The healthcare sector continues to be the most targeted industry in Australia, accounting for 15% of all data breach notifications in the Office of the Australian Information Commissioner's (OAIC) latest data breaches report. These attacks can lead to serious breaches of sensitive hospital and patient data with widespread implications. With targeted attacks on the rise, it's vital for security professionals in the industry to understand their responsibilities towards cyber security and how those responsibilities will shape critical infrastructure.
In this blog, we’ll examine the current state of incidents affecting Australian hospitals and healthcare providers, highlight some cyber security challenges security professionals are facing and look at the regulations and guidelines proposed by the Australian Government to help protect the healthcare sector from emerging threats.
According to the Australian Cyber Security Centre (ACSC), there was an 84% rise in cyber attacks on the healthcare industry in Australia between 2019 and 2020; however, the true number could be even higher. An ongoing challenge is that these attacks are often difficult for hospitals and technology service providers to detect: many involve long-lasting persistence techniques, with threat actors taking their time to dig into systems and data in support of their targeted objectives.
One of the most serious recent examples was an incident affecting a healthcare provider in 2022. Threat actors demanded a $10 million ransom from a health insurance provider for the return of sensitive patient information. With almost 10 million customers impacted, the breach was a huge wake-up call, showing the dire need for an overhaul of information and privacy protections in the industry.
The healthcare sector is a lucrative target for threat actors due to the wealth of valuable data held in healthcare systems and applications, including confidential patient files and market-sensitive financial records. Securing personal and sensitive data is one of many challenges security professionals face on a daily basis. Some other key cyber security challenges in healthcare include:
The Australian government has released a new cyber security strategy that aims to introduce more rigorous regulations to protect personal data. The plan is set to take effect by 2030 and will include widespread measures to protect all Australian industries. As part of these reforms, the Australian Cyber and Infrastructure Security Centre (CISC) has recently published advisory information for critical infrastructure sectors, including the medical and healthcare sectors, providing guidance on effectively managing the risks associated with the operation and ownership of critical infrastructure assets. The new obligations and regulations proposed include:
A primary purpose of these reforms is to improve risk management, prevention and resilience against the ever-growing and increasingly sophisticated attacks on critical infrastructure. By facilitating collaboration between the government, regulators and healthcare providers, the government hopes to ensure that vital services and sensitive data are protected.
When it comes to critical infrastructure, security is a shared responsibility. While the government is taking action, Australian healthcare providers need to quickly improve their controls to keep up with growing cyber threats and, likewise, to meet the new regulations aimed at the same goal.
At InfoTrust we offer consulting and advisory services to help uplift your security program, increase your capacity to meet any future mandatory legislative standards, and introduce and operate effective Information Security Management Systems.
If you are a professional in the healthcare sector and would like to know more about developing good risk management practices, join our virtual session on Thursday, 28th September 2023.