Cybersecurity challenges in the healthcare and community sector

Cybersecurity has become a pressing concern for industries across the board, with healthcare and community organisations among those facing increased vulnerabilities and attacks in recent times. 

The latest Cyber Threat Report from the Australian Signals Directorate (ASD) places healthcare and social assistance in the top five sectors for cybersecurity incidents, which are not just random attacks but deliberate attempts to extract sensitive information or disrupt essential services for various nefarious reasons.

The opportunity to exploit private data and gain financial rewards is an obvious motivation, and the broad attack surface – which includes third parties in the ICT supply chain – makes these organisations an attractive target for cyber criminals.

For organisations that do fall prey to an attack, paying hefty ransom amounts or attempting to recover data with help from experts doesn't always guarantee a positive outcome. In the past few years, we’ve seen many cases where both primary and backup data were completely unrecoverable and victims were left to pick up the pieces.

In response to these types of escalating cyberattacks in critical sectors, the Australian Government has intensified pressure on organisations to bolster their security measures. The Security of Critical Infrastructure Act (SOCI Act) has now been extended to encompass healthcare and other sectors, essentially imposing greater security obligations on asset owners and operators.

Some of the new obligations include:

• mandatory reporting of cyber incidents
• maintenance of a current Critical Infrastructure Risk Management Plan
• extended reporting requirements

Failure to comply carries the weight of substantial civil penalties, adding urgency to the need for adherence.

Barriers to strengthening cybersecurity

Despite the growing imperative to enhance cybersecurity resilience, healthcare and community organisations face significant challenges.

As technology continues to advance at a rapid pace, many still rely on legacy infrastructure. This presents a dual risk as new niche digital software and applications – which potentially contain vulnerabilities – are introduced on top of legacy systems that are already struggling to withstand the sophistication of modern cyber threats.

Securing the resources to achieve the necessary level of cybersecurity resilience is also a daunting task. Uncertainty about where to begin, coupled with reluctance to divert funds away from customer-facing initiatives, can result in fragmented efforts that end up causing more harm than good. As well as squandering resources, this lack of planning fails to address the full scope of cyber challenges that exist in today’s landscape.

For example, leaders in healthcare and community organisations can become entirely focussed on preventing external cyber criminals from penetrating their critical systems. Meanwhile, as highlighted in the ASD Cyber Threat Report, insider threats pose the same (if not more) of a threat to these organisations. These include threats due to human error, disgruntled employees, or vulnerable staff seeking financial or other gains.

Building cyber resilience

Commitment from senior leadership is vital to improving the cyber resilience of any organisation. Real and lasting change can only occur when executives are aligned and commit to uplifting organisational maturity and internal cyber culture.

Once there is alignment, a structured framework goes a long way towards breaking down the complexities of achieving robust cybersecurity outcomes. By categorising initiatives into People, Processes and Products (PPP), comprehensive current state assessments can be conducted to understand where gaps exist and need to be addressed.

These gaps and their associated risks can then be categorised based on severity or urgency, enabling organisations to allocate resources efficiently and quickly mitigate critical vulnerabilities.

Mitigation activities may include one or all of the following:

• Technological solutions.
• Process enhancements.
• Specialised expertise.

While multi-million dollar investments may not be feasible for all organisations, smaller-scale solutions and stop-gap measures can help to bridge the gap until more substantial investments are possible if they are needed.

Working with RSM to improve cyber resilience

As technology becomes increasingly intertwined with our daily lives, safeguarding sensitive personal information from the relentless efforts of cybercriminals is as important as any other measure you take to protect the health and wellbeing of patients or clients.

RSM’s Risk Advisory division has extensive experience working with healthcare and community organisations – from hospitals and GP clinics to allied health, non-profits, and local councils – to enhance their cyber resilience.

We are often engaged to:

• conduct comprehensive audit and state assessments
• perform gap analyses
• prioritise and implement controls
• evaluate and enhance supply chain controls
• develop recovery plans
• carry out live scenario testing

The vast depth and breadth of expertise across the RSM ecosystem enables us to tap into technical experts who can also assist with activities such as penetration testing or solution implementations, to ensure a seamless and fortified result.

Our aim is to guide your organisation through a best practice approach to achieving cyber resilience, and ultimately give you and your patients and clients the confidence that confidential data will remain that way.

FOR MORE INFORMATION

To learn more, or to review case studies of similar clients, please call our Risk Advisory team in Melbourne on (03) 9286 8225 or contact your local RSM office.