The aged care sector must beef up cyber defences, or else risk exposing sensitive client information and substantial fines, writes Garrett O’Hara.
As every aged care provider knows, the information they hold on clients is particularly sensitive. It’s imperative that aged care professionals have secure access to this information – their clients’ health depends on it – but no one wants their personal health information exposed to the public or worse, to cybercriminals.
It’s for these reasons that the Office of the Australian Information Commissioner’s first quarterly statistics report about notifications received under the Notifiable Data Breaches (NDB) scheme is a sobering read.
Between the scheme's commencement on 22 February 2018 and the end of March, the OAIC received 63 breach notifications.
Of concern to the aged care sector is that the largest share of eligible data breaches reported to the OAIC, 24 per cent, came from health service providers, a category that can include aged care organisations.
While most aged care providers will be aware of their obligations under the NDB, it’s worth recapping.
Under the scheme, all agencies and organisations covered by the Privacy Act must notify the OAIC and the affected individuals when personal information they hold is involved in a data breach that is likely to result in serious harm to any of those individuals.
There are stiff penalties for failing to meet obligations under the scheme, including fines, on top of the reputational damage that comes with having to notify the public of a breach.
According to the OAIC report, the most common personal information involved in breaches in the first quarter of this year was contact information followed by financial details then health information, which was involved in a third of reported breaches.
The source of half of the breaches reported was human error, such as sending an email containing personal information to the wrong recipient. This was closely followed by malicious or criminal attacks.
The report raises real questions for the aged care sector, such as why health service providers featured so prominently compared to other industries.
One of the reasons is that health and aged care providers rely heavily on legacy systems, such as old versions of Microsoft Windows. The WannaCry ransomware attack last year made the cost of this plain: the worm spread through a flaw in Windows SMBv1 file sharing for which Microsoft had released a patch (MS17-010) two months earlier, so the organisations hit were those running systems that had not applied the update, or that were too old to receive it.
Organisations in the health and aged care sector also face the challenge of coordinating care between multiple parties – internal and external – while protecting the personal health information of their clients. And because the sale of medical records is so lucrative, the sector is an attractive target for attackers.
This all adds up to a situation in which aged care providers must implement a cyber resilience strategy. The alternative is to risk exposing sensitive personal information and substantial fines.
Putting up a defence
A cyber resilience strategy means taking a holistic approach to cyber defences. At the centre of any such program lie several measures that organisations must undertake if they want to stop external attacks and internal threats from becoming data breaches.
The WannaCry attack showed how many health and aged care organisations were running software months behind on security updates, so any cyber resilience strategy must have a patching regime at its core: a known inventory of systems, a fixed window for applying updates, and a plan for isolating or replacing anything that can no longer be patched. Aged care providers should also look at application whitelisting, where only approved applications can run on an organisation's systems, so that ransomware and other unknown executables cannot run even if they reach a workstation.
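As an added example, not from the article and not Mimecast's own tooling, the following PowerShell gives a small Windows fleet a starting point for the two controls just mentioned: it checks a host for the unpatched SMBv1 exposure that WannaCry abused, and it builds an AppLocker whitelist in audit mode so that application whitelisting can be introduced without breaking clinical or care systems on day one. Assumptions, labelled in the code: the KB numbers are the MS17-010 updates as Microsoft published them and must be confirmed against the advisory for the builds you actually run; the `C:\Temp` output path and the trusted-directory list are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Assumptions: the KB table below is MS17-010 as
# published by Microsoft and must be confirmed against the advisory for your OS builds;
# C:\Temp and the trusted-directory list are hypothetical placeholders.

function Test-Ms17010Exposure {
    # Ordered so 'Server 2012 R2' matches before 'Server 2012'. Windows 10 received the
    # fix in its March 2017 cumulative update and is not covered by this table.
    $kbTable = @(
        @{ Pattern = '*Windows 7*';      Kbs = 'KB4012212', 'KB4012215' }
        @{ Pattern = '*Server 2008 R2*'; Kbs = 'KB4012212', 'KB4012215' }
        @{ Pattern = '*Windows 8.1*';    Kbs = 'KB4012213', 'KB4012216' }
        @{ Pattern = '*Server 2012 R2*'; Kbs = 'KB4012213', 'KB4012216' }
        @{ Pattern = '*Server 2012*';    Kbs = 'KB4012214', 'KB4012217' }
    )
    $os        = Get-CimInstance Win32_OperatingSystem
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # SMBv1 state: newer hosts expose it through the SMB cmdlets; Windows 7 / 2008 R2
    # only through the registry, where an absent SMB1 value means enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                 -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    $entry   = $kbTable | Where-Object { $os.Caption -like $_.Pattern } | Select-Object -First 1
    $patched = if ($entry) { [bool]($entry.Kbs | Where-Object { $installed -contains $_ }) } else { $null }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = $os.Caption
        Smb1Enabled    = $smb1
        Ms17010Patched = $patched        # $null = OS not in the table, check manually
        Exposed        = $smb1 -and ($patched -ne $true)
    }
}

function Disable-Smb1 {
    # Turn the protocol off; the registry value covers hosts without the SMB cmdlets.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0
    }
}

function New-AuditOnlyAppLockerPolicy {
    param(
        [string[]] $TrustedDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'),
        [string]   $OutFile     = 'C:\Temp\applocker-audit.xml'   # hypothetical path
    )
    # Publisher rules where binaries are signed, hash rules otherwise, generated from
    # what is installed in the trusted directories today.
    $files = foreach ($d in $TrustedDirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script
    }
    [xml]$doc = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                                    -User Everyone -Optimize -Xml
    # Audit first: log what *would* be blocked without blocking anything yet.
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    $doc.Save($OutFile)

    # Preview the policy against whatever users have already downloaded.
    $downloads = Get-ChildItem 'C:\Users\*\Downloads\*.exe' -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty FullName
    if ($downloads) {
        Test-AppLockerPolicy -XmlPolicy $OutFile -Path $downloads -User Everyone
    }

    # AppLocker only evaluates rules while the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $OutFile
}

function Get-AppLockerAuditHits {
    # Event 8003 = "would have been blocked" under AuditOnly. Review these for a few weeks
    # and extend the rules before changing EnforcementMode to "Enabled".
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Test-Ms17010Exposure | Format-List
```

Run the exposure check on every host before anything else; a host that reports `Exposed = True` and cannot take the update (an end-of-life OS tied to a care device, say) should at least have `Disable-Smb1` applied and be segmented from the rest of the network. For whitelisting, leave the policy in audit mode until the 8003 events have been reviewed and the rules extended, and favour publisher rules over hash rules, since every vendor update changes the hash and would otherwise block the updated program.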
As email is the entry point for many cyber-attacks, through phishing and malicious attachments and links, securing it is essential.
This means implementing an effective cloud email security strategy, one that filters malicious attachments and links before they reach a mailbox, as well as educating users about cybersecurity.
Aged care organisations should conduct regular cybersecurity awareness training that, among other things, teaches users not to open attachments or links in emails from senders they don't recognise, to treat any email asking for sensitive information such as credentials or client data as suspect, and to report such emails rather than simply delete them.
There’s no question aged care remains particularly vulnerable to data breaches. The OAIC report demonstrates this.
Without a strategy that protects both aged care organisations and their clients, data breaches will simply become more common.
Garrett O’Hara is a principal technical consultant for Mimecast, which provides security, archiving and continuity cloud services for business email.