David Sandell: building resilience in health cybersecurity



There’s a $6.4m grant on offer to help the healthcare sector fight cyberattacks. CI-ISAC is just one of the outfits bidding for that opportunity.


As Australia moves inexorably, if slowly, towards a more interoperable, digitally mature health system, one thing has become increasingly clear. 

Without better, stronger, more enforced cybersecurity standards across the country, it will all be at risk of never gaining the public trust necessary for patients to buy in to the sharing of their data across healthcare providers. 

Last weekend another data breach came to light, this time at Healthed, whose website proved vulnerable when GP contact details were accessed. Fortunately, that problem was quickly fixed. And while it’s never good when doctors’ details are public, at least their credit card details were secure. 

Medibank, St Vincent’s, Optus … it’s been a bad couple of years for big-end breaches. 

On 1 July the federal government announced it would be setting up the healthcare sector’s first information sharing and analysis centre (ISAC) with a $6.4 million grant. 

The grant application process closes next Thursday and HSD had a chance recently to catch up with a man who hopes his organisation is a frontrunner. 

David Sandell is co-founder and CEO of CI-ISAC, a not-for-profit which says it is “dedicated to building communities to leverage the network effects of risk-based intelligence sharing, while also building central capabilities to help resource-constrained entities and their service providers participate effectively”.  

When did you start CI-ISAC? 

We incorporated in December 2022, formally launched in February of last year, so we’ve been in operation now for roughly 18 months.  

We’ve just hit 100 members, which is pretty good.  

Who are your clients? 

We did a collective deal with the Local Government Association of Queensland to bring on 75 of the Queensland councils. There’s a couple of stragglers out there, but that’s quite a nice big collective deal.  

It’s very hard to do as a small NFP reliant on volunteers, but those kinds of deals help us to onboard at scale and that reduces the actual fees.  

We’re very passionate about inclusivity, making the services available and accessible to people. So that’s the real reason for it being a not-for-profit: no one’s making any money out of this.

Last month you announced a partnership with Cloudflare. How does that partnership help GPs, for example? 

We launched the Project Secure Health. That’s an initiative in partnership with Cloudflare, a very big international cloud security firm, to give free access to GP clinics in Australia.  

The idea is we’ve started with a smaller pilot group, because we need to understand, can they get value out of the services? We believe they can, because just understanding cyber-threats is a great first step.  

The Cloudflare side of the equation, which is the carrot that’s missing from a lot of these initiatives, is actual supporting capabilities, things that actually help stop the threats, not just, “here’s a threat, here’s the information about it”.  

But if you don’t have any way of dealing with that – resource or capability wise – you can’t protect yourself.  

So the Cloudflare services – free to GP clinics under 50 members – they get on board with us, then we pass them to Cloudflare. They get access to some protections against phishing, ransomware, secure browsing, that kind of thing.  

So, it’s a start, and it’s one of these things we’re trying to build up more through partnerships to start with.  

The federal government has announced a $6.4 million grant to set up a health ISAC. Are you trying for it? 

Yes, we’re going hammer and tongs to try and get hold of that.  

Because we’re an operational ISAC, we don’t have all the overheads of spinning this thing up. We’ve already got penetration across a number of the actual critical infrastructure sectors.  

It means we can invest more time and effort in those protective capabilities, the supporting resources, the information-sharing on cyber threats.  

With the fragmented health sector, there is not a lot of cyber maturity, and that is not a criticism at all. It’s the state of play.  

We leverage the more mature players. And that’s why the cross-sectoral approach is so powerful because by having financial services companies like the ones I’ve always worked in, they’re very mature, they know the stuff, they’ve got the teams, they spend millions of dollars on cybersecurity. The things they don’t even break a sweat over, they can feed into this ecosystem that can share information on what they’re seeing at scale.  

I mean, National Australia Bank has quoted the number of threats that they block on a monthly basis. It’s in the millions.  

Getting that kind of information into this ecosystem, having CI-ISAC as the central glue that makes sense of the information is a key part of it. 

We build the context that helps smaller and medium maturity entities prioritise. And then we also put the recommendations in.  

It might seem blindingly obvious, but if there’s a cyber-threat, and you’re not a cyber professional, or you don’t understand the nuances of that threat, you then need to take time to research and understand what can be done about it. 

But that’s all work that needs to be done. Part of what CI-ISAC does is we do that centrally. So we help articulate the nuances of the threat, what it relates to, if there’s a specific configuration or change you could make in your environment, just raise the bar to make yourself that much more secure.  

We put all of that into these threat and vulnerability advisories. They’re basically little intelligence reports that we send out when there’s a specific threat. And then that’s usable by the members. So, you get that in your inbox, you can quickly understand, is this something I should care about? If it is, how quickly do I need to do something?

That’s the contextual piece. Are there ransomware groups that are already exploiting this? Is there another company that’s seen this already, and it’s active in Australia? All these things help build that sense of urgency.  

Because if we just constantly respond to every single threat, we’re just running around like headless chickens.  

We try and empower the members of CI-ISAC with that information to be more effective. 
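The triage question Sandell describes, “is this something I should care about, and how quickly do I need to act?”, comes down to overlaying an advisory’s context (does it affect something we run, is it being exploited, has it been seen locally) on your own environment. The following is an added illustration of that logic, not CI-ISAC’s advisory format or scoring; the advisory IDs, product names, severity scale, score weights and deadline thresholds are all constructed for the example.

```python
"""Prioritise threat advisories against a clinic's asset inventory.

Added worked example; everything here (advisory IDs, product names,
weights, thresholds) is hypothetical and not taken from any real feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    title: str
    affected_products: frozenset   # product names the advisory applies to
    severity: str                  # "low" | "medium" | "high" | "critical"
    exploited_by_ransomware: bool  # context: known active exploitation
    seen_in_australia: bool        # context: observed by a local member
    mitigation: str                # the recommended configuration change


# Constructed severity scale; a real feed would carry its own scoring.
SEVERITY_BASE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def urgency_score(adv: Advisory) -> int:
    """Base severity plus context boosts that build the 'sense of urgency'."""
    score = SEVERITY_BASE[adv.severity]
    if adv.exploited_by_ransomware:
        score += 2  # active exploitation outweighs raw severity
    if adv.seen_in_australia:
        score += 1  # local sightings raise the odds it reaches us
    return score


def triage(adv: Advisory, inventory: set) -> dict:
    """Decide what a member should do with one advisory.

    Relevance is the gate: an advisory for products we do not run scores 0
    and is marked not applicable, however severe it is elsewhere.
    """
    matched = sorted(adv.affected_products & inventory)
    if not matched:
        return {"advisory_id": adv.advisory_id, "decision": "not applicable",
                "score": 0, "matched": [], "mitigation": None}
    score = urgency_score(adv)
    if score >= 6:
        decision = "act within 24 hours"
    elif score >= 4:
        decision = "act within 7 days"
    else:
        decision = "next maintenance window"
    return {"advisory_id": adv.advisory_id, "decision": decision,
            "score": score, "matched": matched, "mitigation": adv.mitigation}


def triage_inbox(advisories, inventory: set) -> list:
    """Rank a batch of advisories most-urgent first."""
    results = [triage(a, inventory) for a in advisories]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample data: a small clinic's inventory and three advisories.
CLINIC_INVENTORY = {"AcmeClinicPortal", "ExampleMailGateway", "ExampleOfficeSuite"}

SAMPLE_ADVISORIES = [
    Advisory("ADV-EX-001", "Remote code execution in AcmeClinicPortal",
             frozenset({"AcmeClinicPortal"}), "critical",
             exploited_by_ransomware=True, seen_in_australia=True,
             mitigation="Apply vendor patch; restrict admin login to the office network"),
    Advisory("ADV-EX-002", "Spoofing weakness in ExampleMailGateway",
             frozenset({"ExampleMailGateway"}), "medium",
             exploited_by_ransomware=False, seen_in_australia=True,
             mitigation="Enable strict sender authentication checks"),
    Advisory("ADV-EX-003", "Default credentials in ExampleRadiologyPACS",
             frozenset({"ExampleRadiologyPACS"}), "high",
             exploited_by_ransomware=True, seen_in_australia=False,
             mitigation="Change default passwords; segment imaging network"),
]


if __name__ == "__main__":
    for row in triage_inbox(SAMPLE_ADVISORIES, CLINIC_INVENTORY):
        print(f"{row['advisory_id']}: {row['decision']} (score {row['score']})")
        if row["mitigation"]:
            print(f"   matched {row['matched']}: {row['mitigation']}")
```

The relevance gate is the part that does the most work for a resource-constrained clinic: the PACS advisory is severe and actively exploited, but it drops to the bottom because the clinic does not run that product, which is exactly the “stop running around like headless chickens” effect the interview describes.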

What about the healthcare sector is unique in terms of the threats that are out there and what needs to be done to get everybody ready? 

There’s a unique piece, and there’s a common piece.  

The unique – there are a lot of complex sectors, there’s a lot of fragmentation, there’s a lot of complexity.  

You’ve got medical devices, and you’ve got a lot of racks and kits sitting in doctors’ surgeries. There’s just a lot of complexity.

There’s a massive spectrum in terms of the maturity scale and even technology maturity. It’s a model of complexity, which is the case in a lot of sectors, at the end of the day.  

The opportunity is that the cyber-threats are not unique to healthcare. 

There are specific threats to healthcare technology, but the threats that make the headlines across the different sectors – there’s a lot of commonality. 

Sixty to 70% of the threats are common across various sectors.  

So if you use the whole Pareto 80/20 rule, even just protecting and raising awareness against the 80% of the threats, and then for those that are able, helping them focus on that smaller 20% – that’s a much better position to be in because of that commonality, even though there is all this complexity in the background.  

This is why we’re so big on the cross-sectoral, collective defence, working together with less mature players who can learn and leverage those with the knowledge and experience from across the various sectors.  

The previous approach that the American ISACs have taken is single sector – very siloed in its approach. And the ISACs don’t really talk and share with each other. They might share a couple of technical indicators, but they’re all doing their own thing.  

And when you look at an economy like Australia, which is nowhere near as big as the US, it’s not an effective way to do it. 

How does the health sector compare in terms of maturity with, say, the banking sector? 

There aren’t really many sectors that are equivalent to the banks, and even then, within the banks there are different tiers of organisations.  

A tier one versus a tier two has a very different level of maturity.  

The top healthcare providers have excellent maturity – your big health funds, entities that run private hospitals – they have great capabilities, with really good people. They have the budgets. They have the technologies and tools. 

But as soon as you go two streets back from the High Street it’s a real struggle, because you just don’t have those IT budgets. 

It’s a very expensive capability, cybersecurity, and tools and products are expensive; the threat intelligence that helps you understand where and what is important, and understanding those threats and how you need to deal with them – the people are expensive, the technology is expensive, the feeds are expensive.  

So it’s just not an accessible capability, which is why we started. It has this massive potential to empower organisations and people to be more effective, because that knowledge is information – is power, basically. 

If we understand your environment, we can clearly articulate what a specific threat is, so that you can overlay that with your environment, then you’re empowered to do something about it.  

If you just have to figure it out yourself, you’re going to put your head in the sand and not do anything about it. 

It’s not an easy challenge. 

What keeps you awake at night? 

Trying to get this done with no funding is the honest answer.  

We’ve had no outside funding. As I said, we have day jobs. We’re very reliant on volunteers and we’ve delivered an operational service from 6 February last year.  

Unlike a lot of other NFPs and cyber type startups, where you’re kind of running in stealth mode, we’ve been delivering threat advisories for 18 months now, building technical capabilities, acquiring new members, maturing operational processes.  

It’s really the amount of stuff that needs doing that keeps me awake at night.  

It sounds like a $6.4 million grant would be welcome. 

It does present a great opportunity.  

I’m very excited to try and leverage what we’ve already built to support the health sector.  

I mean, don’t get me wrong, we’re doing this regardless, but it would be a massive pity if we didn’t come out in the front because we’re the only sovereign Australian ISAC.  

Globally, we’re the only cross-sectoral ISAC and we have a number of unique features. And that’s because we took a long time to talk to our peers and industry and design how this entity needed to be in the not-for-profit sector.  

It’s a public company limited by guarantee, so every member owns an equal portion of the company. All the membership fees are reinvested to benefit the members.  

The beautiful upside is all the other sectors will benefit without any additional work. So, if we build up this deep specialisation in healthcare, all those capabilities and products and services, they benefit the other sectors. But conversely, the information coming in from the other sectors also benefits healthcare, so it’s quite a nice symbiotic relationship really. 

The big breaches we’ve seen in the last couple of years – what do they tell us? 

One of the objectives of the grant is to make these organisations more resilient. So yes, there are specific things that could have been prevented. But the whole premise behind security is it’s defence in depth.

You should have multiple layers of security. If something fails at the front door, there should be three or four checkpoints before you can actually damage things.  

Also, if there is the impact, how resilient are your systems? How quickly can you recover? Can your business continue? 

This is all the kind of stuff that we want to be wrapping more supporting resources around. 

This is where we can make more resources available, both human, technical and the supporting down the line as we grow, to help these entities.  

Because at the end of the day, while we’re trying to potentially make a real impact, it’s really hard to do as a single entity, which is why we’re trying to federate out and crowdsource the whole knowledge side of things and support. People are all contributing into the ecosystem. 

It’ll be a long, slow, hard challenge to try and solve, but we’re giving it a go. And we know we’ve got the right structure to enable this.  

We would still do a pilot with members from across the various pieces of health because while we know how an ISAC works, there’s going to be nuances that come out from working with additional health players.  

So, we’ll go through a pilot phase to identify any gaps or uplifts, co-design with the health industry, and then you move into building that operating model for the health ISAC.

We never profess to know everything but it’s very consultative. It’s leveraging people that know various aspects of security of health and it’s really just bringing it all together. That non-competitive, cooperative nature of what we do is a real enabler.  

We are literally the glue between the partners, the members, the volunteers, government, all the current industry groups.  

Good luck with the grant process! 
