This article is part of a series of articles about Telstra Health’s Layered Approach to Cyber Security. You can access practical guidance on implementing a Layered Approach to Cyber Security at the People layer, the Process layer and the Technology layer.
An increasing number of cyber incidents against health organisations have cast a spotlight on the role cyber security plays in healthcare. Understanding the risks of delivering digitally enabled care and protecting health information has never been more crucial for healthcare organisations. In this article, we suggest that a layered approach is a practical way to increase your healthcare organisation’s cyber security maturity and defend against increasingly complex cyber threats.
Why cyber security should be a top priority for healthcare organisations
Australian healthcare organisations are increasingly being targeted by cyber criminals, with data breaches occurring because of human error, system failure and malicious attack. Statistics reported by various Australian cyber security organisations all convey the same message: healthcare organisations need to do more to defend against evolving cyber threats.1,2,3
Figure 1: Indications of the Australian healthcare industry as a lucrative target for cyber criminals
So why healthcare organisations? There is a high level of intrinsic and extrinsic value associated with healthcare data. Stolen healthcare data is typically worth more than records from other industries because of the high value associated with personal information. An attacker can use this data to access private health care benefits, steal and use credit card details, sell the data on the black market to other cyber criminals and/or use it to extort patients. Because the healthcare sector plays an important role in Australian society, some hostile actors may also try to cripple these critical services to create social havoc.
Healthcare organisations often have a low level of cybersecurity maturity, making them vulnerable to attacks. The use of legacy and/or unsupported systems with outdated security controls continues to prevail. A limited security culture and cyber awareness across healthcare organisations can lead to data breaches caused by human error. Also, accessing health information systems can be challenging for clinicians, as they must manage a variety of credentials, adding to the complexity of maintaining rigorous cybersecurity controls.
Cyber security is often perceived as an IT problem that warrants an IT response. In this series of articles, we turn this common misconception on its head, and explain why cyber security is an organisational concern which requires an organisational response.
What are the risks of complacency?
As new and disruptive technologies become more prevalent, the volume and complexity of cyber threats are expected to escalate. An increasing demand for information sharing and interconnectivity introduces additional attack types.
For example, the increasing interconnectedness between end user devices with Bring Your Own Device (BYOD) solutions and Medical Internet of Things (IoT) devices has contributed to endpoint complexity, which has introduced vulnerabilities that cyber criminals can exploit. Maintaining a ‘wait and see’ approach is no longer feasible in defending against evolving cyber threats.
The impacts of a cyber incident or data breach on a healthcare organisation can be crippling. This is illustrated below in Figure 2.
Figure 2: The impacts on a healthcare organisation can be detrimental and far reaching
Recognising a cyber threat when you see one
Cyber criminals are highly organised and can take advantage of a rapidly changing digital health landscape. Attack tactics can be layered, aiming to exploit vulnerabilities within healthcare organisations. The following tables outline the common sources of threats and types of attacks that impact the healthcare industry.1
Adopting a layered approach to cyber security in healthcare
Cyber criminals can use multi-layered and highly sophisticated attack tactics to target vulnerabilities in healthcare organisations. In response, healthcare organisations should apply multiple layers of defence by leveraging a well-equipped framework. This involves being proactive with cyber security and applying controls across the identification, prevention, detection, response and recovery dimensions of cyber threat management, at each of the People, Process and Technology layers.
In this series of articles, we will explain Telstra Health’s Layered Approach to Cyber Security in depth and provide you with practical advice on what you can do to uplift your cyber security maturity across the People, Process and Technology layers.
Figure 3: Telstra Health’s Layered Approach to Cyber Security is a holistic framework, encompassing People, Process and Technology
This blog article is informational in nature and is not intended to be a substitute for professional advice.
References
1. Office of the Australian Information Commissioner, 2021, ‘Notifiable data breaches statistics’, available from: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/.
2. Australian Cyber Security Centre, 2020, ‘Ransomware in Australia’, available from: https://www.cyber.gov.au/sites/default/files/2020-10/Ransomware%20in%20Australia%20%28October%202020%29.pdf.
3. Health Informatics Society of Australia, 2018, ‘Cybersecurity across the Australian Healthcare Sector’, available from: https://www.hisa.org.au/wp-content/uploads/2018/07/HISA-Healthcare-Cybersecurity-Report_June-2018.pdf.
4. Verizon, 2020, ‘Data Breach Investigations Report’, available from: https://enterprise.verizon.com/en-au/resources/reports/dbir/.
5. Australian Cyber Security Centre, 2020, ‘2020 Health Sector Snapshot’, available from: https://www.cyber.gov.au/acsc/view-all-content/reportsand-statistics/2020-health-sector-snapshot.