Life support for public healthcare IT
With consumer trust shaken, Australia’s convalescing healthcare IT ecosystem needs a shot in the arm.
A series of high-profile data breaches during 2016 exposed IT problems in Australian healthcare agencies, which joined peers around the world in being ravaged by human error and targeted by data-hungry hackers. As if that wasn’t enough, the Australian Taxation Office’s core data infrastructure collapse offered a stark reminder to all large government organisations that data security in this day and age is about more than just stopping hackers.
That would have been an empty reminder for the IT teams at Melbourne Health, where a malware attack paralysed pathology services at the Royal Melbourne Hospital (RMH) last January. Or the Red Cross Blood Service (RCBS), whose IT service provider Precedent made 1.28 million healthcare records, containing the sensitive medical information of over 550,000 blood donors, available online. An investigation by the Australian Privacy Commissioner is underway and the findings are unlikely to be complimentary.
The RCBS breach was Australia’s largest to date, but it pales in comparison to recent compromises at US health insurers such as Anthem, which lost 78.8 million patient records in an attack given a risk-severity rating of 10 out of 10 by the Breach Level Index, or the Korea Pharmaceutical Information Center (43m records), Excellus BlueCross BlueShield (10.5m) and an unnamed US healthcare insurer that suffered an identity-theft attack that saw 9.3m records compromised.
Australia’s lack of breach-notification laws — already well enshrined in other countries and due to be legislated here soon — means that we just don’t know how many breaches are happening behind closed doors. But “from my work with health bodies in Australia, we are seeing thousands of attempted ransomware attacks per day”, said Keith Holtham, ANZ emerging technologies lead with security firm Check Point Software Technologies.
Close linkages between healthcare institutions and university research organisations have created a matrix of vulnerabilities that is “a fairly unique environment in Australia”, Holtham said, with so-called ‘shadow IT’ particularly problematic. “We have traditionally seen monolithic systems where people have had records and data repositories, and they’re not necessarily under the control of IT or IT security.”
The haphazard nature of healthcare IT security has helped compromise the public’s trust in an entire industry. Recent research by technology consultancy West Monroe Partners (WMP) found that just 48% of respondents to a survey said they completely trust their healthcare provider with their personal information.
This, despite findings that patients are enthusiastic adopters of healthcare portals and mobile apps — used by 86% and 91% of consumers respectively. Such findings suggest a significant disparity between consumers’ desire for digital health care, and providers’ ability to deliver those services.
“Government CIOs need a sense of urgency and a willingness to take calculated risks to survive,” Gartner analyst Rick Howard noted, “particularly as they are laden with more responsibilities than their private-sector counterparts.”
While some government programs will thrive based on participation from citizens — Gartner believes half of all citizens will voluntarily share personal data to drive smart-city programs by 2019 — healthcare programs will only be successful if citizen-related data can be guaranteed safe. Building those guarantees will be crucial to the recently announced National Digital Health Strategy (NDHS), which was opened to public consultation in November by the fledgling Australian Digital Health Agency (ADHA).
The ADHA’s creation is the latest stage in a stop-and-go e-health transition that was for years managed by the National E-Health Transition Authority (NeHTA), whose My Health Record has arguably been a modest success — some 4 million Australians currently use the system. But broader adoption will require healthcare CIOs to reassert their legitimacy and capabilities in a climate where healthcare and other personal data are being actively targeted for harvesting by bots on a 24x7 basis.
All together now
As if the threats weren’t bad enough, Australian healthcare organisations are being plagued by bad habits and deficiencies in areas such as skills and committed resources. They also face stricter-than-usual limitations around the adoption of Internet of Things (IoT) technologies — which are being snatched up in other parts of government, but must be adequately secured to guarantee they won’t lead to potential compromises of sensitive healthcare data.
That’s proving harder to guarantee than one might expect. Their curiosity piqued, hackers spent much of 2016 probing all manner of IoT devices and specialised medical equipment, and found a range of vulnerabilities that could have life-threatening consequences.
Despite healthcare organisations’ indisputable reliance on technologies of all types, the threat of equipment hacks has created a level of risk that, surveys suggest, Australian organisations are poorly equipped to manage. Some 85% of respondents to Capgemini Australia’s recent 2016 World Quality Report, for example, said IoT applications were important to their organisations — but 68% admitted they weren’t ready to deal with the additional workload the IoT presents.
Cloud computing — which has been enthusiastically embraced by many levels of government — is also lagging in health care, where requirements for data security and control have forced CIOs to kerb their enthusiasm.
While 28.4% of Australian organisations in the Capgemini study were running applications in the public cloud — leading the world — they were well behind global averages when it comes to use of DevOps, the emerging discipline focused on keeping operational procedures in lockstep with development practices.
Such deficiencies will increase drag on Australian healthcare organisations’ ability to innovate, even as their less encumbered peers pivot towards a future built around new technologies. Navigating these unique circumstances will require healthcare CIOs to carefully straddle the gap between citizen expectations and their own capabilities. But that won’t be easy, warned Richard Staynings, principal and cybersecurity healthcare leader with Cisco Systems.
