Cyber attacks on health care are here to stay

Data breaches have notably been an ongoing and increasing threat in Australia across all enterprises and organisations.

With the recent waves of cyber attacks compromising the data of millions of Australians, it has never been more important to have measures in place to protect sensitive data.

To bring greater awareness to cybersecurity issues, The Office of the Australian Information Commissioner (OAIC) started the Notifiable Data Breaches (NDB), a scheme where all organisations under the Privacy Act 1988 are required to disclose all data breaches involving personal information.

NDB statistics

The most common source of data breaches varied for the top industry sectors, while, historically, the most attacked industries have reported that most data breaches are caused by compromised credentials, followed by malicious or criminal attacks.

Since the very start of the NDB in 2018, it has been interesting to see that healthcare service providers have been reporting the most data breaches compared to all other industries, followed by finance.

Out of 464 notifications received in the last NDB report (July–December 2021), the healthcare sector reported 83 attacks (18%), with an equal number of breaches from malicious or criminal attack and human error (47% each).

As a comparison to the second latest NDB report (January–June 2021), the scheme reported on 446 overall, while the healthcare sector had informed of 85 breaches.

Why are malicious attacks increasing in health care?

Just in the last five years, the state of Victoria reported two major cyber attacks, affecting several hospitals.

The recent Medibank attack allowed criminals to obtain access to the details of approximately nine million customers, including personal information and health claim-related data. Medibank is not the only healthcare organisation to have fallen victim to cybercrime. Australia Clinical Labs was also hit with a cyber attack earlier this year in which data of approximately 233,000 people was accessed. In an incident which occurred in 2021, elective surgeries at some Melbourne hospitals had to be postponed as a precautionary measure. During the same time, the Australian Cyber Security Centre issued a warning regarding the significant increase of cyber attacks in the healthcare industry, recommending a variety of strategies to combat the issue.

Experts have since wondered why these attacks got so predominant, and the answer is quite simple.

Patients need to share sensitive information with their hospitals, doctors and other healthcare providers to receive care. This information includes full names, identification details, medical histories, credit card details, public and private insurance details, and more. Because of this, experts have found that medical data can be between 10 and 20 times more profitable than credit card or banking details alone, resulting in a major impact for not only health facilities but also their patients. Attackers can sell this data on the dark web for profit, or to facilitate identity theft, blackmail or extortion.

Another potentially contributing factor as to why malicious attacks have increased is due to the rapid digitalisation of processes across multiple business units, which accelerated during the pandemic.

The pandemic was a challenging period for healthcare organisations and specifically hospitals and their staff as most facilities were unprepared for COVID-19 spikes. The priority and focus for health care and management had to be reallocated to patient care. Unfortunately, attackers see this as an opportunity to strike, thus making healthcare organisations more vulnerable to cyber attacks.

However, there is light at the end of the tunnel as there are solutions that can be implemented to protect the healthcare sector.

How to prepare for and prevent these incidents?

With the constant rise of data breaches, as well as their severity and consequences for not only big companies but also their consumers and customers, organisations are highly encouraged to take measures to ensure their data, applications and people are kept secure.

This particularly applies to healthcare providers, as the data breaches become a constant threat to the sector. With that in mind, here are just some of the actions that can be taken for effective preparation and prevention for these attacks:

• Investment in education on basic cybersecurity best practices and defences against phishing and social engineering attacks.
• Multifactor authentication for all users accessing from any location to any application.
• Implement password management best practices.
• Patching and keeping systems up to date.
• Review processes and technology to ensure they are still fit for purpose.
• Secure access to sensitive information and systems.
• Implement robust auditing and logging across systems.

Changes in legislation

In light of the recent breaches in Australia which have impacted millions of Australians, one area which we predict will change and evolve is legislation and regulatory requirements.

The Australian Parliament passed the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 earlier this year with mandatory periods for cybersecurity incidents to be reported by organisations categorised as critical infrastructure and a new obligation for responsible entities to create and maintain a critical infrastructure risk management program.

In addition, and as a consequence of the recent breaches, new legislation is being introduced to increase the penalties for repeated or serious privacy breaches. Under this new legislation, organisations could be fined $50 million, or 3x times the value of any benefit of misuse of information, or 30% of annual turnover.

Cyber attacks and threats to health care, and to all industries, have evolved to new levels which pose significant consequences to people and organisations. Unfortunately for many organisations, the attackers have been successful in their mission in compromising their defences and obtaining access to their data. Cybersecurity needs to be a top priority at the board and management levels to enable organisations and their cybersecurity teams to implement the strategies and technologies to mitigate the risks of cyber attacks.

Image credit: iStock.com/ipopba