As healthcare becomes increasingly digitised, cyber criminals are looking to take advantage, writes Rupert Taylor-Price.
Earlier this month, Victoria’s second largest public health service, Eastern Health, was the target of a cyber attack that forced three major hospitals to postpone surgeries and shut down IT systems.
It comes after the Australian Cyber Security Centre (ACSC) late last year issued a stark warning to local health providers that their sector is under attack.
For healthcare and life-sciences institutions, the attack on Eastern Health was far from an isolated incident.
According to the Office of the Australian Information Commissioner (OAIC), the health sector reported the most breaches under the Notifiable Data Breach scheme, making up 23 per cent of all breaches from July to December 2020.
The sector suffers from a combination of highly valuable data and lagging security measures, which have drawn a wide range of threat actors into the fold.
The coronavirus pandemic has only exacerbated this, as hackers have been pouncing on healthcare organisations that have even fewer resources than usual. This is a treacherous scenario considering cyber incidents within healthcare can impede practitioners and put lives at risk.
A more sophisticated landscape
Alongside a greater number of exploits, threats are also becoming more sophisticated and complex, with hackers more strategic and considered. Highly advanced toolsets are used to target even smaller and more vulnerable networks where data can be more easily siphoned.
Threat actors are coming from a variety of backgrounds and could have multiple motives. Nation-state hackers and those working for organised criminal syndicates are increasingly prolific, breeding an ambiguous blend of financial, geopolitical or ideological motives.
Healthcare as an industry is being targeted in new ways. While phishing and credential theft are common, ransomware is also becoming a huge issue – specifically for aged care. This has been evidenced by high-profile attacks on Regis Healthcare, the Gippsland Health Alliance and Anglicare Sydney.
With the rise of more advanced exploits, and ambiguously-motivated attackers, healthcare institutions need to up their game when it comes to security posture. It’s no longer the case that hackers are just trying to make a quick buck from large, wealthy private organisations – they could just be out to cause harm.
As attacks on the healthcare industry grow and become more sophisticated, the data regulation and compliance landscape surrounding it looks set to tighten.
As part of the federal government’s cybersecurity framework, a consultation paper was launched recommending amendments to the Security of Critical Infrastructure Act that would expand the law’s definition to include more industries, including healthcare.
This would likely encompass hospitals, healthcare providers and life sciences organisations and possibly medtech vendors, as tech is also part of the list.
Rather than resist these incoming changes to legislation, healthcare providers should embrace them as an opportunity to apply more rigorous data protection standards.
Developing an effective governance, risk and compliance (GRC) framework to align with the necessary legislation and ensuring it’s routinely audited is the best way forward to protect patient information. There is also no better time to pitch this to the board, with regulatory upheaval on the horizon.
Addressing the unique risks of Australian healthcare
Healthcare carries a unique set of risks that aren’t necessarily applicable to other industries. According to the OAIC, healthcare leads the pack in human error breaches by a long margin compared to other industries, with more than double the number reported compared to the next-highest sector (government). This may be due to the difficulties of healthcare providers and hospitals in obtaining necessary digital skills.
There are also many security challenges for healthcare to reckon with given the complexity of the hybrid public/private system in Australia. For instance, in addition to the risks of storing highly sensitive personal information and intellectual property, pharmaceutical companies face increasingly complex supply chain challenges that create greater vulnerabilities.
Budget constraints also plague healthcare institutions looking to heighten their cybersecurity practices. According to a 2018 national survey, community care providers reported having no budget for managing cybersecurity, with aged care providers coming in second for lowest security budgets.
In order to address these challenges, healthcare organisations need to ensure security is part of the everyday operations within all aspects of their organisation.
Rather than just instituting checkbox compliance, organisations should use incoming regulatory changes to develop a GRC framework that accounts for all third parties and supply chain partners.
This facilitates a long-term cybersecurity approach that will save a lot of headaches, while improving patient trust and wellbeing.
Rupert Taylor-Price is the CEO of Vault.