Cyber Security - The Healthcare sector

Proven precautions to help protect health organisations and patients from cyberattacks

By Richa Arora, Jason Smart, and Jamie Wiggins, PwC Australia - 12 April 2022

^{Share this article}

Cyber threats are on the rise in the healthcare sector. Staggeringly, approximately half of the world’s hospitals experienced an IT shutdown as a result of a cyberattack in the first half of 2021. The critical nature of healthcare services, combined with the shift to virtual care and relatively low levels of cyber controls in the sector, makes these organisations a prime target for cybercriminals.

Unlike credit card fraud, it is often years before medical identity theft is spotted by a patient or provider, giving criminals ample time to exploit such credentials. Large batches of data (containing names, birth dates, patient numbers, policy numbers, diagnosis codes, billing information, etc) provide the means for fraudsters to buy medical equipment or drugs for resale, or make up claims with insurers.

In this article, we explore the cyber threats to healthcare, as well as the considerable upsides of cyber resilience, before outlining practical precautions and solutions for health leaders.

Cyberattacks are increasing

There was an 84% rise in reported cyber incidents in Australia’s healthcare sector between 2019 and 2020, and 85 reported data breaches in the first half of 2021 alone. While the cost of cybersecurity inaction in any industry includes financial loss, operational disruption and reputational damage; a cyber breach in healthcare comes with added risk of harm to patients.

If there’s one thing that unites healthcare workers, it’s their unswerving dedication to patient care. But such commitment and effort can be severely hampered by a cyberattack. In some instances, hospitals have been forced to turn members of the public away. At other times, there have been even more tragic consequences. These are painful reminders of why cybersecurity is now a vital part of any health organisation’s duty of care to patients.

Australia’s healthcare sector is lagging

For health organisations, ransomware attacks are one of the biggest cyber threats, with 137 ransomware attacks in healthcare globally in 2021. Five of these attacks were in Australia. And in Victoria alone, seven major regional hospitals were simultaneously locked down by a ransomware attack in 2019. Cybercriminals are increasingly targeting the healthcare sector and, at the same time, they’re expanding their operations and increasing the sophistication of their tools, techniques and procedures (TTPs), generating more revenue, and so enabling further attacks.

PwC’s 2021 Global Digital Trust Insights Survey found almost 60% of respondents from the healthcare industry believe it’s very likely that a ransomware attack will target their organisation in the next 12 months.

As for who is responsible for securing and managing data, the public is in no doubt. A recent PwC Australia survey showed that the community expects essential service providers to protect personal data from cyberattacks, and that the majority (85%) want providers to be upfront when an attack affects their service.

The risk exposure of Australia’s health system means more needs to be done. During the initial outbreak of the COVID-19 pandemic, for instance, entire virtual health services were ushered in – under pressure and at great speed – and the cybersecurity of these services was often ad hoc, at best. In many cases, the security of these services was bolted on, rather than embedded at the design stage. No wonder, then, that cyberattacks on US healthcare firms shot up 150% from the start of the pandemic to late 2020.

And yet if COVID has taught us anything, it’s that we’re able to achieve more in the healthcare space than we ever thought possible, and at speeds we never dreamed of. What the sector needs, now, is to take this momentum – and some investment – into cybersecurity.

The upsides of reinforcing cybersecurity

When health leaders are faced with a strategic choice about spending on patient outcomes or spending on cybersecurity, the answer is: choose both. The two aren’t mutually exclusive and, in order to provide patient care, healthcare organisations need to guarantee patient confidentiality, safety, data integrity and system security. Which is why executives increasingly consider cybersecurity to be a core deliverable.

While there are risks and downsides to mismanaging cybersecurity, the reverse is also true. Getting your cybersecurity strategy right is a gamechanger and, given the health sector’s relative immaturity when it comes to cybersecurity, any improvements will see the sector benefit more than most.

Consider, for instance, the additional impact and reach that telehealth and virtual care systems could have in remote and rural areas of Australia. Imagine a scenario where clinicians fully trust the service delivery models, and so they unreservedly recommend those models to their patients. Access to services and support networks would improve in remote and rural Australia, as would patient health outcomes. Meanwhile, clinician workloads would be alleviated, freeing up valuable medical resources. All of this hinges on trust in the system which, in turn, is underpinned by cybersecurity.

Trust is the currency of the healthcare sector, and the upshot of getting your cybersecurity strategy right is a precious injection of trust.

The barriers to healthcare cyber resilience

Health organisations typically face a number of challenges when seeking to improve cybersecurity. These include cost, skills shortages, ageing infrastructure, multi-agency healthcare delivery, and new legislation and reporting requirements. Let’s look at each of these in turn.

1. Cost

Ask most health leaders what their biggest cybersecurity barrier is, and they will answer ‘cost’. And it’s true that a robust security setup can come with an equally robust price tag. But when you consider that the average cost of a ransomware attack (including downtime and network cost) is more than AUD$900,000 – not to mention the possible impact on patient welfare – then it’s clear the cost of inaction is infinitely greater.

The question, then, becomes: How much is enough? Because it’s impossible to guard against all cybersecurity attacks. Here, you’ll need a comprehensive understanding of your critical assets and your risk exposure, in order to be strategic about your cybersecurity spend. We discuss this further below.

