What is Healthcare Cybersecurity?

The Optus and Medibank data breaches have got every business owner hyper aware of cybersecurity threats in all industries. Given the sensitive nature of medical information, cybersecurity poses unique fears and challenges for medical practice owners. The vast quantities of sensitive information in healthcare and potentially devastating effects that cyber-attacks can have on patient privacy makes the healthcare sector especially vulnerable. Many healthcare organisations have various specialised information systems such as e-prescribing systems, practice management support systems, clinical decision support systems and computerised physician order entry systems. Additionally, thousands of devices that must be protected as well include smart elevators, smart heating, ventilation and air conditioning (HVAC) systems, infusion pumps, remote patient monitoring devices and others. These are examples of some assets that healthcare organisations typically have, and need to protect.

Worse yet, many organisations in the healthcare sector are simply underprepared to defend their networks against cyber-attacks with an 84 percent rise in cyber incidents in Australia's healthcare sector.1 Additionally, 60 percent of healthcare organisations foresee experiencing a ransomware attack in the next 12 months, with the average cost of a ransomware attack being over $900,000.2 Cyber-attacks can often be avoided considering 41 percent of data breaches are due to human error.3 This lack of readiness against cyber-attacks is more than an inconvenience or a financial burden; it can impede critical services and put the health and wellbeing of patients at risk by affecting the continuity of care.

This article has an overview of the types of cyber-attacks the healthcare industry can face and those that are most widespread, how to protect against and prevent cyber-attacks, and what You Legal can do to help.

What is a Cyber-Attack?

A cyber-attack is an attempt by cybercriminals using one or more computers against a single or multiple computers or networks to disable computers, steal data, or use a breached computer system to launch additional attacks. Cybercriminals use a variety of different methods to launch a cyber-attack that includes malware, phishing, ransomware, man-in-the-middle attack, denial of service, among other methods.

Four Cyber Threats in Healthcare to be aware of:

1. RANSOMWARE ATTACKS

Ransomware is a malware designed to deny a user or organisation access to files on their computer. This malicious software, by encrypting files, restricts access to sensitive patient data until the practice pays the cybercriminal ransom fees which in many cases means hundreds of thousands or even millions. Cybercriminals place organisations in a position where paying the ransom is the easiest and cheapest way to regain access to their patient files.

2. DATA LEAKS

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. Other common terms include unintentional information disclosure, data leak, information leakage, and data spill. In your practice it looks like sensitive personal information being shared with or accessed by an unauthorised person. Medical data is the new gold on the dark web and can be worth up to $500 per piece of sensitive information. Sensitive personal details of your patients and team can be used to commit identity theft and fraud.

3. USE OF PORTABLE STORAGE DEVICES

In the case of loss or theft of a portable device, practices are faced with a breach of confidentiality due to possible unauthorised access to the data stored on the device, and/or a breach of availability if a backup copy of the data is not available. USB security software is a critical tool for preventing data breaches to portable storage devices within your practice. Adopting secured cloud storage for all your patient information is the best way to keep the information secure.

4. PHISHING ATTACKS

Phishing is a social engineering attack whereby a hacker tricks an unsuspecting target into performing a self-harmful action. It involves scammers sending communication (usually email but may also be a phone call or SMS) disguised as being from a trusted source in order to steal confidential information. Where you suspect an email to be a phishing attempt, contact your IT team. Do not open any attachments, click any links or forward the email to another device and do not provide any information to unverified sources.

How to prevent Cyber-Attacks in your Practice?

Here are some easy prevention tips to help avoid a cyber-attack in your Practice:

1. RANSOMWARE ATTACKS

  • Staff Training
  • Web Filtering
  • Anti-Virus Software and Anti Ransomware
  • Maintain Backups

2. DATA LEAKS

  • Restrict the Use of Removable Media
  • Monitor the Computer Activity of Employees
  • Security Awareness Training
  • Encrypt Sensitive Data
  • Restrict Who Can Access Sensitive Data
  • Ensure That Repositories are Secure
  • Perform Regular Vulnerability Assessments
  • Use a Secure Email Gateway to Prevent Accidental Disclosure

3. USE OF PORTABLE STORAGE DEVICES

  • Prioritise What Data Needs to Be Secured
  • Use Encryption on Storage Drives and Individual Files
  • Limit Data Collection and Retention
  • Limit Access to Sensitive Data
  • Block Employees from Using High-Risk Applications
  • Update Confidentiality Clause with Employees

4. PHISHING ATTACKS

  • Use Email & Web Filters
  • Utilise Two-Factor Authentication
  • Avoid Sharing Company Emails Publicly
  • Teach Employees How to Spot a Phishing Email & What to do if They Click on a Phishing Link

Suspect a Patient Data Breach from a Cyber Attack?

If you suspect a data breach it is important to know your legal obligations. At You Legal we have a Fast Track solution to help you prepare for a potential Data Breach which includes our:

  • Notifiable Data Breach Manual,
  • Breach Assessment Process, and
  • Patient Notification Letter

to deploy in your business and ensure you're meeting your obligations as an APP entity.

5 steps to be prepared:

There are 5 steps you can take today to ensure that you are ready if one does happen in the practice, they are:

  1. Know what a patient data breach looks like
  2. Be aware of your obligation to notify
  3. Initiate a potential breach assessment
  4. Investigate the potential data breach
  5. Evaluate

If you want to know more about these five steps, read our article which explores these steps more in-depth.

Our Recommendation

It is imperative for medical practices to protect their business from cyber-attacks and meet their legal obligations. There are three main overlapping areas that medical practices should consider covering, depending on the way you run your business:

  1. Confidentiality clauses in employment and independent contractor agreements are critical (not just for the team but also for the owners);
  2. Obligation to notify of Suspected Data Breach (if applicable), and
  3. Privacy Polices which can also cover confidentiality on a broader scope as well as details of ownership of intellectual property.

It is likely that all three of these areas will apply to your practice at one time or another, but no two medical practices are the same, which is why it is essential that governance documents be specifically tailored to your medical practice.