Cybersecurity – A Brave New World

As a tragic lover of all things Harry Potter, the following quote from the Chamber of Secrets sums cybersecurity up for me: “Fear of a name only increases fear of the thing itself.”

We tend to think of cybersecurity as not our problem, that it belongs to IT. But does it really? Cybersecurity needs to be lifted out of the realm of IT; it is everybody’s responsibility. Good cybersecurity knowledge is a key component in keeping an individual’s private information safe in the new digital age.

Today organisations generate and have access to much more information than in the past. When we are admitted to hospital, a mass of personal and potentially sensitive clinical, identity and financial information is collected. In addition, organisations themselves store masses of health and related information on their systems. It is little wonder that cybersecurity is a growing threat to the healthcare industry.

The Privacy Act 1988 regulates how organisations collect, maintain and use personal information. As the digital age rapidly evolves, clinicians face an even bigger balancing act between the clinical need to share and an individual’s right to privacy, willingness and consent to share. There are multiple regulatory and policy considerations that also influence the sharing of information, from mechanisms like opt-out controls to regulation beyond the Privacy Act requirements, such as those around the handling of children’s data, considerations arising from the Royal Commission into Institutional Responses to Child Sexual Abuse, and those in the Records Storage and Retention Act.

Data breaches take different forms. For example, in NSW there was a high-profile privacy breach with over 1,000 NSW Health medical records abandoned in a derelict building (2018)[1]; Victoria’s Auditor General used basic hacking tools to access sensitive patient data at Barwon Health, the Royal Children's Hospital, and the Royal Victorian Eye and Ear Hospital to demonstrate "the significant and present risk to the security of patient data and hospital services"[2].


In its latest quarterly Statistics Report (May 2019), the Office of the Australian Information Commissioner’s (OAIC) notifiable data breach scheme (DBS)[3] reported that the number of breaches for the healthcare sector[4] had steadily increased. For the first quarter of 2019, 26% of all notifications to the OAIC were from the healthcare sector. Human error (52%) and malicious or criminal attack (45%) were the two biggest sources of notification.

An interesting paper[5] from last year’s HIMAA conference described how the Tasmanian Health Service audits the digital medical record (DMR) access metadata, as well as the medical record itself, to determine whether the staff who accessed a record were directly involved in the care of that patient. NSW Health has developed a mandatory online education course, Cyber S.A.F.E. (Security Awareness for Everyone), for all staff.
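The metadata audit described in that paper can be illustrated as a simple detection rule: every access to a patient’s record is checked against the roster of staff assigned to that patient’s care episode at the time of the access, and anything outside that roster is raised for review. The following is an added example, not code from the article or from the HIMAA paper; the log format, the care-assignment roster and the `break-glass` reason prefix are constructed assumptions for the sake of illustration.

```python
"""Added example (not from the article or the HIMAA paper): audit digital
medical record (DMR) access metadata against care-team assignments.

Assumptions: access events and care assignments use the simple constructed
shapes below; real DMR audit exports will differ in field names and format.
"""
from datetime import datetime

# Constructed care-team roster: which staff were assigned to which patient,
# and over what period. Access outside these windows is treated as suspect.
CARE_ASSIGNMENTS = [
    {"patient": "P1001", "user": "dr.smith", "start": "2019-03-01T08:00", "end": "2019-03-05T18:00"},
    {"patient": "P1001", "user": "rn.jones", "start": "2019-03-01T08:00", "end": "2019-03-05T18:00"},
    {"patient": "P2002", "user": "dr.smith", "start": "2019-03-03T09:00", "end": "2019-03-04T17:00"},
]

# Constructed DMR access log: timestamp|user|patient|action|reason
# (the "break-glass:" reason prefix is an assumed convention for emergency access)
ACCESS_LOG = """\
2019-03-02T10:15|dr.smith|P1001|view|
2019-03-02T10:20|rn.jones|P1001|view|
2019-03-02T23:40|clerk.lee|P1001|view|
2019-03-03T11:00|dr.smith|P2002|view|
2019-03-06T09:30|rn.jones|P1001|view|
2019-03-03T12:05|dr.wong|P2002|view|break-glass: ED consult
"""


def parse_event(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, user, patient, action, reason = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action, "reason": reason}


def parse_access_log(text):
    """Parse all non-empty lines of the audit export."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_assigned(event, assignments):
    """True if the user was on the patient's care team at the time of access."""
    for a in assignments:
        if a["patient"] != event["patient"] or a["user"] != event["user"]:
            continue
        start = datetime.fromisoformat(a["start"])
        end = datetime.fromisoformat(a["end"])
        if start <= event["ts"] <= end:
            return True
    return False


def audit_access(events, assignments):
    """Return one finding per access by a user not assigned to the patient's
    care at that time. Break-glass accesses are reported under their own kind
    so the emergency justification is reviewed rather than silently trusted."""
    findings = []
    for ev in events:
        if is_assigned(ev, assignments):
            continue
        kind = ("break_glass_review" if ev["reason"].startswith("break-glass")
                else "unassigned_access")
        findings.append({
            "kind": kind,
            "user": ev["user"],
            "patient": ev["patient"],
            "ts": ev["ts"].isoformat(timespec="minutes"),
            "reason": ev["reason"],
        })
    return findings


def summarise_by_user(findings):
    """Count findings per user so reviewers can prioritise repeat patterns."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_access(parse_access_log(ACCESS_LOG), CARE_ASSIGNMENTS)
    for f in results:
        print(f"{f['ts']} {f['kind']:20} {f['user']:10} {f['patient']} {f['reason']}")
    print(summarise_by_user(results))
```

Run against the constructed sample, the rule flags the clerk who was never assigned to the patient, the nurse who opened a record the day after her assignment ended, and the break-glass access by an unassigned doctor, which is listed separately because an emergency justification is exactly the kind of access the paper suggests verifying against the record itself.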

The healthcare sector is starting to use tools and data analytics, and to be proactive in education, training and policy enforcement, as risk mitigations to reduce the incidence and severity of breaches. Risk management on a basis of continual improvement is becoming the norm. When it is done well, it provides organisational resilience, as those organisations understand their security risks and can make informed decisions.

Figure 1 - Forcepoint.com - Data breaches in health industry (2019)

So, where to from here? What’s needed is the holistic identification of an organisation’s cybersecurity risks, from compliance controls to required resource training, so they can be addressed in a strategic, sustainable and cost-effective way. Doll Martin Associates make use of unique and dynamic policy framework tools that address the complex intersections between cybersecurity, data protection, ICT and policy. We establish the pathways that draw together these areas of concern and identify strategies to improve cybersecurity management. We work with clients to develop a targeted, organisation-specific cybersecurity plan that incorporates key features of our approach, such as the use of innovative visual teaching tools designed to educate and assist clients working towards updating their cybersecurity governance.

If you want to contact Doll Martin Associates to talk about cybersecurity, or any of our other services, feel free to email us at contact@dollmartin.com.au.

[1] https://www.abc.net.au/triplej/programs/hack/privacy-breach-revealed-nsw-health/10062426

[2] https://www.abc.net.au/news/2019-05-30/victorian-hospitals-vulnerable-attack-auditor-general-hack-finds/11162352

[3] Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) commenced on 22 February 2018

[4] Australian Government, Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report, 1 January to 31 March 2019

[5] ‘Investigating breaches of confidentiality in the Tasmanian Health Service Digital Medical Record’ Mark Upton, 2018. [Presented: 2018 HIMAA Conference]