The belated announcement this week that the hack on St Vincent’s Health Australia (SVHA) first reported in mid-December had not involved the release of personal health information from medical records or information from identification documents was a welcome relief.
Coming in the same week that the federal government had for the first time used Magnitsky-style sanction powers on the alleged hacker of Medibank’s systems in 2022, it put a spotlight on cyber security in the healthcare sector once again.
It also brought to the fore two things: the singling out of healthcare for a pilot for new Information Sharing and Analysis Centres (ISACs) in low maturity sectors in the federal government’s cyber security strategy released in late November; and St Vincent’s own precarious situation when it comes to not just cyber but financial security as well.
The hack on SVHA’s network came just as more news began to emerge about the organisation’s long-rumoured precarious financial situation, particularly centred around St Vincent’s Hospital in Sydney, which has raised doubts about the organisation’s plans for new electronic medical records (EMR) for its hospitals.
SVHA has set up an EMR team and we understand that plans were afoot for different instances of a well-known clinical EMR to be implemented at the Sydney and Melbourne public hospitals, with the private hospitals to receive a less expensive EMR that another big private hospital provider is shortly to announce it will roll out. However, the cost of this sort of IT investment, allied to the brand damage from the hack – however limited – could see these plans put on the backburner for the time being.
Coming as they do alongside more news about the Medibank saga, and the much less severe but nonetheless ongoing drama at Crace Medical Practice – about which, as of yesterday, there is still no news – these events remind us that healthcare was singled out in the national cyber security strategy for a very good reason.
It is understood that almost $10 million has been allocated to running a pilot of an Information Sharing and Analysis Centre (ISAC) in the health sector, funded through a Threat Sharing Acceleration Fund to enable the sharing of actionable threat intelligence and cyber best-practice.
Some of the plan is detailed in the 2023-2030 Australian Cyber Security Strategy. “The Threat Sharing Acceleration Fund will start with an initial pilot for the health sector,” the plan says.
“Australians are rightly concerned about the cyber security of our health system – our hospitals and general practitioners hold some of the most sensitive data about Australians and their families. However, the health sector also has one of the lowest cyber maturities across industry.”
The plan is to set up sector-specific ISACs in Australia, build industry capabilities for intelligence collection and dissemination compatible with the Australian Signals Directorate’s existing Cyber Threat Information Sharing platform, and run knowledge-sharing programs to exchange best practice between industry members.
It’s a start at least. However, while big hospitals, health systems and certain other health data storage systems are of the most concern as targets of attack and have long had very mature cyber security provisions, it’s the community healthcare providers who are most in danger. Cyber awareness programs and health checks are all well and good, but it might be time for some serious, centralised investment for primary care.
That brings us to our poll question this week:
Is the federal government’s Health ISAC trial to share intelligence a good idea?
Vote here and leave your comments below.
Last week, we asked: Are the action plan milestones achievable? Two thirds said no.
We also asked: if yes, are there any extra initiatives you’d add in? If not, why not?
Penalties for hackers should be increased. Every attempted fraud to steal data is the same as an attempt to “break and enter”. Hence, anyone caught hacking would likely have committed enough break and enter attempts to serve a life sentence. The world should be putting these people behind bars with no chance of ever coming out. The impact that they have on people’s lives and on the costs to our society would easily justify these types of (not) harsh penalties.
The fact that this process has occurred largely without industry buy-in from the start is an issue. The attacks to date have brought cyber security matters to the fore, but driving the investment in small to medium businesses is an issue at a time when the government has entirely lost control of the economy.