As with your health, when it comes to cyber-security, prevention is always better than cure.
When it comes to cyber-attacks, no sector is safe â not even one as vital as medicine.
In fact, the health sector in Australia reports the second-highest number of cyber-security incidents both overall and for ransomware-related cyber-security incidents.
The sector has faced enormous pressures in responding to the pandemic, and malicious cyber actors have capitalised on this vulnerability. As a result, medical staff have been locked out of patient records, surgeries have been delayed, and patients seeking emergency care have been diverted to other facilities.
This threat only grew as covid vaccines were developed and the Australian health sector started to rely on entities involved in the vaccine supply chain. But despite the serious risks, cyber-security is often pushed to the bottom of the to-do list, always competing with the demands of running a health organisation in a pandemic.
Medical practices hold a huge amount of sensitive personal and medical information about the people under their care and priority needs to be given to the safety and security of that information. So, whatâs the solution?
Train, train, train
Thoroughly train your staff on the various forms of cyber-attacks to help them understand the best techniques for protecting your practice. Organisations have traditionally used either enforcement or encouragement to get staff to take cyber-security more seriously. The most effective option, however, is a combination of the two.
Enforcement in areas such as training and awareness campaigns should be made mandatory, followed up with encouragement and guidance that helps team members feel supported. The goal is to deeply embed cyber-security awareness into the heart of your organisation, stopping attackers before they get a chance to wreak havoc.
Staff should be aware of the different types of cyber-attacks, and how they can happen. Some of the most common forms of attack include malware, phishing, ransomware, trojan, keystroke logging, insider threats, drive-by download, spear phishing and person-in-the-middle attacks.
Secure your security devices
The leap in technological capability has made physical security easier than ever before. Surveillance systems are now connected to the internet, making footage easily accessible and storable. Access-control systems now monitor and keep a log of who enters and exits a building digitally.
All security devices that are interconnected via the internet need to be secured properly; otherwise, hackers can gain complete control over all of them, even if only a single device is hacked into.
Devices such as sensors or cameras need to be secured and segmented appropriately to prevent hackers from turning off surveillance such as cameras, enabling unauthorised access to critical rooms that store servers or databases.
Put the right processes in place
If there are no processes in place for cyber-security, itâs almost impossible to prevent an imminent attack. Passwords should be rotated at least every 60 days, although 30 days is even better. To make them harder to guess, passwords should be at least eight to 10 characters long, and include at least one number, one capital letter and one special character, such as one of the following: â!@#$)â.
Multi-factor authentication (MFA) adds an extra layer of security by using two or more pieces of evidence to log in to a single location. Some common examples of MFA include an SMS message, phone call or authenticator app to verify a browser login.
What to do if your practice experiences a data breach
Even if your practice and its employees implement all the best processes when it comes to cyber-security, there is a chance that you can still suffer a data breach. Below are five steps that you can follow to minimise the damage a breach can have on your practice:
- Notify your information security team
As part of your data breach response plan, your first step should be to alert whomever is responsible for handling your information security, whether that be an individual, team or external organisation. Alerting them as soon as possible gives them the best chance of stopping the breach, complying with the law and ensuring business continuity.
- Isolate the affected machine, server or system
Secondly, you should try to disconnect or isolate the machine, server or system affected by the cyber-attack to prevent the breach from spreading. Many cyber criminals try to compromise a single system or network in the hopes of gaining access to the larger network they are connected to. By identifying an attack early and isolating the affected entity, your practice can minimise the impact of the attack.
- Investigate the breach and correct any flaws
Investigating what sensitive data has been lost or compromised, how it happened, and if you can do anything to prevent further damage are crucial steps when youâve had a breach.
To carry out the investigation, you could seek the help of a cyber-security expert on staff, or you may want to hire external help as data breaches are often complicated and technical.
- Notify key stakeholders, as required by law
State laws will require you to notify your customers, vendors and other affected parties about the breach. In Australia, under the Notifiable Data Breaches (NDB) scheme, any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC (Office of the Australian Information Commissioner) when a data breach is likely to result in serious harm to an individual whose personal information is involved. Finally, announce the data breach on your website so people know that it’s happened, and you’re aware of it and are taking steps to fix it. Include your company’s contact information so people can reach out with any questions.
- Conduct a postmortem
Once your practice has successfully stopped the breach, patched the vulnerabilities that caused it and addressed the impacts of the attacks including the individuals who were affected, it is time to evaluate your response. This evaluation is crucial as itâs important to understand if your data breach response plan was effective and analyse how it can be improved for the next time.
Cyber-security starts at the top
Leadership teams need to be aware of how a data breach can affect them and their practice. Not taking these responsibilities seriously can have severe legal, reputational and financial implications.
Leadership should take part in cyber-security awareness courses and training so that they have a deep understanding of the true nature of the threat and can take the right preventive steps.
As with your health, when it comes to cyber-security, prevention is always better than cure. By planning ahead and implementing regular updates, medical practices can secure their facilities now and into the future.
Ajay Unni has more than 30 years of IT industry experience, with over 15 years as a cyber-security specialist. He is the founder of StickmanCyber and a board member of CREST ANZ, and was appointed to the 2020 NSW Governmentâs Cyber Security Task Force