (AI), machine learning (ML) and automation to provide superior cyber threat prevention and remediation. This means that threats can be contained before they execute (even if they’ve never been seen before), and that tablets and other mobile devices used by healthcare staff can be better protected.
With the increased volume and variety of enterprise IoT endpoints and as the scale of cyber threats continues to grow, AI-driven security solutions provide a consolidated, simplified endpoint security and management offering to reduce cost and complexity in a chaotic environment.
The second step in ensuring healthcare IT environments are secured effectively involves evaluation of what was breached and the likelihood of physical, psychological, emotional, financial or reputational harm and any remedial actions required.
The notification step requires promptly contacting affected individuals and notifying the OAIC.
The review stage involves investigating the cause of the breach and modifying procedures as needed, to guard against future attacks. Outside help should be called in if necessary, such as seeking advice from the ACSC in developing and tweaking cyber incident response plans.
2020 has been a pivotal year for healthcare organisations trying to maintain business continuity, while undergoing digital transformation and workplace upheaval — all while focusing on maintaining quality of patient care in the face of an extreme health crisis.
Healthcare providers cannot afford to make securing operations a secondary priority any longer. While patient care should, and will, remain the number one priority, part of that is ensuring cyber threats and data breaches do not prevent frontline staff from continuing to deliver patient services.
Technology is playing a significant and positive role in the aged-care space. ACIITC's report...
Innovative products like HomeGuardian can bridge the 'care gap' and transform the...
Businesses and aged-care facilities in Australia and New Zealand will be able to operate with...