The COVID-19 pandemic has fundamentally shifted the cyber threat landscape for Australia’s health sector.
The Australian Cyber Security Centre (ACSC) reports an 84 per cent increase in the number of cyber security incident reports relating to the health sector between 2019 and 2020.
As custodians of vast volumes of highly sensitive information, the industry continues to find itself at the mercy of cyberattacks that paralyse systems until a ransom is paid — threatening the security of patient data and jeopardising the delivery of care.
As the transition online continues to gain momentum in healthcare — most notably with the extension of support for telehealth services announced last month — new points of vulnerability are emerging, further exposing the industry and intensifying risk.
While the expansion of telehealth services was introduced during the height of the pandemic to help reduce community transmission and protect patients and healthcare workers, it’s likely to remain a permanent feature of Australia’s healthcare system. There’s now work to be done to ensure this change doesn’t come at the expense of patient privacy and data security.
What’s more, beyond the protections and best practice that can be put in place to help defend providers from the threat of cyberattacks, there is also a considerable program of work that must be deployed to effectively manage the aftermath of an attack or data breach and restore the reputation of the impacted provider.
The expansion of telehealth and the implications for security
In its transition to telehealth, much of the healthcare industry is rapidly adopting a cloud-first model within its IT infrastructure, and the security of these systems must evolve accordingly to reflect modern healthcare services. Yet many in the industry continue to operate legacy Internet of Things (IoT) devices with inherent security risks that are well understood and readily exploited by cyber criminals.
The security of telehealth solutions will depend on many factors, including the configuration of the solution (e.g., on-premise, SaaS-based), data storage locations, authentication, video encryption, video recording and integration with electronic health record (EHR) systems.
Many of these solutions are SaaS-based, which, for the uninitiated, makes it more difficult to obtain a complete understanding of how well the solution is secured.
For healthcare providers looking to make telehealth services a permanent fixture of their offering, it is essential they have a good third-party risk assessment program to ensure all security risks are considered from the start, and contracts with third-party vendors are reviewed for security-related provisions and general terms and conditions.
What’s at risk – beyond a cyberattack
What’s been observed from recent healthcare attacks is that once the “news” value of the incident dies down, little is said about what goes on in the aftermath to effectively mitigate the longer-term impacts for the provider involved.
In terms of the financial costs, the average total cost of a data breach in Australia in 2020 was estimated to be AU$3.35 million — or AU$163 per lost or stolen record — an increase of 9.8 per cent year-on-year. Yet, beyond the impact to a provider’s bottom line, the loss of consumer confidence and trust, while harder to quantify, can be even more devastating and long-lasting.
According to a 2020 survey on consumer privacy sentiment, data security breaches are now Australians’ biggest concern, with nearly 90 per cent considering privacy extremely or very important when choosing a digital service. Identity theft and fraud, and data security and data breaches, were cited as the two biggest privacy risks by Australian consumers.
Providers should keep in mind that for data-rich sectors like healthcare, consumer confidence and trust are based not solely on the services provided but also on the belief that personal information is adequately safeguarded. Providers must take steps to ensure this is the case.
The outlook for healthcare
While many healthcare providers have ramped up investment in their people, technology and general security measures, the capabilities of cybercriminals continue to outpace these efforts.
Threat actors are also changing the ways in which they gain access to health systems — whether through a phishing link, a third-party vulnerability or a misconfigured system — each of which can be used to exploit known weaknesses in an organisation’s defences.
Between January and March 2021, we have identified ransomware as the top threat incident type impacting the health sector in the APAC region, with phishing links used most commonly as a way for attackers to gain access to systems.
The ability to detect and respond to a ransomware attack in a timely manner can lessen the impact of, and in some cases even thwart, an attack.
While it’s not possible to completely prevent a ransomware attack from occurring, it’s critical that health providers plan for worst-case scenarios. This should include having an incident response plan that is practised and updated regularly, as well as putting in place key controls that can help reduce the potential risk and impact, including:
- Patching vulnerable systems
- Ensuring viable backups
- Enabling multifactor authentication
- Ongoing awareness and education of practice staff around cyber risks
As the gatekeepers of patient records and sensitive data points, the healthcare industry plays a fundamental role in ensuring the privacy and security of patient health information. Addressing cyber risk must form part of good governance for all Australian providers.