Why Australian healthcare can’t shake its cyber problem

Australia’s healthcare sector leads in data breaches year after year. A new report reveals why – and how smarter security can protect patient data without slowing care.


The Office of the Australian Information Commissioner’s latest report into data breaches, released last month and covering the second half of 2024, revealed an unprecedented volume of data breaches among Australian organisations.

Healthcare was, again, the most affected sector. In fact, healthcare has held top position for every single one of the six years the report has been produced. 

This consistency is concerning given the highly sensitive nature of health, personal and sometimes financial data held by healthcare organisations, all of which can be used by cyber criminals for identity theft or extortion. Knowing this, why do healthcare organisations have such a poor track record? 

Not just a big target

We often attribute healthcare’s cybersecurity problems to the value of the data, and it certainly paints a large target on its back. While health data sold on the dark web often has the highest price tag, other critical sectors hosting sensitive data have shown better resilience to high volumes of cyberattacks, suggesting there is more that can be done in defence.

Healthcare is a vast and fragmented ecosystem, made up of organisations of widely differing sizes, financial resources and digital maturity. In recent years, revenues have been growing slower than costs for many, and when funding and capital are available, they tend to be prioritised for clinical spend and improved patient care.

A drastic acceleration in digital transformation has also challenged security standards, driving innovation and requiring security to keep up.

IT teams have been kept busy with major system migrations to the cloud, technical integrations with the broader ecosystem (for instance My Health Record), and the deployment of AI tools to optimise processes.

Healthcare workers are also increasingly using digital tools and accessing sensitive data on-the-go and in the field. As a result, most healthcare organisations are left with an ever-changing (and sometimes completely eroding) digital perimeter to defend, and – with new cyber risks quickly emerging – keeping this environment secure is a tough task. 

Understanding new behaviours

A recent report released by Netskope Threat Labs dedicated to healthcare observed the impact of some of those new risks. Workers in the sector are adopting cloud and generative AI at a rapid pace, with 88% of healthcare organisations detecting genAI usage among their teams.

The researchers behind the report observed regular attempts from workers to upload sensitive data to unapproved locations – spotted as data policy violations – and those unapproved locations are mainly popular cloud and genAI applications. Worryingly, a large majority of data policy violations (81%) involved regulated healthcare data, protected by national regulations. 

The report also reveals that two-thirds of healthcare staff who use genAI at work do so via personal genAI accounts. This is a problem for cybersecurity teams, as it hinders their ability to monitor genAI-related activity across the organisation and to detect and prevent data leaks.

These behaviours illustrate the issue, but it would be a mistake to blame employees. Healthcare is a high-pressure, high-stakes environment that requires quick decision-making as well as efficient processes.

When immediate patient outcomes come first, cybersecurity can easily become an afterthought. Experience shows that cybersecurity training alone won’t achieve drastic change. Healthcare organisations need to accept that employees will always make mistakes, and design security that serves as a safety net, helping to prevent cyber incidents even when workers break security or data protection policies.

Security that doesn’t break efficiency

Data Loss Prevention (DLP) is a tool that automatically blocks users’ actions when data policy violations occur. If a doctor unintentionally includes patient information in a genAI prompt, an intelligent DLP tool would block the action.

Real-time user coaching is also increasingly used by organisations, and a relevant complement to cybersecurity training. Real-time coaching is designed to detect risky behaviours as they happen, and present users with pop-ups giving context to the risk, asking if they would like to accept it, directing them to alternative services and approaches, or asking them to justify their action to receive exemption – whichever the security team chooses. 
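The following is an added illustration, not code from the article or from Netskope’s products: a minimal policy check in Python that combines the two mechanisms just described, blocking a genAI upload that contains regulated health data and instead coaching (asking for justification) when the destination is a sanctioned corporate tenant. The app catalogue and the patient record-number pattern are constructed for the example; the Medicare check-digit rule is the publicly documented one.

```python
import re
from dataclasses import dataclass

# Constructed destination catalogue; a real DLP would use its app inventory.
APPROVED_GENAI = {"corp-assistant.example"}   # sanctioned, monitored tenant
PERSONAL_GENAI = {"chat.example-ai.com"}       # personal account, unmonitored

MEDICARE_RE = re.compile(r"\b(\d{4})[ -]?(\d{5})[ -]?(\d)\b")
# Hypothetical hospital record-number format (MRN/URN + six or more digits).
RECORD_RE = re.compile(r"\b(?:MRN|URN)[ :#]*\d{6,}\b", re.IGNORECASE)


def is_valid_medicare(number: str) -> bool:
    """Australian Medicare card number: 10 digits, first digit 2..6.
    Weights 1,3,7,9,1,3,7,9 over the first eight digits; the weighted sum
    mod 10 must equal the ninth digit. The tenth digit is the issue number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 10 or not 2 <= digits[0] <= 6:
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    return sum(d * w for d, w in zip(digits[:8], weights)) % 10 == digits[8]


def find_regulated_data(text: str) -> list[str]:
    """Return the kinds of regulated health data found in a prompt."""
    findings = []
    if any(is_valid_medicare("".join(m.groups())) for m in MEDICARE_RE.finditer(text)):
        findings.append("medicare_number")   # checksum filters random digits
    if RECORD_RE.search(text):
        findings.append("patient_record_number")
    return findings


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "coach" (justify to proceed) or "block"
    reason: str


def evaluate_upload(prompt: str, destination: str) -> Decision:
    """Decide what the DLP layer does with a genAI prompt bound for destination."""
    findings = find_regulated_data(prompt)
    if not findings:
        return Decision("allow", "no regulated data detected")
    kinds = ", ".join(findings)
    if destination in APPROVED_GENAI:
        return Decision("coach", f"{kinds} sent to sanctioned genAI; justification required")
    if destination in PERSONAL_GENAI:
        return Decision("block", f"{kinds} sent to personal genAI account")
    return Decision("block", f"{kinds} sent to unapproved destination {destination}")
```

The checksum step matters in practice: without it, any ten-digit figure in a prompt would trigger a block and erode clinicians’ trust in the control.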

When planning security upgrades and assessing solutions, healthcare organisations should keep two priorities in mind.

Firstly, new security deployments shouldn’t force trade-offs in user experience. Improving security has often damaged employees’ digital journeys and productivity in the past, but new solutions must be designed to enhance both security and user experience.

Secondly, adopting individual security tools for each new risk is problematic, and results in costly, complex security stacks, where tools don’t work in unison and often leave gaps in defences.

Consolidating them into a unified platform for security is a better option for healthcare organisations seeking comprehensive and unified security with limited budgets. 

Tony Burnside is senior vice-president and head of Asia Pacific, Netskope
