Apps, telehealth and wearables mean health data is everywhere, and we need to be more vigilant or patients will suffer.
Last year a patient at a Melbourne hospital underwent what was deemed a preventable amputation.
This didn’t happen because of the resource shortages that have been plaguing Australia’s healthcare sector since the start of the pandemic. It also wasn’t down to a misdiagnosis or any fault in the care provided by staff.
It was because the hospital fell victim to a cyber-attack that took its IT systems down and prevented access to patients’ medical histories. In this case, the patient was unable to verbally communicate where he was experiencing pain, and doctors were helpless in preventing the spread of an infection.
Cyber-attacks against Australia’s healthcare organisations are becoming alarmingly commonplace. The majority of breaches reported to the Office of the Australian Information Commissioner (OAIC) last year were from the healthcare sector.
There have been numerous examples of these breaches recently, each one wreaking significant damage while the nation battled with the challenges of covid and extreme weather events.
In April 2021, Uniting Care in Queensland, which operates health and aged care facilities across the state, experienced a ransomware attack that took its digital systems offline. This took more than six weeks to restore, and staff were forced to revert to paper-based methods to deliver patient care.
Six months later, Macquarie Health Corporation, which runs 12 hospitals across the eastern seaboard, suffered similar consequences when a ransomware attack led to the personal information of 6700 people being posted to the dark web.
If we look abroad, the stories become even scarier. In 2020, a ransomware attack caused a German hospital to close its doors and turn away a patient experiencing an aneurism. The patient was directed to a hospital 23km away, which delayed her surgery by an hour, and she died shortly afterwards.
Back in July 2018, Singapore’s largest group of healthcare organisations experienced a breach involving the personal information of 1.5 million patients – including the Prime Minister. This was attributed to poor employee training, as well as weaknesses throughout the network.
Digital health presents new security challenges
The raft of attacks against healthcare institutions shows the depths to which cyber-criminals are willing to sink. An intrusion, compromise or data exfiltration can put the lives of society’s most vulnerable at risk, and push an under-resourced and vital sector even further towards the brink.
If we allow ourselves to get inside the mind of a ruthless criminal, hospitals make sense as a target for cyber-crime.
Issuers of ransomware have considerable bargaining power when peoples’ lives are at stake. Also, with patients’ medical histories, financial information and other personal data increasingly stored online, a successful hack opens the doors to boundless opportunities for financial theft and identity fraud.
To put it into perspective, My Health Record, Australia’s digital repository of health information, stores more than 680 million patient and staff records. That’s a lot of valuable information ripe for the picking.
The dispersed nature of modern healthcare systems also means security staff no longer have the luxury of managing network infrastructures in-house. Applications, data and devices are no longer confined to a well-defined perimeter, with data instead residing in countless apps, both on-premises and the cloud.
This limits control and visibility, creates even more entry points for criminals, and heightens the chance of patients and staff accidentally clicking on nefarious links or sharing sensitive information.
The most obvious example is the widespread and rushed adoption of telehealth services during the pandemic, which saw hordes of patients and staff freely exchange financial and personal information online.
It’s also now common for people to make bookings through their smartphones, receive text message appointment reminders, exchange electronic prescriptions and use wearables to track their health and wellbeing. This is creating endless opportunities for people to send personal information to the wrong hands, and for criminals to impersonate healthcare organisations.
Health practitioners also use messaging apps such as WhatsApp to share private information, diagnoses and images of injuries as quickly as possible, stretching the hackable digital footprint even further.
Dispersed hospital systems require holistic protections
As is the case in any battle, changes in the environment and your enemy’s playbook require a complete strategic rethink to adequately fortify your defences.
It’s no longer logical or effective for hospitals to approach their security measures in a silo when those seeking health services are spread across a vast range of locations and using an almost limitless number of unmanaged devices and networks to do so. Further, the recent breach against Optus shows how quickly criminals can pounce on a single weakness in an organisation’s cyber defences, with devastating consequences for stakeholders.
The healthcare sector, from hospitals to GPs, need to engage comprehensive data protection that covers the entire spectrum of digital activity, including each user, their behaviour and the devices and applications they’re using. If they don’t, criminals will have free rein over unprotected digital information.
Attaining visibility and control over the entire system will reduce the risk and impact of ransomware and other cyber threats, and ensure that personal information is better protected.
Hospitals across Australia urgently need to strengthen their cybersecurity posture – it’s literally become a matter of life or death. But the approach needs to take into account the dispersed and digital nature of modern healthcare, or criminals will continue exploiting weaknesses in hospitals’ defences and endangering peoples’ lives. Â
Don Tan is senior director, APJ at Lookout, an endpoint-to-cloud security company purpose-built for the intersection of enterprise and personal data.
