May 6, 2020
Strained health systems struggle to keep up with hackers
New research published by Intelligence and National Security has found that training programs and tighter regulations would strengthen the cybersecurity of Australian health systems.
The research was conducted by a multi-disciplinary UNSW team including Dr. Elena Sitnikova from UNSW Canberra Cyber, Professor Raina MacIntyre from the Kirby Institute, Masters research student Kim Offner and Dr. Keith Joiner from UNSW Canberra Capability Systems Centre.
The team compared the cybersecurity landscape of Australian health systems with their international counterparts and examined recent trends in healthcare breaches.
They demonstrated that the cyber technology used by nefarious actors has raced ahead, while health systems have struggled to keep up. Hospitals often run outdated, legacy operating systems that give hackers an easy way in.
"We now see almost all systems, such as radiology, pathology and patient records being digitised," Dr. Sitnikova said.
"The corresponding cybersecurity requirements have not evolved as fast. Sensitive data, such as HIV status or sexual history, has also been obtained by hackers and used against individuals."
Dr. Sitnikova said interconnected systems such as My Health Record can be life-saving tools as they provide immediate access to patient data when it's needed most.
However, they can also place lives at risk through attacks ranging from ransomware that cripples hospital functioning to targeted attacks on critical data records.
An increase in attacks against hospitals and public health data has been recorded when health workers are subject to extra stress and stretched resources.
"Digital health records can also be used for precision harm against individuals," Professor Raina MacIntyre said.
"It has been shown, for example, that CT scans can be hacked and altered so that evidence of cancer can be removed or added—imagine the harm that could cause if an individual were targeted in this way."
Professor MacIntyre said training health managers would be a step in the right direction for securing this data.
"There are currently no cybersecurity training programs stipulated by health management accrediting bodies in Australia such as RACMA or ACHSM, and those in the healthcare profession may be inadequately equipped to manage cybersecurity threats or breaches," she said.
Dr. Sitnikova said "cybersecurity is everybody's business—from health administrators in the reception area to surgeons in the operating theatre.
"A culture of cybersecurity maturity must be proactively developed within healthcare systems to help mitigate cyber threats."
She said the systems themselves also need to be strengthened to improve the protection of sensitive data against theft, loss or corruption.
Dr. Sitnikova points to the US Healthcare Insurance Portability and Accountability Act (HIPAA) as a good example of more stringent regulations.
The HIPAA mandates encryption, reporting of breaches, education and risk assessment.
"We need to follow best practices which already exist and customise them to our own needs in Australia," Dr. Sitnikova said. "Even with the HIPAA, the US still faces cyber-attacks on hospitals—so we are even more vulnerable."
"There is an expectation of the public that their medical records are safe."
"Towards understanding cybersecurity capability in Australian healthcare organisations: A systematic review of recent trends, threats and mitigation" was published in the Journal of Intelligence and National Security (FINT) Article ID: FINT 1752459, Taylor & Francis Production.