Cyber secure
Mitigating the risks of cyber attacks in the health sector.
By Ajay Unni
The health and aged care sectors are facing an increasing onslaught of cyber attacks, often causing untold financial and reputational damage to their organisations.
Earlier this year, the Australian Cyber Security Centre (ACSC) reported that cyber security incidents relating to the Australian healthcare sector increased by 85 per cent in 2020. Outside of government and individuals, the health sector reported the highest number of cyber crime incidents to the ACSC in 2020.
Back in April, a cyberattack at UnitingCare Queensland proved a cautionary tale, with the attack rendering the organisation’s digital and technology systems inaccessible, affecting multiple hospitals and aged care homes.
In the health and aged care sector, a cyber attack is not merely a business risk, but a serious health and medical risk. Unless health and aged care organisations start prioritising their cybersecurity now, they’ll be next in line to become the latest cyber attack headline.
Why is health a target?
The health and aged care industry is a valuable and vulnerable target for malicious cyber criminals. Highly sensitive personal data combined with valuable intellectual property on technology and research put a massive target on the back of any health-related business.
28 | nursingreview.com.au
COVID-19 has only increased these risks, with financially motivated cyber criminals targeting the sector thanks to increased reliance on telehealth and internet-enabled services.
With public mistrust of the government and vaccines reaching a fever pitch, there’s more than enough motivation for an anti-vaxxer hacker to take advantage of the sector’s vulnerabilities.
Clearly, there is a huge and very real pressure on health sector organisations to maintain their digital systems and, if disrupted, to rapidly restore them to full functionality. Despite this, cyber security is often pushed to the bottom of the never-ending to-do list.
Implementing better cyber security
So how can businesses begin to implement cyber security that actually works?
Cyber security has some basic hygiene principles that all health and aged care businesses should follow. It all comes down to culture, enforcement and encouragement leading to a broad cultural change.
In order to assess their cyber security risks, health and aged care businesses should look at three main areas: people, systems and processes. Once they have established the weaknesses in these three areas, the next step is to see how those weaknesses can be exploited to cause damage to the business.
If there are no policies or processes for cyber security in place, it’s almost impossible to prevent an imminent attack. For example, if your staff are not trained on ransomware, phishing and the signs to look out for, it’s more likely that they will click on a link that could install malicious software. If your systems don’t have the latest security patches installed, it’s easier for them to be breached.
Passwords should be rotated at the very least every 60 days, although every 30 days is even better. To make them even harder to guess, passwords should be at least eight to 10 characters long, have at least one number, one capital letter, and one special character, such as one of the following: ‘!@#$)’.
Multi-factor authentication (MFA) adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call, or authenticator app to verify a browser login.
Board members must look at cybersecurity through the lens of risk and exposure, and realise that they are responsible for the impact of any risk — including cyber. In fact, personal responsibility could soon be a legal requirement as the federal government considers making company directors accountable.
Ensuring that cyber security is set as part of the board’s agenda needs to be a priority. Set aside time to build a cyber security strategy, which includes appointing someone in the management team to lead and be responsible for cyber security.
Check that your board’s risk register includes cyber risk, is updated regularly, and tabled at the board meetings. Provide leadership and take part in cyber security awareness and training.
The best way to deal with cyber attacks is a combination of processes, people training and technology. Constant training, awareness and process flows are the only way for internal and external staff to spot any anomalies before they turn into a massive breach.
Health and aged care organisations hold a massive amount of sensitive, personal, and medical information about the people under their care. It’s the sector’s job to prioritise the safety and security of that information, now and into the future.
Ajay Unni is the CEO and founder of StickmanCyber.