2. Workforce

Cyber literacy is relatively low in healthcare. For instance, 89% of initial hospital compromises still occur through emails, and 57% of cyberattacks begin with trusted insiders. To achieve a cyber conscious workforce, healthcare organisations must sufficiently educate, equip, and motivate their people to be vigilant.

Every employee needs to understand why and how they should contribute to cybersecurity in their specific job. This is about more than one-size-fits-all training courses; many organisations require a comprehensive culture change.

Leaders need to understand the critical behaviours that drive people’s decision-making (e.g. low attention, cognitive bandwidth, self-control, etc). Then security frameworks, training, and work environments can be tailored with a better understanding of human behaviour, reducing the risk of decisions or behaviours that undermine cybersecurity.

3. Ageing infrastructure

Globally, 83% of medical imaging devices still rely on legacy technologies that are too old to update. What’s more, these vulnerabilities are known to cybercriminals, making the sector an attractive target for opportunistic attacks.

Health leaders should ensure systems are upgraded and updated wherever possible. Where that’s not possible, operating systems and software should be patched regularly. Where patching isn’t possible, consider re-platforming those systems. Can they be outsourced, if internal capabilities are not available? Do alternative operating models exist?

4. Multi-agency healthcare delivery

Many patient journeys involve interactions with multiple health institutions and providers. Along the way, each organisation could be a potential entry point for a hostile actor. From medical equipment manufacturers to insurance providers to government agencies, healthcare incorporates a vast network, and the more unsecured health data that is shared with third parties, the greater the risk.

There are steps you can take to engage reliable third parties and have visibility over your end-to-end supply chains. We recommend undertaking extensive know-your-supplier background checks and understanding their policies around reporting and data privacy. Once engaged, conduct your own periodic testing to ensure all third-party providers are upholding their service-level agreements.

5. Legislation and reporting requirements

Health leaders are well versed in matters of regulation and compliance. It’s part of daily life in healthcare institutions. So, it’s worth noting that Australia’s governments are now seeking greater cybersecurity assurances from critical infrastructure providers.

In the wake of incidents such as 2019’s Medicare data breach,¹ health authorities must now comply with the Commonwealth Privacy Act and relevant state legislation (e.g. the Health Records Act in Victoria, the Health Information Privacy Act in New South Wales). They must also meet reporting requirements of the critical infrastructure bill.²

The new legislation provides government with significant powers to respond to cyberattacks on health services and requires health leaders to (promptly) report to the government any cyberattacks that affect the supply of services.

With cybercriminals constantly evolving their strategies and tactics, it’s inevitable that regulation will keep evolving too. So, proactive health leaders are already thinking ahead, to anticipate and pre-empt future compliance requirements.

Cybersecurity 3-step action plan

In addition to the tactics we’ve discussed above, we recommend health leaders take three strategic steps to elevate cybersecurity and better protect their services, people, and patients.

1. Prepare a cyber roadmap

Step one is to align your organisation on guiding principles for example secure by design and create a cyber roadmap, also consider:

Do we have business continuity plans in place?
Do we have incident response plans in place?
Do we have backup and data-restoration plans in place?
And do we test these plans regularly?

Your answers to these questions will help you to prioritise your cybersecurity investments for short, medium and long term, and your guiding principles and roadmap will become your decision-making framework.

You don’t have to design that roadmap from scratch. Existing strategies to mitigate cybersecurity breaches can be instructive, such as the Australian Cyber Security Centre’s Essential Eight mitigation strategies.

2. Security by design

Pursuing digital transformation and virtual care enablement, and then bolting on cybersecurity later, is fraught with danger. Instead, follow the principles and processes of ‘security by design’. This ensures all software, products and capabilities have been designed to be secure, with security built-in from day one. The focus here is not just on products and processes, but on people too. Leaders need to embed a security-by-design culture throughout their organisations.

3. Create an ecosystem of expertise

There is a global shortage of cybersecurity talent so, even if payroll budgets were limitless, it would be impossible to rely solely on in-house capabilities. Instead, cybersecurity requires a joint effort involving internal and external specialists.

Health leaders should establish an ecosystem of expertise made up of strategic partners such as vendors and suppliers, as well as industry specialists. This ecosystem can also include internal technology staff who are constantly training and upskilling.

Cybersecurity: a long-term investment

Different organisations sit at different points on their roadmap of cyber maturity, and your cybersecurity development may take years. In the short term, you’ll need to undertake vulnerability scanning to work out what needs immediate protection, and what patching must happen, and when. In the longer term, there’s an opportunity to innovate and look for new operating models and new ways of thinking around cybersecurity.

Today’s investment of time and money will pay dividends tomorrow. Greater cyber resilience helps ensure your patients and clinicians trust your services, increases accessibility and adoption of your services, decreases the chances of disruptions and remediation costs, and – most importantly – helps achieve better patient outcomes.

_{1 https://www.theguardian.com/australia-news/2019/may/16/australians-medicare-details-illegally-sold-on-darknet-two-years-after-breach-exposed

2 https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6657}