With the expansion of telehealth and, more recently, electronic prescribing in Melbourne, computer systems have become more important than ever for general practice.
The estimated losses from cyber attacks and data breaches in 2019 for the healthcare industry are $25 billion, with the average cost of a ransomware attack on a business being $133,000. The health sector is increasingly being targeted by criminal organisations, individuals and state actors, with attacks up 151% in the last ten years and 15% of all breaches involving healthcare organisations. From July to December 2019, Australia’s health sector accounted for 22% of all data breaches, making it the highest reporting sector in the country. Given the sensitivity of the data held and managed by healthcare providers, a breach also puts the provider’s reputation at risk and exposes it to legal action by distressed patients as well as fines from regulatory bodies.
What is it that makes the Healthcare sector so attractive to hackers?
Firstly, a health record fetches an estimated $250 on the black market, compared with $5.40 for the next most valuable record type, payment card data.
Secondly, healthcare is vulnerable due to the high number of interconnected devices and third-party vendors, meaning that attackers have many entry points to probe for weaknesses they can exploit. 59% of data breaches in the healthcare sector are attributed to third-party vendors. Additionally, once inside, an attacker has access to a large quantity of personal information in the one location.
It won’t happen to me!
Healthcare is unique in that it has the largest share of breaches attributed to internal actors, which stands at 53%. Denial of service attacks are less frequent, as is ransomware, although there were several instances of ransomware in Australia in February (2019) alone. Internal actors are rarely malicious; most incidents involve staff falling for phishing or sending information to the wrong recipient (misdelivery), the most common error type. Here are some health-related security events that show just how easy it is for mistakes to be made when managing patient data:
South Australia Health (SA Health), 2005–2018: From 1996 to 2005, 7200 pathology tests relating to childhood infections were processed at Adelaide’s Women’s and Children’s Hospital. An academic used this data in a presentation, displayed in graph format, which was subsequently posted online. Somehow, the source data, including names, dates of birth and test results, could be revealed with just the click of a button.
Melbourne Heart Group had 15,000 medical files stolen: according to the report, the syndicate attacked the clinic’s server with malware and demanded a cryptocurrency payment in exchange for the password needed to decrypt the files.
An internal actor compromised the personal health information of 317 people applying for Australian visas by accidentally emailing it to a member of the general public.
In June, Specsavers Qld lost data (the names, dates of birth, addresses, phone numbers, email addresses, clinical records of optometry tests, and Medicare details of its clients) when a password-protected server was stolen from storage during a fit-out.
The ABC reported that sensitive patient health records were found on a busy road after they had been collected by a provider contracted to destroy them securely.
The Prognosis is GOOD
There are many things that you can do to protect your business. Take a deep breath and start by taking care of the small things. The cumulative effect will be that your business is protected in a BIG way.
Know who is accessing your systems, when they are on them, why, and what they did while they were there.
All access points must be monitored and secured, and every party (client, user, end user and vendor) given only the minimum access they need.
Make sure you back up your data. If you run a GP practice, the RACGP has published a helpful guide to help you understand more about backing up your data.
Train your staff regularly so that the right practices for sharing and managing patient data stay top of mind.