The health sector has increasingly embraced digital solutions to improve patient care and maximise operational efficiencies. The last few years have seen the widespread adoption of Electronic Medical Records, the Internet of Medical Things, and wearable devices.
This activity was significantly accelerated during the COVID-19 pandemic, with a substantial increase in the use of telehealth and remote health care technologies.
And yet, as the world turned increasingly towards the health industry, the industry found itself facing a significant amount of cyber attacks. For the period of June to December 2020, the health sector faced more cyber attacks than any other, according to the OAIC's latest report. There were also a number of high profile cyber attacks, including those targeting vaccine development facilities and hospitals.
The Australian Cyber Security Centre considers the Australian health sector to be particularly vulnerable to such attacks, due to outdated infrastructure, the pressure of budgetary constraints, and the proliferation of internet-connected devices. Despite the high-tech nature of some cyber attacks, humans remain the prime targets.
Given the personal nature of information stored by healthcare organisations, cyber security is particularly critical.
Privacy breaches in health care can cause a loss of trust in the therapeutic relationship, reputational harm to the organisation and clinicians, and anxiety for patients.”
Sonja Read, Partner
Legislative and regulatory impacts on the health industry
On 12 December 2019, the Australian Government announced that it would review the Privacy Act to ensure that it empowers consumers, protects their data and positively services the Australian economy. The Review has identified a number of issues that go to the heart of the current privacy regime in Australia. Several of these directly impact the healthcare industry, including:
- A review of the scope of ‘Personal Information’
- An expansion or restriction of Permitted Health Situations
- New legal claims for breaches of privacy.
The Security Legislation Amendment (Critical Infrastructure) Act 2020 (Cth) (SOCI Act) requires certain ‘critical infrastructure assets’ to be included on a national register for reasons related to national security. Currently, only the electricity, gas, water and maritime ports sectors are affected. However, a new Bill will, if passed, require controllers of health and medical critical infrastructure assets as well (such as hospitals) to register those assets and comply with certain security obligations, including cyber security.
Many health insurance companies will be required to adhere to the Financial Accountability Regime (FAR). For these companies, boards and executives could face personal liability for breach of their obligations under section 180 of the Corporations Act if they fail to exercise their powers and discharge their duties in ensuring an appropriate standard of cyber security and cyber resilience.
Eight key steps for health providers to mitigate cyber risk
There are important steps that health service providers can take to mitigate the risk of a cyber attack. These include:
- Build employees' security awareness through the Commonwealth Government’s Digital Health Security Awareness eLearning course
- Install antivirus protection on all endpoint devices
- Require user authentication including strong passwords and multi-factor authentication
- Ensure that systems are regularly patched to prevent malicious actors from exploiting known security vulnerabilities
- Identify and back up critical information and systems to allow for faster recovery of data after an attack
- Restrict user rights to ensure only necessary individuals have access to particular servers, systems or datasets, and off-board users when they move roles
- Where a health service provider operates in a public space (such as a hospital), partition the provider’s networks
- Conduct privacy impact assessments for new projects or processes involving patient information.
Our report, Perspectives on Cyber Risk 2021, explores the trends and impact of cyber risk, and looks at ways for organisations to manage their cyber security.