With massive data breaches occurring on home soil with growing frequency, organisations in Australia and New Zealand can no longer look the other way or believe that “it’s not going to happen to us”.
In light of the attacks on companies like Optus, Medibank Private, and the Dialog Group, momentum for the reform of Australian data security, privacy, and management laws is growing. Nowhere are these changes more important than the healthcare sector–which holds the dubious distinction of being the most-breached industry, according to the Office of the Australian Information Commissioner (OAIC).
We all recognise the importance of protecting personal data–especially information regarding our health. So why is the healthcare sector falling short? In this article, we’ll take a look at both the security challenges affecting private health practices, as well as the compliance and controls needed to keep them and their patients safe.
In particular, the challenges we’ll discuss include those associated with:
- Digital health delivery
- Mobility in the workplace
- IT systems complexity
- Fear of consequences
- Staff reluctance and education
Cyber Security Challenges in the Private Healthcare Sector
From our observations working with private health institutions, the healthcare sector–including both public and private entities–is particularly vulnerable to cyber attacks for a number of reasons.
Digital Health Delivery
During the COVID-19 pandemic, the uptake of telehealth solutions in Australia doubled over a roughly three-month period. But while the digital delivery of health services provided–and continues to provide–critical support to patients, it also risks introducing potential security vulnerabilities where appropriate security measures aren’t taken.
A Mobile Workforce
These days, it’s common for doctors to work across multiple practices, clinics, and hospitals. As a result, some resistance to security measures stems from concerns that any steps taken to increase security will disrupt productivity (for example, by requiring multiple logins).
As Matthew Jarvis, Daraco’s national sales lead explains, “We know doctors will have many different accounts running on a single device. So you have to apply an appropriate security policy that’s not going to create an issue with another account”.
IT Systems Complexity
Few outside of the healthcare sector understand exactly how complex hospitals’ IT systems can become over time. But this added complexity can lead to unanticipated security risks.
“You’ve got many points of intersection where there is overlap between systems,” explains Jarvis. “You can have 4-5 different software packages within a single cardiology practice–all of which will run separate systems that are provided by software vendors that don’t keep up with the overall picture”.
If even one of these systems has a vulnerability that goes undetected, patient data can be compromised. Keeping track of every vendor and solution in use means that workflows aren’t duplicated, that each system has a clear owner, and that the security technology already available actually gets implemented.
Fear of Consequences
Despite security breaches making headline news, we still see a remarkable lack of urgency amongst private health practices to drive real security change.
In some cases, this may come down to a lack of awareness around the risks of operating in an insecure manner–or of the potential negative outcomes practices, clinics, and hospitals might face. In others, a lack of clarity around the organisation’s specific risks–or who will be addressing them–contributes to the sluggish adoption of security measures.
In still others, acting to implement cybersecurity best practices feels daunting due to the scope of the potential consequences. “Doctors know that this is important and that they need to be focusing on security”, Jarvis notes. “But they don’t have the time to do that–and it’s a scary prospect”.
Staff Education & Reluctance
For a cyber security initiative to succeed, all team members must be on board. Unfortunately, it isn’t uncommon to encounter staff who are set in their ways and reluctant to change their workflows during implementations–not just in private health practices, but in all industries and sectors.
These guidelines may be a helpful starting point for your staff education efforts, though they may need to be adapted to your practice’s unique circumstances.
Cyber Security Compliance and Controls in Private Health
Ultimately, the challenges above contribute to a lack of patient data compliance and controls in private health. In this context:
- ‘Compliance’ refers to the policies organisations have in place to protect personal information or to align with applicable governance and regulatory frameworks.
- ‘Controls’ refers to the means by which organisations prove that their compliance measures are in effect.
The private health sector is subject to the Privacy Act, which means individual practices, clinics, and hospitals have a responsibility to keep patients’ private information safe and secure. What we’ve found is that few private health entities succeed on both counts.
In fact, it’s not uncommon to hear of patient data like home addresses, mobile numbers, and Medicare details being shared in an insecure manner such as email.
Fortunately, stronger compliance and controls are easily achieved with technology that already exists–and that many practices have already adopted. Within the Microsoft platform:
- Compliance rules can be established regarding how and where patient data can be used.
- Systems can be configured in Microsoft so that files, emails, and other types of information that contain private data (such as a Medicare number, address, or credit card number) can’t be sent by email, shared via OneDrive, or downloaded to a USB drive.
- Controls over these compliance rules can then be implemented through data classification and labelling for different information types.
- You can also train systems on different keywords, dictionaries, and rulesets. For example, it might be fine to say the word ‘Medicare’ in an email–and even to say ‘Medicare number’–but not to have a number following.
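To make the keyword-versus-number distinction concrete, here is a small Python model of the kind of rule described above. It is an added illustration, not code from this article, from Daraco, or from Microsoft: a sensitive-information type is built from a candidate number pattern, a checksum over the digits, and a supporting keyword within a short window of characters, and each label maps to a policy of blocked sharing actions. The Medicare card checksum used (weights 1,3,7,9,1,3,7,9 over the first eight digits, compared with the ninth) is the public card format as I understand it and is an assumption to verify against your own reference; the numbers in the sample messages are constructed to fit the checksums and are not real identifiers.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Assumed Medicare card checksum: the first eight digits are weighted
# 1,3,7,9,1,3,7,9 and the sum mod 10 must equal the ninth (check) digit;
# the tenth digit is the card issue number and the first digit is 2-6.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)


def medicare_checksum_ok(digits: str) -> bool:
    """True if a 10-digit string has a plausible Medicare card checksum."""
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS))
    return total % 10 == int(digits[8])


def luhn_ok(digits: str) -> bool:
    """Luhn check, as used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


@dataclass
class SensitiveType:
    label: str                       # classification label applied on a hit
    keyword: re.Pattern              # supporting keyword that must be nearby
    number: re.Pattern               # candidate number pattern
    validate: Callable[[str], bool]  # checksum over the digits only
    window: int = 60                 # characters either side to look for the keyword


RULES: List[SensitiveType] = [
    SensitiveType(
        label="Health Identifier",
        keyword=re.compile(r"\bmedicare\b", re.IGNORECASE),
        number=re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"),  # printed as 4-5-1
        validate=medicare_checksum_ok,
    ),
    SensitiveType(
        label="Payment Card",
        keyword=re.compile(r"\b(card|visa|mastercard)\b", re.IGNORECASE),
        number=re.compile(r"\b(?:\d[ -]?){15}\d\b"),  # 16 digits, spaced or not
        validate=luhn_ok,
    ),
]

# Policy: the sharing actions each label blocks (the article's "can't be
# emailed, shared via OneDrive, or downloaded to a USB drive").
POLICY: Dict[str, Set[str]] = {
    "Health Identifier": {"email_external", "onedrive_share", "usb_copy"},
    "Payment Card": {"email_external", "onedrive_share", "usb_copy"},
}


def classify(text: str) -> Set[str]:
    """Return the labels whose pattern, checksum and nearby keyword all match."""
    labels: Set[str] = set()
    for rule in RULES:
        for m in rule.number.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if not rule.validate(digits):
                continue  # an unrelated number: not a hit
            context = text[max(0, m.start() - rule.window): m.end() + rule.window]
            if rule.keyword.search(context):
                labels.add(rule.label)
    return labels


def allowed_actions(text: str, requested: List[str]) -> Dict[str, bool]:
    """Decide, per requested action, whether the policy permits it for this text."""
    blocked: Set[str] = set()
    for label in classify(text):
        blocked |= POLICY.get(label, set())
    return {action: action not in blocked for action in requested}


# Constructed sample messages; the numbers are made up to fit the checksums.
SAMPLE_MESSAGES = [
    "Please bring your Medicare card to the appointment.",  # keyword only
    "We need your Medicare number before Friday.",          # still no number
    "Medicare number: 2123 45670 1, please confirm.",       # valid checksum: a hit
    "Medicare number: 2123 45671 1",                        # checksum fails: no hit
    "Card on file: 4111 1111 1111 1111",                    # Luhn-valid test number
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        labels = ", ".join(sorted(classify(msg))) or "-"
        print(f"{labels:<18} {allowed_actions(msg, ['email_external'])}  {msg}")
```

The first two sample messages mention ‘Medicare’ and even ‘Medicare number’ but carry no number, so no label is applied and every action stays allowed; the third carries a number that passes the checksum with the keyword nearby, so it is labelled and external email is blocked. Requiring all three signals (pattern, checksum, keyword proximity) is what keeps the false-positive rate low enough that staff don’t learn to work around the control.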
The Benefits of Implementing Cyber Security Compliance and Controls
Not only do steps like these improve your practice’s security posture, but they may also help:
- Protect against the types of cyber-attacks that could lead to reputational damage.
- Increase visibility into potential risks that could leave your organisation open to breaches, enabling you to identify the individual users that pose the biggest risk to your practice, clinic, or hospital.
- Support forensic investigations in the event of a breach so that you can determine right away exactly which data was breached.
- Ensure you qualify for cyber security insurance. General business insurance doesn’t typically cover cyber-attack losses. But without the right compliance and controls in place, you may not even qualify for cyber-specific insurance (at least not at an affordable rate).
With the recent spotlight on cyber security and the need for increased compliance, it is not enough for practices, clinics, and hospitals to take an ad-hoc approach to patient data protection. Embedding strategic risk management practices provides a strong framework for regulatory compliance and shields against the prospect of disciplinary action and reputational damage.
Taking Action on Cyber Security
With these issues in mind–and with cyber-attacks increasingly on the rise across Australia–taking action on cyber security in private health has never been more important.
Yet implementing stronger security practices doesn’t have to involve remembering complex passwords and logging in every time you sign on. Even simple steps like setting up two-factor authentication (2FA) or single sign-on (SSO) policies can make a meaningful difference in protection without compromising your practice’s productivity.
We can help you get started by taking you through an IT security audit that will identify your potential risks and determine the compliance and controls that are appropriate to your circumstances. Reach out to our team to start assessing your security maturity today.