Last month, in just one week, no fewer than three Australian healthcare organisations suffered data breaches, posing a potential threat of identity theft or extortion for affected Australians in the near future.
For the last two years, healthcare has constantly led—by a large margin—the ranking of industries reporting the most data breaches to the Office of the Australian Information Commissioner.

It would be easy to blame the industry for its lack of preparedness, but the reality is more complex than this. Healthcare organisations are among those hosting our most sensitive data, and as such, are a very appealing target. The details contained in our medical records are a boon for identity theft, and healthcare records are selling at higher prices than any other type of data on the dark web.
Modernising with security at the core
In order to improve operations, the pace of IT transformation within the healthcare industry has accelerated in recent years, mostly through sustained cloud adoption. Clinical and practice management software has migrated to the cloud, as have electronic health records, and new applications are regularly being deployed for efficiency among medical teams and departments. Facilitating the exchange of information among medical entities—and between medical entities and key stakeholders such as Medicare or digital ID services—also requires technical integrations mostly supported by cloud computing.
Cloud is incredibly useful in supporting the digital goals of healthcare organisations, but the ubiquity of the cloud is also creating new risks, with attackers targeting these environments to deliver their payloads, and compromise healthcare organisations. Netskope’s Threat Labs researchers revealed in their latest healthcare report that half of all malware downloaded by staff in the sector comes from the cloud applications they use at work.
The configuration of the workforce is also creating security challenges, and a single employer may need to anticipate potential security issues for dozens of different disciplines and scenarios. Clinical staff often work from multiple locations, or (perhaps through collaboration in research projects) may work with different teams, at labs or universities. Front-line workers are also constantly on the move, serving in the community. All will likely access and manipulate medical data or confidential research from a range of different locations, devices and over numerous networks, with inconsistent levels of security.
In this context, digital transformation is necessary, but has to be done with security at the core, as the growing complexity of organisational networks—as well as the continued evolution in work conditions, environments and behaviours—creates new risk factors and vulnerabilities that cyber criminals are well-trained to identify and exploit.
A modern workplace requires modern security, especially when you sit squarely in cyber criminals’ sights. Healthcare organisations struggling to identify and anticipate their own risks and vulnerabilities should turn to organisations able to audit the security of their tech infrastructure and deliver recommendations.
Based on my own experiences securing organisations in the sector, I believe these priorities are good places to start:
- Architect for full visibility over the network and its traffic, as well as detection capabilities to identify suspicious activity.
- Prioritise Data Loss Prevention (DLP) tools to insure against sensitive data leaking outside the organisation.
- Implement zero trust access, which restricts employees’ access to only the systems and data needed to do their work.
Critical support for critical infrastructure
Funding and budget priorities are regular blockers to improving defences. While there are segments of the Australian healthcare and medical industries that are thriving financially, looking across different segments of the market, we can identify disparities. Front-line organisations such as hospitals, clinics or practices (often primary targets) have seen revenues grow more slowly than expenses in recent years, and the situation could become more dire, exacerbated by the influence of inflation. And when they have cash available, healthcare organisations understandably tend to primarily invest in health outcomes or medical equipment, creating a discrepancy between the level of threat they are under and their security investments.
Government funding is a key pillar of the Australian healthcare system, and Australia has always dedicated a sustained proportion of its budget to the sector. But how much of this budget goes to cyber security is a decision that has been left to the industry. The government has been taking initiatives to foster collaboration and intelligence-sharing between industry stakeholders, but there is more that can be done to drive consistency and improvements.
If Australia wants to see fewer data breaches impacting the industry, the next Government might want to consider incentives for healthcare organisations to invest in security. The idea is not to spend more on healthcare, but to make sure that part of the existing budget goes to improving the sector’s security posture.
How to make healthcare more secure is a conversation that deserves much more than a single article. But the bottom line is that the amount of focus and resources from both the industry and government is often at odds with the level of threat and focus cyber criminals are giving it, and this needs to change if we don’t want more Australians to suffer the consequences.
