Hospitals are increasingly prone to cyberattacks.
Here’s how IRAP* can change that.
*Infosec Registered Assessor Program
As digital systems become more sophisticated, so does criminal cyber activity that can take advantage of it and wreak havoc. This is now a concern for every organisation and hospitals are no exception. However, when you consider how much is at stake with hospital systems and patient health, the implications are enormous. And unfortunately incidents are on the rise.
Around half the world’s hospitals experienced a cyberattack within the first half of 2021. In Australia, we experienced an 84% increase in attacks on the health care sector from 2019 to 2020. There were also over 85 data breaches in the first half of 2021.
Why hospitals? With the event of COVID-19 many hospitals adopted a more digital approach to record keeping, communications and information. New systems were rolled out rapidly to avoid infection transfer, cater for staff working from home and to offer virtual care services for many consultations.
Given the speed of these digital transitions, however, it’s understandable that some security measures may have gone untested; a predicament that hasn’t escaped savvy cyber criminals. Additionally, the critical nature of the industry means they can inflict more pain with an attack, making hospitals very vulnerable indeed.
Apart from financial loss, disruption to operations and damage to reputations, a cyberattack can do profound damage to:
- health procedures
- medical records
- patient health
- sensitive personal data of staff and patients
- third-party businesses (such as external specialists and allied health suppliers)
- communication systems
- integrated AI systems
- hospital equipment
- HIM departments.
And often, it’s not until some time later that the extent of the damage is discovered in terms of false health care claims, illegal purchases of drugs and equipment, and unrecoverable data sets.
Ransomware attacks are growing
During 2021, there were 137 reported ransomware attacks in the healthcare industry worldwide. Five of these happened in Australia.
One of these was on a ‘well-known Australian health corporation’** that provides surgical procedures, rehabilitation and mental health clinics, skin imaging and dermascopy, medical systems, cosmetic procedures, e-health informatics and data solutions.
The attack was conducted by Hive (also known as HiveLeaks), which is a double-extortion ransomware group that targets public sector organisations in healthcare and education. Effectively, Hive makes money from exfiltrating sensitive data and then locking up victim’s systems. For the particular health corporation in question, the outcome was loss of medical records, research, and personal data of 6717 people.
A similar scenario played out in 2017 when a ransomware attack called WannaCry affected more than 200,000 computers in at least 100 countries. The UK’s National Health System (NHS) was severely compromised as a result, with over 80 of 236 trusts across England either infected by the ransomware or being turned off for extended periods. A further 603 primary care and NHS organisations, plus 595 GP practices were also infected.
Conduct a Google search and you’ll see that the list of such events is long.
**Name withheld to protect reputation
Implementing an IRAP.
Arguably, the most effective step towards cyber security
IRAP stands for Infosec (or Information Security) Registered Assessor Program. Many people in the health sector have never heard of this acronym, but with cybercrime becoming more prevalent and its implications more problematic, there’s no doubt IRAP will become a well-known with hospital management, HIMs and digital departments very soon.
What it is
Whilst this program has been in existence for a few years, it is now more comprehensive and, to gain endorsement as an assessor, quite rigorous.
It ultimately ensures that “Endorsed IRAP assessors assist in securing your system and data by independently assessing your cyber security posture, identifying security risks and suggesting mitigation measures.
IRAP assessors can provide security assessments of SECRET and below for:
Some of the processes and infrastructure that IRAP assessors will look at include:
- Analysis of information security arrangements
- Review of the System Operator and infostructure policies
- Internal digital procedures and data governance
- Storage and security of personal and sensitive information
- Hardware and software in use
- Training protocols
- How personal information is destroyed or de-identified on request
- ICT access and security
- Email security
- Third party providers
- Data breaches and incident reporting
- Meeting hospital and government legislation
- Malicious macros
- Remote access protocols
- Information classification
- Password security and ISM standards of complexity
What are the considerations?
As you would expect, exacting and comprehensive assessments come at a cost. However, if you consider the damage a cyberattack can do (both financially and in patient welfare), the expense of an IRAP assessment fades in significance.
There’s also the cost to reputation.
The community naturally expects essential service providers to protect their personal data. They also expect hospitals to uphold confidentiality, safety, data integrity and system security – as do third party suppliers dealing with the hospital. From a management perspective, there’s little wonder so many executives now view cyber security as a core deliverable.
There’s little point in running an IRAP assessment unless your whole organisation is willing to take on the learnings and adapt their culture. For hospitals, this requires considerable training across the board to educate, motivate, and equip staff so that they know how to be vigilant with cyber security.
For leaders, it also means understanding behaviours that affect staff decision making (such as low attention spans when stressed, and poor self-control with social media) and adjusting training, frameworks and work environments to reduce cyber risk.
Cyber criminals know that many medical imaging devices still rely on technology that’s old. This means upgrading systems wherever possible. If it’s not possible to upgrade a system, managers will need to consider whether they can be patched regularly. And if that’s no longer possible, re-platforming a system or outsourcing a service may be necessary.
Risks through third-party suppliers
Patients aren’t the only ones that make use of GPs, allied health professionals and the likes. These suppliers can also act as a gateway for ransomware and cyberattacks if their own system security isn’t up to scratch.
An IRAP assessment will identify ways to block malicious content from these outside sources. We also recommend you talk to all suppliers about their security processes and ensure they meet a specified standard.
Legislation and reporting
In 2019, Medicare was subject to a data breach. Now, the Australian government requires greater cybersecurity assurances from hospitals and other critical service providers.
Health authorities must comply with the Commonwealth Privacy Act, relevant state legislation, and meet reporting requirements of the Critical Infrastructure Bill. This new legislation allows governments to respond to cyberattacks on health services. It also means that health leaders need to report any cyberattacks that affect their services.
Where to start
If you’re thinking that upgrading your cyber security is looking like a minefield, you’d be pleased to know that there are IRAP specialists that can take the reins so that you can get on with your job.
Data Agility’s Code Focus team has up to date IRAP assessment accreditation and can work with you to thoroughly assess the status quo, identify gaps, and put in place an action plan that takes into account:
- Current infrastructure capabilities
- Current protocols and policies
- Risk assessments and weaknesses
- Ongoing governance measures
- Meeting legislative and reporting requirements
- Cost efficiencies