Cyber threats are real for two main reasons: legacy systems and the steep price, and perpetuity, of health data.
Health data, like diamonds, are forever, making them invaluable to cyber attackers.
Amid a “significant increase” in cyberattacks in healthcare, understanding motive is crucial, chief information security officer for Eastern Health Roshan Daluwakgoda told delegates at Victorian Healthcare Week’s digital health convention in Melbourne.
“There are two main reasons,” he said.
“One is that medical records are being sold at a very high price on the dark net.
“Medical records are generally being sold at an average of $250, whereas passport and credit card numbers are sold at $1-$5.”
The other motivator: outdated legacy systems.
“The software is outdated, and it’s very hard to maintain [data] in a contained manner [while] at the same time you have to provide clinicians with easy access,” said Mr Daluwakgoda.
Unlike a credit card or a passport number, health data are forever, added NT Health’s chief clinical information officer Dr John Lambert.
“Health data is biometric data,” he said.
“You can’t change your diagnostic profile, you can’t change which diseases you have once it’s on the internet.
“The fact that you have HIV is indelible. Once the insurance companies know, you’re uninsurable, it’s indelible.
“So, it’s a different class of risk. I think that’s underappreciated.”
Alfred Health’s chief medical information officer Sudeep Saraf said clinicians can often be their own worst enemy when it comes to cybersecurity.
“Clinicians come to work expecting [iPhone] level intuitiveness in how they interact with the IT systems, and we know that no system – it doesn’t matter which vendor – meets that level of intuitiveness,” he said.
“That’s just in the base EMR platform.
“Then you have a plethora of systems that sit around [the EMR], which need to interface with that EMR to make your life easy.
“Now, none of that is available to anyone.
“So, what do people do? They take shortcuts: sticky notes, WhatsApp, text messages. They put data in ChatGPT to write discharge summaries.”
While never malicious in intention – all in the name of efficiency – this puts patients at risk and may be breaking the law.
“The other big topic as we know in health is the burnout in all the staff groups,” said Mr Saraf.
“[Clinicians] want to do the task, they want to do it efficiently, and they want patients to benefit from it.
“They don’t realise that [their actions] are actually putting patients at risk, patients’ data at risk. It is breaching legislation. [Data] is leaving Australian shores when it’s not meant to leave by using some of these systems.
“[But] when we go to [doctors] and say, ‘don’t do it’, they say, ‘okay, so then what should we do?’ And we don’t have an answer.
“This is the dilemma we find ourselves in, where people do the right thing if you tell them to do it, as long as it’s not 50 clicks to get there.
“This will be the perpetual dilemma, I suspect, for at least the foreseeable future in this country.”
We must learn from large-scale health data incidents, added Mr Daluwakgoda.
“When you look at the impact perspective and speak to some of the clinicians who have gone through [cyberattacks], [some] took almost 46 weeks from the recovery perspective.”
Incidents of this nature must be used to uplift infrastructure, to embed mechanisms that detect breaches quickly, and to build processes that isolate individual data environments, he said.