Which industry is Australia’s worst offender when it comes to data breaches and cybersecurity threats? If you answered healthcare then congratulations, you’re on the money.
Health service providers were responsible for 54 of the 262 notifiable data breaches reported in the last quarter of 2018, according to the Office of the Australian Information Commissioner (OAIC), Australia’s privacy watchdog. The story was similar in the second and third quarters of 2018, with healthcare providers accounting for 49 of 242 documented breaches and 45 of 245 documented breaches, respectively.
These are unsettling statistics, particularly given public concern about patient privacy in the era of My Health Record, the controversial Australian electronic health record rolled out nationwide in 2018. The system appears ripe for large scale data breaches, given the number of parties that have electronic access to a rich seam of personal and medical information.
A healthy disregard for cybersecurity infections?
Despite the healthcare sector’s well documented standing as the sick man of the cybersecurity sphere, research suggests it continues to take a cavalier approach to the business of protecting core business systems and sensitive data.
A recent Frost & Sullivan study found that 49 percent of healthcare organizations in the Asia-Pacific Region either wait to take cybersecurity into account after they’ve begun digital transformation initiatives or don’t factor cybersecurity into their security strategies at all. Many took a ‘bolt on’ rather than a strategic approach to cybersecurity.
That approach is surprising, seeing as the patient information that healthcare providers typically have is worth more to cybercriminals than almost any other form of personal data.
As Forbes.com points out, fraudulently obtained electronic health records (EHRs) can be worth thousands of dollars on the black market.
Used in combination with other personal data, medical records can provide the detailed and reliable personal information necessary to commit identity theft and obtain products and services by deception.
Unfortunately, the threat to patient privacy often comes not from hackers and cybercriminals outside the organisation but from within. The 2018 Verizon Data Breach Investigations Report found an astonishing 56 per cent of cyberattacks in the healthcare sector were inside jobs, with financial gains being the most common motivation.
Diagnosis and treatment
Stringent security isn’t implemented by accident. When enterprises place a high value on systems and data security, they devote considerable resources to understanding their vulnerabilities, the threats they face, and the means by which these can be mitigated.
Conducting a comprehensive security audit of systems and processes is a good starting point.
Many healthcare organisations lack the expertise to carry out this exercise and will find it helpful to work with external consultants with the skills to augment existing security arrangements.
Cybersecurity auditors don’t just look at software solutions. They also give processes and practices a comprehensive examination. Encouraging employees to use secure channels of communication, for example, will reduce the likelihood of data being lost or compromised in transit.
It’s also essential to know where data is stored, whether on internal servers or offsite with a cloud-based service provider, and to confirm that it is protected wherever it resides.
While education and training won’t prevent rogue staff from attempting to steal patient data, they can reduce the likelihood of their honest colleagues causing an accidental data breach.
Regular awareness training helps employees understand the dangers of phishing, malware, and physical loss of data, such as a misplaced USB drive, lost laptop, or unprotected smartphone. Such training will also keep employees current on the practices they can implement to ensure the organisation does not become a statistic.
Ensuring patient data is in safe hands
The compromise of sensitive patient data can cost healthcare providers dearly – both financially and in reputational damage. Adopting comprehensive protection strategies, including stringent cybersecurity measures and regular staff training, will do much to boost the immunity of the healthcare sector.