Industry providers must act now to deflect the damage of data breaches
Cyber breaches are rising across Australia's healthcare industry faster than many others.
Yet this increasingly vulnerable sector stands apart for the dangers such attacks can pose to human life.
Cybercriminals are attracted by healthcare's large attack surface, one filled with sharing vast amounts of sensitive, time-critical information over largely aging and incohesive systems. But despite this worrying rise in attacks and the ramifications, healthcare sector managers continue to resist new government measures requiring mandatory risk management programs and reporting.
Cost, of course, is the primary argument agencies are using against the new regulations. Yet this argument needs to be reframed through the lens of much larger financial losses suffered because of a cyber attack. For the truth is, costs of mitigation strategies are relatively minor when compared to the multi-million-dollar financial outlays generally involved with detecting, dealing with and then rectifying a cyber breach in its entirety.
There is no denying cyber attacks in healthcare are on the rise. During the 2020 calendar year, the Australian Cyber Security Centre (ACSC) received 166 health sector-related cybersecurity incident reports – almost twice the 90 reported incidents received the previous calendar year.1 This marked rise prompted the ACSC to embark on an awareness raising campaign for healthcare industry executives and cybersecurity professionals around what they could do to protect their organisations, no matter how large or small, from cyber threats.
Australia's healthcare system is basically going in the same direction as the United States where cyber breaches last year cost the industry an average USD 9.23 million – the highest total average cost of a cyber attack of any industry for the eleventh year in a row.2 Almost 45 million health records were exposed or stolen in the process. 3
Not surprisingly, the US is also acting to prevent the spread of serious cyber incidents. As of March, a new US government Act has required healthcare and public health entities to report any significant cyber incident to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours, and any ransom demands within 24 hours.4
Those of us in the cybersecurity community are only too aware of the true extent of the costs and damage taking place via these spiralling incidents. It is important to know from a financial risk perspective what the overall costs could be (preventative and possible breach scenario) and how to strategically reduce these costs.
Discovering a compromised system is just the tip of the iceberg, and only lengthy and costly investigations can reveal how severely an IT environment has been compromised. For this reason, Australia's healthcare managers and IT professionals cannot continue to throw up their hands and refuse to comply with regulations now being imposed on critical infrastructure as a whole.
Some healthcare providers also need to face the fact their systems may be so archaic they are impossible to upgrade. This, of course, makes them especially vulnerable to a breach, and latest research shows that this puts them among cybercriminals' primary targets.5 Others must recognise that letting their own systems reach such a state is to be avoided at all costs.
Instead of recoiling from new mandatory cybersecurity requirements, healthcare providers need to first realise their arguments around such processes being cost prohibitive are flawed and that embracing even the simplest of cyber risk management principles is entirely possible. For example, having an incident response plan at the ready is a key step forward in the right direction. This is a straight-forward list of initial measures an organisation needs to take immediately following the discovery of a data breach. Educating staff of the common attack vectors, such as malware, viruses, email attachments, web pages, pop-ups, instant messages and text messages, and how to discern unusual activity is imperative.
Healthcare providers should also be availing themselves of official guidelines around containing and managing a breach, such as those provided by the Office of the Australian Information Commissioner (OAIC).6Joining the ACSC Partnership Program7is another highly beneficial move for any healthcare provider. This will ensure executives and cybersecurity professionals have awareness of key cybersecurity threats currently occurring in the healthcare sector.
The seriousness of damage caused by any cyber attack cannot be ignored. At the very least, healthcare providers need to take time identifying weaknesses in their technology systems and then do the work to mitigate those risks as quickly as possible.
1Australian Cyber Security Centre, 2020 Health Sector Snapshot (10 February 2021) < https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/2020-health-sector-snapshot >
2 IBM Security, Cost of a Data Breach Report 2021 (28 July 2021) < https://www.ibm.com/downloads/cas/OJDVQGRY >
3 Catherine Chipeta, Top 8 Healthcare Cybersecurity Regulations and Frameworks (12 April 2022) UpGuard < https://www.upguard.com/blog/cybersecurity-regulations-and-frameworks-healthcare >
4 Steve Cagile, New Requirements Increase Cyber Risk Management and Reporting Expectations for Healthcare Entities (18 April 2022) Clearwater < https://clearwatercompliance.com/blog/new-requirements-increase-cyber-risk-management-and-reporting-expectations-for-healthcare-entities/ >
5 Australian Cyber Security Centre, Joint cybersecurity advisory released on 2021's top routinely exploited vulnerabilities (28 April 2022) < https://www.cyber.gov.au/acsc/view-all-content/news/joint-cybersecurity-advisory-released-2021s-top-routinely-exploited-vulnerabilities >
6 Office of the Australian Information Commissioner, Data breach action plan for health service providers (11 February 2020) < https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-action-plan-for-health-service-providers >
7 Australian Cyber Security Centre, ACSC Partnership Program (n.d.) < https://www.cyber.gov.au/partner-hub/acsc-partnership-program >
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.