An international expert in cybersecurity has warned against complacency in the Australian healthcare system, claiming Australia is the target of hackers but a lack of reporting legislation means the attacks remain secret.

Cisco Cybersecurity’s global industry leader, Richard Staynings, said the failure of the federal government to implement rigorous breach reporting requirements had led to patients believing their data is safe when instead they are being kept in the dark.

“Lack of breach notification has kept patients woefully ignorant,” Staynings said.

“It’s a massive problem, most of which is obscured from view in Australia by a lack of visibility.”

Despite little information available on cybersecurity failures in Australian healthcare organisations, he said hacks are occurring behind closed doors.

Attacks seen in Australia have included a Qbot outbreak in January last year that took out a pathology department and spread laterally across the network, and a 2016 Medicare breach in which patient health information was stolen.

Phishing emails aimed at healthcare professionals account for 86 per cent of all attacks, while human error includes the faxing of patient information to wrong numbers.

Ransomware has also hit GP clinics and dental offices across Australia, Staynings said, at alarming levels.

“Perhaps more so than in any other country in terms of the standalone small physician clinics,” he said.

Healthcare is considered an easy and lucrative target by hackers, claimed the global expert, with the sector 20 years behind financial services in terms of security protections and staff skill levels, making it a “a low-hanging target,” while a stolen medical record is worth 200 times that of a credit card number and has a long shelf life, hence the appeal for cybercriminals.

Staynings said patients would be concerned if they were informed of breaches to their records.

“If patients knew just how many times their medical records and personal 
information had been breached and by whom, they might have a different view 
of this problem. It’s not just the theft of PHI and PII and the selling of that information on a Russian language wares site, it’s the fact that their records and other personal information may have been viewed by a neighbour, relative or their worst enemy who has access to that information in a hospital or by some other means,” Staynings said.

“Most Australians have no idea of the magnitude of the problem, and by and large are uninterested in the whole subject because they have been kept in the dark.”



White papers