“Australia has really dragged its feet around breach notification” legislation, said Staynings. “As a result there has been lower prioritisation of healthcare and a general lack of understanding of the magnitude of the risk with which providers are being faced.”
“There is very little in the way of security operations capabilities and visibility tools,” he added, “and there is quite little from a regulatory compliance perspective that is forcing people to look into that, or to provide repercussions when data is not secured.
Staynings also noted, “[There is] a general feeling that most attacks against health care are against US healthcare entities. But Australian health care is also a very lucrative target for cybercriminals.”
Reports tracking the sale of stolen healthcare data support that contention. Intel Security’s recent McAfee Labs Health Warning report, for one, found medical records selling for anywhere from a fraction of a cent to US$2.42 (AU$3.32) per record — well below the cost of financial data, largely due to factors related to economies of scale.
“Medical data adds value to the [financial services] transaction,” the report noted. “Stolen medical data … already has a higher per-record value than in markets of non-financial account data.”
Cost versus benefit
Even as cybercriminal market forces progressively monetise the data held within Australian healthcare organisations, those same organisations are facing some far more pedestrian issues.
Ever-present budget limitations, for one, have forced healthcare organisations to drag out the value of their IT assets for much longer than would normally be recommended. Witness the Windows XP systems breached in last year’s RMH malware attack, which had not had official support from Microsoft for nearly two years at that point.
Such systems are sitting ducks for hackers. The thought that they are being relied on to protect extremely sensitive healthcare information is rightly a cause for concern. Even environments that are supposedly well protected — such as the ATO’s core infrastructure, which scrambled to recover from the loss of nearly 1 petabyte of data after a catastrophic failure of its HP Enterprise storage — remain susceptible to major problems that have nothing to do with security breaches.
Yet with budgets tight and cloud alternatives still representing too high a risk for many healthcare environments, healthcare CIOs have few real options.
Some are considering ways to revisit their on-premises infrastructure, which allows them to retain citizens’ healthcare within internal databases while using technology like virtual desktop infrastructure (VDI) to reduce exposure to client-side issues such as outdated and vulnerable desktops.
“The more people digitise their businesses, the more they worry about patient data getting into the wrong space,” explained Pat Devlin, ANZ regional director with infrastructure provider Simplivity, which recently expanded its OmniStack platform with explicit VDI support for healthcare institutions running the widely used EPIC Systems Hyperspace patient management system.
Explicit support for that platform allows the VDI environment to be tuned for the rapid responsiveness that’s critical for everyday performance in healthcare environments, while “allowing infrastructure teams to be able to lock down their endpoints a little tighter”, said Devlin, noting that the platform will soon be certified to Common Criteria and FIPS defence-level security standards. “There are some environments that just cannot tolerate high levels of latency, and VDI delivers very consistent VDI performance regardless of scale.”
Such upgrades require a major change in healthcare IT philosophy, however, since they necessarily involve a major overhaul of operating infrastructure. And while the technology is established, mustering the willpower and resources to implement it is another issue altogether.
Senior leaders “are in a sticky situation because they don’t have the money or the mandate to fix what needs fixing”, said Staynings. “Security is competing for scarce resources around increased digitalisation and improved patient-outcome initiatives. They’re in a bit of a catch-22.”
The results of this situation are hardly conducive to digital revolution. Forecasts of key IT trends in 2017 all revolve around cloud technologies, IoT, virtual assistants and the like. But none of these technologies can be properly exploited within healthcare environments without some serious infrastructure overhauls. The net result is likely to be that many healthcare providers will stand still and watch the technology state-of-the-art recede into the distance.
If budget limitations are one complicating factor for healthcare IT, management support is another. Gartner, for one, recently warned that many executives are using inappropriate benchmarking practices to gauge their security spend against other industry players.
This approach — particularly when used to manage costs in budget-sensitive government agencies — may seem appropriate for managers schooled in unit-based expense tracking; witness the catastrophic failure of management that led to the Queensland Health Payroll System Commission of Inquiry fiasco. When similarly absolutist metrics are applied to cybersecurity risk, these methods can obscure natural organisational idiosyncrasies and gloss over some very real risk indicators.
“General comparisons to generic industry averages don’t tell you much about your state of security,” Gartner research director Rob McMillan warned. “You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers.”
Even as healthcare providers continue to climb the learning curve around data security and infrastructure reliability, the people seeking to steal their data will continue redoubling their efforts to do so. This, Staynings warned, is likely to keep tightening the screws on healthcare CIOs through 2017 and beyond — forcing them to step away from traditional operationally focused models of IT to develop, and execute on, broader strategy and governance frameworks.
“The Australian healthcare market probably needs a jolt,” he said, citing breach-notification laws as well as expanding potential for civil remedies from individuals harmed through data breaches.
“As long as people can make money from harming the rest of us, they are going to continue to do so,” Staynings added. “It’s going to take greater visibility and a greater understanding of the true magnitude of the threats facing today’s healthcare organisations — and it’s going to take increased funding, government oversight, regulation and mandates to improve Australian health care.”
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...