News

Health sector remains biggest reporter of data breaches


Anastasia Tsirtsakis


21/08/2020 3:40:28 PM

A new RACGP resource is designed to help GPs and practice staff prepare for and respond to a cybersecurity incident.

Despite the rising number of cybersecurity incidents, only a third of Australian healthcare organisations have embedded awareness and training into their policies and procedures.

It was only in May that the Federal Government warned of cyber attackers taking advantage of the coronavirus pandemic to try to hack the computer systems of hospitals, medical services and crisis-response organisations.
 
As the health sector becomes increasingly digitised, cybersecurity incidents are becoming more common, ranging from attempts to steal data or intellectual property to attacks that stop computers or networks from operating.
 
Such an incident in general practice can have a ‘tremendous’ impact, according to Dr Steven Kaye, Deputy Chair of the RACGP Expert Committee – Practice Technology and Management (REC–PTM).
 
‘If there’s an intrusion that disrupts their computer systems of whatever sort – it can be electrical, it can be intentional hijacking – there’s an enormous disruption to the practice,’ he told newsGP.
 
‘[To the] continuity of the business process, but also of the care of the patients with potential loss of private data that relate to the patients and the practice as a whole, both financial and clinical.’
 
In general practice, cybersecurity incidents commonly occur in the form of phishing, malicious software, ransomware, or website defacement.

Between July and December 2019, Australia’s health sector accounted for 22% of all data breaches, making it the highest reporting sector in the country. Yet only a third of Australian healthcare organisations embed cybersecurity awareness and training into their policies and procedures.
 
Dr Kaye recommends that every practice ‘should have a plan’.
 
‘As a pre-attack process [it is important to] have regular tested backups, which have been restored into the system or into another system at various times,’ he said.
 
‘Usually a backup system should be taken off site in order to protect the practice as best as possible – often twice daily works very well to protect.’
 
But for it to be effective, Dr Kaye stresses that all software needs to be properly updated.
 
‘You can’t leave out-of-date software functioning in the system, and out-of-date hardware as well,’ he said.
 
‘A lot of practices still have Windows XP running, for instance … which is open and vulnerable to attack.’
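The ‘regular tested backups’ Dr Kaye describes above are backups that are actually restored and checked, not just copied somewhere. The following script is an added illustration of that routine and is not part of the RACGP resource or the article; the directory names, the sample records and the twice-daily schedule comment are all constructed stand-ins. It archives a data directory, records the archive’s SHA-256 checksum, restores the archive into a separate scratch location (Dr Kaye’s ‘another system’) and compares the restored tree against the original byte for byte.

```shell
#!/bin/sh
# Added example, not from the RACGP article: a minimal "tested backup" routine.
# 1. archive the data directory   2. record its checksum
# 3. restore into a scratch area  4. diff the restore against the original
# Every path here is a constructed temporary directory, not a real practice system.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/practice_data"      # stand-in for the practice database directory
BACKUPS="$WORK/offsite"        # stand-in for the off-site backup location
RESTORE="$WORK/restore_test"   # scratch area used only to test restores

# Constructed sample data standing in for practice records.
seed_sample_data() {
    mkdir -p "$SRC/records"
    printf 'patient,visit\n0001,2020-08-21\n' > "$SRC/records/visits.csv"
    printf 'setting=1\n' > "$SRC/settings.ini"
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Create a timestamped archive and write its checksum alongside it.
# A real practice would run this on a schedule (e.g. twice daily, as suggested
# above) and copy the archive and .sha256 file off site.
make_backup() {
    mkdir -p "$BACKUPS"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$BACKUPS/practice-$stamp.tar.gz"
    tar -C "$(dirname "$SRC")" -czf "$archive" "$(basename "$SRC")"
    checksum "$archive" > "$archive.sha256"
    echo "$archive"
}

# The "tested" part: confirm the archive is intact, restore it somewhere
# separate, and compare the restored tree with the live data.
# Returns 0 only if the restored copy matches the original exactly.
verify_backup() {
    archive="$1"
    expected=$(cat "$archive.sha256")
    actual=$(checksum "$archive")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    rm -rf "$RESTORE"
    mkdir -p "$RESTORE"
    tar -C "$RESTORE" -xzf "$archive"
    diff -r "$SRC" "$RESTORE/$(basename "$SRC")" >/dev/null
}

# Stand-alone run: seed data, back it up, prove the backup restores cleanly.
seed_sample_data
ARCHIVE=$(make_backup)
if verify_backup "$ARCHIVE"; then
    echo "backup verified: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE" >&2
fi
```

The point of restoring into a separate directory rather than over the live data is that a restore test never puts the production records at risk; a practice that only ever copies files off site has no evidence the copy can be brought back until the day it is needed.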
 
With the expansion of telehealth and more recently electronic prescribing in Melbourne, computer systems have become more important than ever for general practice.
 
Dr Kaye says that in addition to having secure hardware, it is essential to know about any add-on software packages that run alongside a practice’s database.
 
‘They are often extracting data [and] sometimes we don’t know that,’ he said.
 
‘The HealthEngine debacle that’s just occurred is an example of a software package which has been given permission to access the database and then has been used inappropriately without the practice’s permission. That can happen quite frequently.
 
‘So it doesn’t need to be a malicious cyberattack. Sometimes it can be applied in the best of spirits, but used inappropriately.’
 
Such an oversight, he says, can cause ‘monumental’ damage to a practice’s reputation.
 
Dr Kaye believes it is critical that every staff member understand their responsibility, as well as potential weak points.
 
‘At every point they need to be fully aware and understand what they’re doing,’ he said.
 
‘Often it’s opening emails and clicking on links that will be the main weakness, [but] bringing in USB memory sticks or portable hard drives can also be a weakness.
 
‘Practice owners and managers need to think at a higher level about how to protect the whole system – so educating the staff members, but also putting those security systems in place to stop access as best as possible.’
 
When a cybersecurity incident is suspected, Dr Kaye recommends acting quickly to put the practice’s plan into action.
 
‘The first thing is to analyse what is thought to be happening to get the IT experts involved quickly – sooner rather than later – to disconnect the system from the internet potentially if that’s seen as a protection mechanism,’ he said.
 
The RACGP has released a new fact sheet, Responding to a cybersecurity incident, that gives GPs and practice staff step-by-step guidance on responding in the aftermath of a cyberattack. It also offers guidance on how to prepare for and prevent an incident.
 
‘Security of the practice and security of the data needs to be a very high priority,’ Dr Kaye said.
 
‘Because of the level of disruption that it causes, it is a very serious issue that needs serious protection and, at the end of the day, serious money spent on proper IT support and cyber protection.’
 