The statistics are stark: since the Notifiable Data Breach (NDB) scheme came into effect earlier this year, 63 breaches have been reported to authorities in the first two months alone. Providers of health services were responsible for almost a quarter (24 percent) of these notifications.
Most recently, a cyber attack on the Family Planning NSW website exposed the personal information of up to 8,000 clients, including women who booked appointments or sought advice about medical services. The exposed information included full names, contact details, dates of birth and the reason for their enquiry.
Healthcare organisations are seemingly prime targets for cybercriminals because of the wealth of personal data they possess and process, as well as the sensitive nature of their data. Taking a global look, the healthcare industry has been hit hard by cyber attacks in other countries, too.
The ransomware outbreak in 2017 caused by the WannaCry malware impacted both the UK National Health Service as well as over 40 general practices, locking medical practitioners out of critical patient data. Incidents like these shine a light on the potential implications of such an outbreak in Australia.
With the Australian government pursuing its “My Health Record” program, unless they explicitly choose to opt out, every Australian will have their personal health details held online, and thus at potential risk of having that data compromised or stolen. In this climate, cybersecurity in the healthcare sector suddenly becomes that much more critical for everyone in Australia.
Digital health in Australia
Australia is currently on a fast track to overhauling its digital health strategy. The government is beginning a four-year plan to focus on a patient-led healthcare system in 2018, starting with the rollout of the National Digital Health Strategy.
“My Health Record” already has over 5.77 million people signed up, with over 5.58 million clinical documents held in the system. The amount of health-related data stored by the system is phenomenal, and holds the potential to transform Australia’s healthcare system. However, it is imperative to make sure this rapid transformation is done securely.
The benefits of medical technology & connected devices
The positive impact of digital transformation on Australia’s healthcare system makes its rapid adoption virtually irresistible. As Australia shifts towards a national online health database, we mustn’t overlook the role of networked devices which are making the patient experience seamless.
Connected medical devices can monitor the current condition of a patient and notify healthcare providers, family members and the patients of critical changes; problems can be identified and addressed remotely. Appointments and procedures can be scheduled on-demand, and medical records kept up-to-date and accessible to those who need them.
However, with the astronomical growth of connected medical devices comes a growing risk of new threats and vulnerabilities. These devices are now part of the expanding attack surface and can be leveraged as a potential attack vector. Just like any other connected IT or IoT device, networked medical devices must be regularly scanned to ensure continuing safety and security for patients and their data.
Secure health records for everyday Australians
It’s now imperative that Australian healthcare businesses, large and small, protect themselves from the new threats created by this emerging technology.
Cyber exposure is essential to understanding where organisations are exposed, to what extent and what they can proactively do to reduce their exposure, This starts with knowing what’s on the network. With connected medical devices and IoT now part of healthcare as we know it, simply knowing how many assets an organisation has and where they’re located becomes more difficult.
Cyber exposure provides organisations with holistic visibility across their attack surface, enabling them to prioritise their remediation efforts based on asset criticality and potential business risk. After all, one compromised, high-value system, can lead to a major breach.
Businesses, consumers and the industry at large need to ensure that they are aware of the potential risk for data loss and theft, and take suitable measures to prevent this from happening.
Act now to keep Australia’s health data secure
The message is clear: in order to protect itself and patients, the healthcare industry needs to implement a holistic security approach to manage, measure and reduce cyber risk across the modern attack surface.
A good starting point for healthcare businesses looking to increase cybersecurity is the Australian Signals Directorate (ASD). The ASD has published a cybersecurity baseline known as the “Strategies to Mitigate Cyber Security Incidents” aka the “Essential Eight,” which is a prioritised list of initiatives recommended for every Australian business to enhance their cyber security.
Businesses in the healthcare industry, like others, should implement all the essential eight directives to ensure good cyber hygiene across their organisation.
Knowing your network, understanding and reducing your attack surface and continuously monitoring it for vulnerabilities is an absolute must for the healthcare industry in Australia to protect vital industry and patient data, helping us work towards a more secure digital health system.
Article by Tenable A/NZ country manager Bede Hackney.