Cyber Security in The Australian Healthcare Sector
The healthcare sector continues to be the most targeted industry in Australia, reporting 15% of all data breach notifications in the Office of the Australian Information Commissioner’s (OAIC) latest data breaches report. These attacks can lead to serious breaches of sensitive hospital and patient data with widespread implications. With targeted attacks on the rise it's vital for security professionals in the industry to understand their responsibilities towards cyber security and how it will shape critical infrastructure.
In this blog, we’ll examine the current state of incidents affecting Australian hospitals and healthcare providers, highlight some cyber security challenges security professionals are facing and look at the regulations and guidelines proposed by the Australian Government to help protect the healthcare sector from emerging threats.
Cyber Attacks Against Australian Hospitals
According to the Australian Cyber Security Centre (ACSC) there was an 84% rise in cyber attacks in the healthcare industry in Australia between 2019 and 2020 however the true number could be even higher. An ongoing challenge is these attacks are often difficult for hospital and technology services providers to detect; many attacks involve long-lasting persistence techniques, with threat actors taking their time to dig into systems and data to assist in supporting targeted objectives.
One of the most serious recent examples was an incident affecting a Healthcare provider in 2022. Threat actors demanded a $10 million ransom from a health insurance provider for the return of sensitive patient information. With almost 10 million customers impacted, the breach was a huge wake-up call, showing the dire need for an overhaul of information and privacy protections in the industry.
Cyber Security Challenges in the Healthcare Sector
The healthcare sector is a lucrative target for threat actors due to the wealth of valuable data held in healthcare systems and applications, including confidential patient files or market-sensitive financial records. Securing personal and sensitive data is one of many challenges security professionals face on a daily basis. Some other key challenges of cyber security in Healthcare include:
- End-of-Life Systems - End-of-life systems such as networked medical equipment and workstations are frequently used by healthcare companies due to the high costs and complexities of transitioning to modern solutions. These systems often have outdated, weak or non-existent security measures and are more susceptible to exploit.
- Compromised Third and Fourth Parties - healthcare organisations often collaborate with various third-party vendors and partners, such as medical device manufacturers, insurance providers, and research institutions. These interactions create vulnerabilities and points of leverage for many threat actors, with these partners storing, processing or transmitting sensitive patient data or disrupting critical healthcare services.
- Hybrid Cloud Threats - with more healthcare companies using cloud services for IT solutions, the misunderstanding of roles and the shared responsibilities required through the adoption and consumption of third-party services are frequently misunderstood, and whilst network and operating system security becomes less visible through the increased consumption of externally hosted services the need to provide security controls remain critical.
- Limited Budget - healthcare providers, as with all organisations and agencies, have limited budgets to manage cyber security risks due to competing financial priorities including patient care and equipment upgrades. Fragmented IT services and ownership of security control can be expensive to acquire and maintain. This fragmentation often leads to higher operational costs, decreased productivity, and a lack of effective and targeted provision of security controls.
- Lack of awareness - the lack of awareness about IT and cyber security in healthcare organisations can be attributed to factors such as limited training and awareness activities for staff, a focus on patient care over IT services and security, and a surprising misconception healthcare data is not a primary target. This can result in inadequate investment and preparedness for cyber threats.
What is the Australian Government Doing?
The Australian government has released a new cyber security strategy that aims to introduce more rigorous regulations to protect personal data. The plan is set to take effect by 2030 and will include widespread measures to protect all Australian industries. As part of these reforms, the Australian Cyber and Infrastructure Security Centre (CISC) has recently published advisory information for critical infrastructure sectors including the medical and healthcare sectors; providing some guidance for effectively managing risks associated with the operation and ownership of critical infrastructure assets. A number of new obligations and regulations proposed include:
- CIRMP Obligations - the Security of Critical Infrastructure Risk Management Program (CIRMP) rules outline specific requirements that must be included within critical infrastructure, including cyber and information security hazards such as the improper access or misuse of information or systems.
- The SOCI Act - the government has made amendments to the Security of Critical Infrastructure Act 2018 (The SOCI Act) to strengthen the security of critical infrastructure by extending the sectors and assets classes it applies to; healthcare and medical is one of the eleven sectors now subject to an enhanced regulatory framework.
A primary purpose of these reforms is to improve risk management, prevention and resilience against the ever-growing and sophisticated attacks on critical infrastructure. By facilitating collaboration between the government, regulators and healthcare providers, the government is hoping to ensure vital services and sensitive data are protected.
How to Improve Your Maturity
When it comes to critical infrastructure, security is a shared responsibility. While the government is taking action Australian healthcare providers need to quickly improve their controls to keep up with growing cyber threats and similarly meet new regulations aimed to do the same.
At InfoTrust we offer consulting and advisory services to help uplift your security program, increase your capacity to meet any future mandatory legislative standards, and introduce and operate effective Information Security Management Systems.
If you are a professional in the healthcare sector and would like to know more about developing good risk management practices join our virtual session on Thursday, 28th September 2023.
To register click here.
see our
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches is gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collect, store, and share more and more data. And, amongst that data is personal information. With the OAIC marking this year’s Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it’s time for us all to review how we protect our customers’ personal information.
We're Here To Help