- Cyber Security is a major concern and a necessity for all businesses, regardless of their industry.
- The healthcare sector is not an exception and the threats that the cyber attacks carry for healthcare practice managers are huge.
- Find out everything about cyber attacks and how you can prevent their negative effects on your practice.
There’s lots of talk at the moment about cyber attacks but what are they, what risks does your healthcare practice face, and what should you do about it?
What is a cyber attack?
Cyber attacks are varied and come in a range of forms, however, some of the most common are:
- Ransomware – hacking into your systems and encrypting data then demanding a ransom in return for unlocking it
- Malware – applications that are (usually unwittingly) downloaded onto your system, which then sit and collect data such as passwords and login details
- Social engineering – can come in different forms, but basically involves emails that appear to be from a legitimate source, used to obtain people’s login details or personal information, or to gain fraudulent access to systems (e.g. an email designed to look like it comes from a government department asking you to follow a link, or an email purporting to be from a Director or manager in your organisation requesting a payment to a different bank account)
- Denial of Service – essentially shutting down your website or systems
- Threats against third party providers (such as cloud providers) to gain access to the systems and data of their customers
- Attacks against the Internet of Things (essentially our other devices connected to the internet, such as smartphones and watches)
Current State of Affairs
Earlier this year, the Australian Cyber Security Centre released its report detailing the cyber threat to Australia as well as emerging trends and threats. Six key points from the ACSC 2017 Threat Report are as follows:
- The frequency, scale, sophistication and severity of incidents are increasing
- Many incidents are preventable with relatively basic cyber security measures
- However, trusted third parties such as service providers are increasingly being targeted; some cyber criminals are very advanced, as evidenced by attacks that have resulted in IT security providers themselves being compromised
- The development of ‘ransomware as a service’ (where ransomware programmes and services can be purchased on the darknet) means criminals no longer need the technical ability to run a campaign; they can just buy it
- Credential‐harvesting malware (e.g. that steals your login details) is an increasing threat and includes software that intercepts text messages to bypass two‐factor authentication
- Use of social engineering is also on the increase through both broad and specifically targeted campaigns
Healthcare: What makes you a target?
The substantial amount of personal identifiers held, combined with the sensitive nature of the data:
- Personal identifiers (i.e. name, address, DoB, contact details) are a precious commodity due to their use in identity fraud. The targeting of personal identifiers can either be done by criminals hoping to use the info themselves or by criminals who on‐sell the information on the darknet
- The sensitive nature of the data increases the risk of extortion, due to the potential for reputational damage if data is damaged or stolen
What are the risks?
Costs such as:
- Regaining access to your systems,
- Paying for IT and forensic specialists to establish how the attack happened and what can be done to prevent a recurrence,
- Paying for specialists if there is a ransom or extortion negotiation,
- Restoring records,
- Notifying the breach to anyone potentially affected. Of course, effective 22 February 2018 any data breach is notifiable under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB scheme). This means any individual whose data may have been compromised needs to be individually notified. For a healthcare practice this is potentially an enormous task in both cost and time, given the number of records retained.
- Distress caused to your staff by the potential breach,
- Distress caused to patients by the potential for their medical information to be disseminated (including through threats of extortion),
- Distress caused to patients by the potential for identity theft,
- Loss of trust and damage to the reputation of your practice.
Fines and penalties related to privacy breaches.
Costs of upgrading hardware and software to prevent future attacks.
What can you do?
Two main strategies that work hand-in-hand:
- Make it hard for an attacker to be successful
Just as with home security, we can use different strategies, such as having deadlocks on the doors or key locks on the windows, which will deter burglars looking for an easy target. But we also know that if a highly skilled burglar wants to get in badly enough, they’ll find a way. It is just the same with cyber security. The WannaCry cyber attack that had such a huge impact on Europe in mid-2017 was a mass, untargeted attack that exploited a very simple weakness: people not updating their Windows software to the newest version. Anyone who hadn’t updated was hit, whilst anyone who had updated was unscathed.
These are the types of attacks that are easily preventable. The Australian Signals Directorate publishes the Essential Eight, a set of strategies it recommends everyone use to avoid these types of attacks. Some of the Essential Eight may require assistance from your IT specialists to implement (and understand!), but all are relatively easy and cost-effective.
- Use insurance to mitigate the impact of an attack if it happens
The average cost of a cyber crime attack to an Australian business in 2014 was $276,3235, so whilst preventing an attack is important, ensuring you have the funds to mitigate the effects of a successful attack is equally important. There are numerous providers of cyber insurance in Australia, and at this stage premiums are relatively inexpensive for the level of cover provided. Most insurers cover all of the financial and regulatory costs described above, as well as PR and crisis containment costs to minimise the impact of reputational damage.
The types, frequency and severity of cyber attacks against Australian businesses are increasing dramatically, but there are some simple and cost-effective strategies you can use to minimise your risk. Nonetheless, a successful attack can cause hundreds of dollars of financial damage, substantial distress to staff and patients, and long-term damage to the reputation of your practice. As a result, cyber insurance is becoming an essential tool for all businesses in mitigating the impact of a successful attack.
Are you implementing any cyber security strategies in your healthcare practice? Is it effective?