Article by Ajay Unni, in Aged Care Insite
You can read the full content on the report below:
The health and aged care sectors are facing an increasing onslaught of cyber attacks, often causing untold financial and reputational damage to their organisations.
Earlier this year, The Australian Cyber Security Centre (ACSC) reported cyber security incidents relating to the Australian healthcare sector increased by 85 per cent in 2020. Outside of government and individuals, the health sector reported the highest number of cyber crime incidents to the ACSC in 2020.
Back in April, a cyberattack at UnitingCare Queensland proved a cautionary tale, with the attack rendering the organisation’s digital and technology systems inaccessible, affecting multiple hospitals and aged care homes.
In the health and aged care sector, a cyber attack is not merely a business risk, but a serious health and medical risk. Unless health and aged care organisations start prioritising their cybersecurity now, they’ll be next in line to become the latest cyber attack headline.
Why is health a target?
The health and aged care industry is a valuable and vulnerable target for malicious cyber criminals. Highly sensitive personal data combined with valuable intellectual property on technology and research put a massive target on the back of any health-related business.
COVID-19 has only increased these risks, with financially motivated cyber criminals targeting the sector thanks to increased reliance on telehealth and internet-enabled services. As organisations remain distracted by the ongoing demands of the pandemic, criminals are using the opportunity to take advantage.
With public mistrust of the government and vaccines reaching a fever pitch, there’s more than enough motivation for an anti-vaxxer hacker to take advantage of the sector’s vulnerabilities.
Clearly, there is a huge and very real pressure on health sector organisations to maintain their digital systems and, if disrupted, to rapidly restore them to full functionality. Despite this, cyber security is often pushed to the bottom of the never ending to-do list, always competing with the demands of running a health organisation in a pandemic.
Implementing better cyber security
So how can businesses begin to implement cyber security that actually works?
Cyber security has some basic hygiene principles that all health and aged care businesses should follow. It all comes down to culture, enforcement and encouragement leading to a broad cultural change.
In order to assess their cyber security risks, health and aged care businesses should look in three main areas: people, systems, and processes. Once they have established the weaknesses in these three areas, the next step is to see how those weaknesses can be exploited to cause damage to the business.
If there are no policies or processes for cyber security in place, it’s almost possible to prevent an imminent attack. For example, if your staff are not trained in ransomware, phishing, and the signs to look out for, it’s more likely that they would click on a link that could install malicious software. If your systems don’t have the latest security patches installed, it’s easier for them to be breached.
Passwords should be rotated at the very least every 60 days, although every 30 days is even better. To make them even harder to guess, passwords should be at least eight to 10 characters long, have at least one number, one capital letter, and one special character, such as one of the following: ‘!@#$)’.
Multi-factor authentication (MFA) adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login.
Board members must look at cybersecurity through the lens of risk and exposure, and realise that they are responsible for the impact of any risk — including cyber. In fact, personal responsibility could soon be a legal requirement as the federal government considers making company directors accountable, as reported in the SMH.
Ensuring that cyber security is set as part of the board’s agenda needs to be a priority. Set aside time to build a cyber security strategy, which includes appointing someone in the management team to lead and be responsible for cyber security.
Check that your board’s risk register includes cyber risk, is updated regularly, and tabled at the board meetings. Provide leadership and take part in cyber security awareness and training.
The best way to deal with cyber attacks uses a combination of processes, people training and technology. Constant training, awareness and process flows are the only way for internal and external staff to spot any anomalies before they turn into a massive breach.
Aged care organisations hold a massive amount of sensitive, personal, and medical information about the people under their care. It’s the sector’s job to prioritise the safety and security of that information, now and into the future.