Less than a quarter of aged care industry organisations are providing workers cyber security training and support, an aged care forum has heard.
The Aged Care Industry Information Technology Council has been funded by the Department of Health to undertake a three-month research project to evaluate the sector’s technology capabilities and readiness.
The Capabilities in Aged and Community Care Readiness an Evaluation of Innovation and Technology (CARE-IT) project, which was completed at the end of June, involved a survey of 421 aged and community care industry service providers and software vendors.
It found that just 22 per cent of the aged care industry provides cyber security training and support to its workforce, including on phishing, data sensitivity and malware, the ACIITC’s forum on cyber security and safety heard on Friday.
Just over half of survey participants indicated they have cyber security insurance (53 per cent) while 11 per cent have no cyber insurance and 28 per cent are unsure.
ACIITC chair of the CIO Forum committee Gavin Tomlins said the proportion of respondents with cyber security insurance was good to see.
However, “the council believes that there is some work to be done on this area,” he said.
“In this day and age, the council believes that cyber security insurance is important to cover all aspects of disaster situations in relation to technology, with ransomware and hacking falling into that category,” Mr Tomlins told the forum.
Mr Tomlins said it was “pleasing to see” that 44 per cent of respondents had governance structures in place to manage key information around technology risks and cyber threats at a board level.
Approximately one-third of those surveyed are regularly providing generic technology training and support.
Almost 85 per cent of respondents indicated they are using antivirus software for end-point protection while 79 per cent are using firewalls and 75 per cent have protection against spam emails.
Only half of respondents are using Virtual Private Networks, and 40 per cent are looking at undertaking encrypted data transmissions in the future, the survey found.
The findings highlight a digital divide across the sector, Mr Tomlins said.
“It is clear that there is education that needs to be done as a whole and this will lead to a wider recognition of the importance around data information as being critical digital assets that need to be secured and protected.”
Tips to avoid cyberattacks
Elsewhere the forum heard from cyber security experts about how to protect against cyberattacks.
Australian Cyber Security Centre first assistant director-general cyber security services Karl Hanmore said ransomware attacks were a key cyber risk for aged care providers.
“What we’ve seen change over the years [about ransomware] is when this sort of crime first came out, it impacted a single computer, it was almost at random. Today there are organised criminal groups who… are getting paid by the hour or by the contract, who will deliberately target organisations.
“They will break in through a weakness, like an unpatched server or a phishing email, where they can convince someone unfortunate to click on a link and they’ll break into the network,” Mr Hanmore told the forum.
For aged care providers to protect themselves, they need to ensure they have backups of their data, he said.
“Make sure your IT staff or your chief information officer can assure you that your backups are up to date, not connected to your network and able to be recovered. That means they need to test these things regularly. There is nothing more damaging to a business than not being able to get your data back,” Mr Hanmore said.
Mr Hanmore also recommends providers use multifactor authentication and regularly update all technology systems.
“When a new bug came out 15 years ago, people would say ‘okay we’ll fix that bug in a month’s time in our normal patching cycle.’ Today bad guys will turn that around in 48 hours and use that against the Australian networks,” he said. “Once they’re in it doesn’t matter if you’ve patched it, it’s like shutting the gate after the horse has bolted.”
Mr Hanmore also advises aged care providers not to pay ransom demands.
“I would colloquially say it’s almost like you don’t negotiate with terrorists. If you pay, you’ve got no guarantee that you get your data back and the other thing you’re showing them is that you’re willing to pay whenever they hold your data or your systems at risk,” he said.
NBN Australia chief security officer Darren Kane said paying a ransom raised legal issues, including money laundering and terrorism financing. Providers need to ask themselves the following question before paying a ransom, he said.
“Because you don’t know who you are giving the money to, are you breaking the law by paying the ransom?” Mr Kane said.
Security tips for working from home
The increased number of people now working from home has introduced different cyber risks, Mr Kane said.
“With this working from home environment that we’re all forced into, we’ve gone from a protected corporate facility environment where a lot of this stuff is known, to an unprotected residential or private environment where a lot of this understanding of personal security hygiene is totally unknown,” he said.
One simple way to improve protection at home is to avoid allowing family members to use work devices.
“They can accidentally erase or modify any of your pertinent information, or of course infect your device,” he said.
Other cyberattack prevention methods include having passwords for wireless networks, never reusing the same password and never leaving devices unattended in public, Mr Kane said.
The ACIITC National Forum cyber security and safety – Is your front door unlocked? took place on 28 August.