Aussie Healthcare Scrambles to Catch Up

Assessing the cybersecurity outlook for Australian Healthcare.   Photo: Paul Carmona, Sydney.

Australian Healthcare providers are scrambling to defend against increasingly well-armed and financially-motivated opponents in the battle between good and evil going on across cyberspace. After years of staying out of the spotlight, healthcare is now being targeted by cyber gangs looking to get rich quickly, and foreign nation states seeking leverage over individuals.

Fifteen to twenty years behind other industries like banking and financial services, Australian Healthcare is suffering from a case of 'Too Little, Too Late' in its build-out and investment in robust cyber defences and is now beginning to pay the price.

Well publicised attacks against flagship hospitals such as Royal Melbourne and others have finally alerted the Australian general public and health system leaders alike, to the looming threats facing the healthcare sector. Its not just the big city hospitals either; ransomware and other cyber attacks have been reported right the way across the country and even in small GP practices in remote rural communities.

Theft of lucrative personal information and personal health information, especially as medical records go digital, is a rising threat, as is attack by ransomware and other forms of extortion.

Surveys suggest that presently most Australians are not that worried if their medical records go up for sale on the web, though most have not really considered the possible impact of identity theft. What is more concerning to Australians, is a denial of service attack such as ransomware, that could take critical systems off-line when needed to treat someone or to save a life. Most Aussies simply haven't given that much thought to the security of their medical records or a possible attack on their doctors office or local hospital. Very few people surveyed were even aware of the growing number of network connected medical devices and the threat they pose to patient safety.

These and other cybersecurity concerns have been the subject of discussions this week at executive workshops led by the author in a series of meetings with healthcare leaders stretching from Brisbane through Sydney and Melbourne to Perth. From State healthcare systems through to private providers and payers of health services, the message is pretty much the same. "We have failed to invest in information security in the way we probably should have over the past five to ten years", said one State CIO. "That includes technology infrastructure and the skilled resources to manage our security program."

While government Ministers stress the importance of making improvements to healthcare security, additional capital and operational budgets have not yet been made available to hospitals to make changes claimed the leaders of several hospitals in a workshop in one major city.

In a meeting with the leaders of one of Australia's largest private healthcare providers, the CIO acknowledged the critical need for improvements to be made to the organisation's security program, adding that security investments would probably have to wait till next year as he already had a heap of even more critical needs in front of it.

A stormy outlook has caused Australian Healthcare to play catch-up. Photo: Kieren Andrews, Melbourne.

The need for improved security to protect hospitals, doctors and patients from cyber attack is finally being recognised across the country, though it remains to be seen just how much of a priority it will be to secure patient health information, and prevent cyber attacks that compromise critical clinical information systems needed to treat patients. "It may take another one or two Royal Melbourne Hospital sized incidents before security gets the kind of funding and support that is really needed" suggested one healthcare senior leader who asked not to be named.