According to the Office of the Australian Information Commissioner (OAIC), the health sector reported the most breaches under the Notifiable Data Breach scheme, making up 23 per cent of all breaches from July to December 2020.
For more evidence of the fragile state of cybersecurity in healthcare, we need to look no further than the cyberattack on hospitals in Melbourne in March this year.
The healthcare sector suffers from the twin threats of possessing highly valuable data and lagging cybersecurity measures, which makes them an extremely attractive target for malicious threat actors. The pandemic has only made matters worse, with hackers pouncing on healthcare organisations already creaking under the pressure of increased demand and tighter budgets. Any disruption to vital healthcare services can put lives in jeopardy, making the consequences of any attack that much more severe.
Why cyber threats to healthcare are so dangerous
Cybersecurity in the healthcare sector is unique due to the type of data at risk and the consequences for patient safety. If a credit card number is stolen, the bank can cancel the card, issue a new one, and reimburse the victim for any damages. However, when a patient’s Protected Health Information (PHI) is stolen, they can’t change their date of birth, blood type, or health condition. Any unauthorised changes to this information, or its theft, can directly threaten a patient’s life.
This also makes PHI a very valuable prize for an attacker. Stolen PHI can be used for anything from identity theft to medical scams to insurance fraud. In fact, a person’s PHI can be 10 times more valuable on the dark web than their credit card information.
And that’s just when data is stolen. Cyberattacks that delay and disrupt hospital operations directly endanger patients’ lives. When the British National Health Service hospitals were attacked in the global WannaCry attack of May 2017, surgeries had to be delayed and patients diverted to nearby hospitals. 2020 saw what may have been the world’s first fatality from a cyberattack.
In the event of a ransomware attack, the question of liability is also complicated. It’s hard enough to determine the identity of the attackers, but identifying where and how the security lapse occurred is a huge challenge. The healthcare ecosystem is complex, with an intricate network of suppliers, manufacturers, service providers and third parties, any one of which may have been the source of the breach. This can lead to third parties becoming defensive and stonewalling investigation efforts. Without determining where and how the breach originated, it can be next to impossible to fix the issue.
Why healthcare infrastructure is so vulnerable
The healthcare sector has a unique set of risks that other industries don’t have to deal with. In other fields, such as the financial sector, cyberattacks have been a well-known threat for decades, and most organisations in that space already have established policies and dedicated resources for cybersecurity. The healthcare sector is new to the digital space and is still in the early stages of digitisation. That also means there is relatively low awareness of cybersecurity risks among the people working in the sector. According to the OAIC, healthcare leads the pack in human error breaches, with more than twice the number reported compared to the next-highest sector (government). The government, through the Australian Signals Directorate and the ACSC, has also stepped up efforts to support the healthcare sector through pre-emptive threat advisories and closer collaboration with the Department of Health.
Couple that with historically low investment in technology and we can see why the healthcare sector struggles with cyber risk. And yet, medical technology continues to evolve much faster than IT systems in hospitals and clinics. There are already thousands of IoT medical devices in use in healthcare facilities across the country, running on clunky and aging technology infrastructure.
Connected medical devices introduce a host of vulnerabilities in a hospital’s cybersecurity, especially when there’s a lack of uniform cybersecurity standards for both medical devices and healthcare IT systems. Healthcare organisations also need to have some degree of data interoperability in order to share health records across multiple organisations, which creates even more security gaps.
Recommended approaches to cybersecurity in healthcare
While implementing effective cybersecurity in healthcare organisations can seem impossible, there are concrete steps they can take to minimise their exposure to cyber threats.
Invest in a strong IT foundation and infrastructure
At the very least, healthcare organisations need to have a stable application base and IT setup that complies with government regulatory requirements and supports a baseline IT infrastructure. “IT infrastructure” in this context means any related resources and services used to deliver and support healthcare IT services (e.g., hardware platforms, software applications, operating systems, networking and telecommunication tools).
Adopt a preventive and proactive mindset
Healthcare organisations need to accept that cyberattacks are inevitable. Prevention is better than cure, and the practices below are proven ways to minimise the risks of a cyber incident. Even better, these measures don’t need to be expensive.
Risk management – cybersecurity should be a part of your organisation’s overall business risk management process
Vulnerability management – regularly identify, evaluate, treat, and report security vulnerabilities in your system
Patch management – keep all software on devices and systems patched with the latest security updates
Administrative privileges and multi-factor authentication – give users the minimum levels of access/permissions needed to perform their job function, and require multi-factor authentication for access
Incident response plan – develop one and review it annually
Commit to training and awareness
Humans are the weakest link in cybersecurity. Regular awareness training should be mandated for all employees, from clinicians to billing and scheduling staff, to caregivers who connect their personal devices with the hospital network. Decision makers should enforce the proper policies and factor in cybersecurity in their purchasing decisions. This won’t guarantee bulletproof cybersecurity, but will dramatically reduce the risk of a cyber incident.
Healthcare cybersecurity needs to be viewed as a business concern
Building a hospital’s cyber resilience is vital, and cyber risk is an operational risk that management cannot afford to ignore. Policies start at the top, and cyber risk is a very real business risk that can bring entire hospitals to a standstill and endanger the well-being of both patients and staff. It must be a part of every healthcare organisation’s risk assessment process and be allocated enough budget to ensure not just adequate cybersecurity, but also enough cyber resilience to keep critical operations running even in the event of an attack.
It is ultimately a shared responsibility, but the vision and policy need to be championed by executive leadership for a cybersecure culture to take root. Cyber adversaries are setting their sights on our healthcare system, and as it stands, there’s precious little standing in their way. The only way forward is an infrastructure-wide overhaul of security practices across the sector, but right now, it is up to individual organisations to take the appropriate steps to ensure the safety of their patients, their staff and their organisation.