
Over the last few years, Australian hospitals and healthcare providers have been battered by cyber attacks.

In 2021, a Victorian hospital network suffered a huge ransomware attack which left it unable to access patient files for over 2 weeks and delayed many surgeries. The same year, a Queensland hospital network was hit by a ransomware attack which forced them to turn to paper-based operations for over a month, significantly impacting workflows and the delivery of patient care.

In 2023, a major cancer treatment centre in Sydney was caught up in a cyber attack, with hackers threatening to release stolen data unless hospital administrators paid a ransom. Meanwhile, the personal details of patients at a major Melbourne hospital were compromised after cybercriminals hacked a staff member’s private email. These are just some of the many stories gracing the front pages of Australian newspapers.

The facts call for greater action by Australia’s healthcare industry

The healthcare sector recorded more data breaches than any other Australian industry in 2023, and more than twice the number reported by the financial services sector, according to the most recent Notifiable Data Breaches Report.

There are several important explanations for this. Firstly, the healthcare sector represents a highly attractive target for adversaries because of the high value of stolen patient records. Secondly, hospitals simply cannot afford to have their operations go down, meaning they are far more likely to pay the ransom to get critical patient systems back online.

Another contributing factor is that cybersecurity standards are weaker in healthcare than in other industries. The Australian Cyber Security Centre notes that the Australian healthcare industry in particular suffers from a lack of cybersecurity training, lax security practices and chronic underinvestment in technology and digital infrastructure.

An indication of just how vulnerable healthcare systems are can be gained from recent global research by Claroty, which looked at the cybersecurity levels of critical medical devices, ranging from imaging systems to infusion pumps and more.

The research found some alarming trends and statistics: one in four (23%) medical devices—including imaging devices, clinical IoT devices and surgery devices—has at least one known security vulnerability that has previously been exploited by adversaries.

Furthermore, 14 percent of connected medical devices were found to be running an unsupported or end-of-life operating system, along with seven percent of surgical devices whose failure might endanger patient safety.

The Australian Digital Health Agency (ADHA)—which is responsible for My Health Records data held by state or territory bodies—said in its 2022-2023 annual report it was strengthening its cybersecurity with a new, mandatory suite of security requirements that would harden clinical information systems against cybersecurity attacks, uplift information security and give better protection for consumer information. Every vendor with software products connected to the My Health Record system will need to supply extensive evidence to show conformance.

The ADHA has “a clear plan to meaningfully support Australian healthcare providers and health technology partners to protect themselves and the critical health information they hold.” To this end, its website provides comprehensive advice on cybersecurity covering how to set up a secure environment, how health service providers can protect information, and what users can do to secure information.

How we can improve the security levels of medical devices

In the meantime, much can be done to beef up the security of health IT systems and devices with some fairly basic cyber-hygiene measures. Below are some of the best ways to achieve this:

  • Avoid connecting any equipment to the internet unless such a connection is strictly essential.
  • Isolate your connected medical devices—patient and surgical—from your corporate networks.
  • Where remote access is needed by employees, ensure that this is secured with strong credential management and multifactor authentication.
  • Furthermore, where remote access to healthcare systems must be extended to third parties such as vendors and contractors, healthcare providers should ensure this is even further controlled. Specifically, healthcare providers should segment these networks and operate under a principle of ‘least privilege’, i.e. giving users only the minimum access level required to fulfil their assigned roles.
  • Maintain a comprehensive and up-to-date inventory of all assets throughout your facility and identify those that are internet-connected and most likely to be targeted by attackers.
  • Patch internet-connected devices and systems as soon as software updates become available, especially those systems that bridge enterprise and medical networks.
  • Prioritise risk management efforts based on the role of the equipment and its vulnerability as measured by the Exploit Prediction Scoring System (EPSS), a data-driven, machine-learning model that estimates the likelihood a software vulnerability will be exploited.
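
The inventory and prioritisation steps above can be combined into a simple triage script. This is an added example, not code from the article or any vendor: the role weights, exposure multipliers, asset names and EPSS values are all constructed assumptions, and the vulnerability identifiers are placeholders.

```python
from dataclasses import dataclass, field
from math import prod

# Assumed weights (not from the article): impact of a compromise by equipment role.
ROLE_WEIGHT = {"life_critical": 3.0, "clinical": 2.0, "administrative": 1.0}

@dataclass
class Asset:
    name: str
    role: str
    internet_connected: bool = False
    bridges_networks: bool = False  # sits between enterprise and medical networks
    eol_os: bool = False            # unsupported / end-of-life operating system
    epss: dict = field(default_factory=dict)  # vulnerability id -> EPSS probability (0..1)

def exploit_likelihood(a):
    # Chance that at least one known vulnerability is exploited, treating
    # the EPSS probabilities as independent (a simplifying assumption).
    return 1.0 - prod(1.0 - p for p in a.epss.values())

def priority(a):
    # Role weight times likelihood, scaled up for exposure (assumed multipliers).
    score = ROLE_WEIGHT[a.role] * exploit_likelihood(a)
    if a.internet_connected:
        score *= 2.0
    if a.bridges_networks:
        score *= 1.5
    return round(score, 3)

def findings(a):
    # Hygiene items from the checklist that apply regardless of score.
    checks = [(a.internet_connected, "confirm the internet connection is strictly essential"),
              (a.bridges_networks, "bridges enterprise and medical networks: patch first"),
              (a.eol_os, "end-of-life OS: isolate from corporate network")]
    return [note for flag, note in checks if flag]

def triage(inventory):
    ranked = sorted(inventory, key=priority, reverse=True)
    return [(a.name, priority(a), findings(a)) for a in ranked]

# Constructed inventory; identifiers and scores are illustrative placeholders.
INVENTORY = [
    Asset("infusion-pump-07", "life_critical", eol_os=True, epss={"VULN-A": 0.40}),
    Asset("pacs-gateway-01", "clinical", True, True, epss={"VULN-B": 0.30, "VULN-C": 0.20}),
    Asset("billing-ws-12", "administrative", True, epss={"VULN-D": 0.90}),
    Asset("mri-console-02", "clinical"),
]

if __name__ == "__main__":
    for name, score, notes in triage(INVENTORY):
        print(f"{score:>6}  {name}: {'; '.join(notes) or 'no exposure flags'}")
```

An end-of-life device with no scored vulnerabilities ranks low here but still carries its isolation flag, so review the findings column as well as the score.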

The takeaway

In summary, implementing and maintaining strong cybersecurity for healthcare systems is not rocket science: it is largely good housekeeping. However, the challenge is one of scale: a healthcare environment is a house with many rooms, all full of tempting targets for the bad guys. The good news is there are automated security solutions that can take the legwork out of this process, freeing up your time to focus on what matters most: patient care.