Saturday marked one year since the WannaCry ransomware first hit the world. The massive global attack was a shock for many, infecting over 300,000 computers and impacting organisations in 150 countries. Suddenly, those predicted cyber threats were very real, with unprecedented impacts on business operations, infrastructure, service delivery – and human lives.
As it was for the rest of the world, WannaCry was a wake-up call for Australia. Dan Tehan, Minister Assisting the Prime Minister for Cyber Security, stated at the time that he wasn’t ruling out calling in the military to help tackle the issue.
In the aftermath of the attacks, many organisations made plans to ramp up their cyber security capabilities. The reality is that most still aren’t truly ready to face today’s complex cyber threat landscape. And healthcare is in the front line.
Our healthcare systems at risk
Healthcare is where the consequences of a cyber-attack are most life-threatening. When the WannaCry attack hit, several health organisations around the world were affected. For the UK National Health Service, for example, the attack meant cancelled surgeries, diverted ambulances and much more.
In Australia, there are no exceptions. According to the latest reports from the Office of the Australian Information Commissioner, nearly a quarter of data breaches reported under Australia’s new mandatory data breach regime took place in the healthcare sector.
Recently, speaking at the Australian Cyber Security Centre Conference, President of the US National Health Information Sharing and Analysis Centre Denise Anderson said that as we put more medical information online, healthcare is becoming one of the preferred targets.
The increasing numbers of connected medical devices used to enhance care for patients and assist doctors, plus data-sharing initiatives in Australia such as My Health Record, are fantastic steps forward. However, they also make life a lot easier for hackers, with more entry points to exploit and more data than ever to pursue. Reports say that personal health information offers 10 times the pay-out on the black market compared to stolen credit card numbers.
If we want the digitisation of our healthcare system to be successful, it is imperative that healthcare leaders continue to make cyber security and data protection a top priority.
Budgets might be stretched but a proactive and effective defence is possible
IT is still seen as a transactional and support function, which means IT teams often lack the resources – and time – to put in place basic security practices such as manual patching of machines.
But as cyber threats become more virulent it is vital healthcare organisations make security a business priority, not just a ‘nice to have’ add-on to their existing IT strategies.
The first step is to focus on prevention: it costs more to recover from a hack than to proactively prevent it from happening, both from a financial standpoint, where records and critical business or financial data can be held to ransom, and from a productivity point of view.
Businesses should take a holistic and proactive approach to limiting their exposure and vulnerabilities in terms of network security. This includes ensuring all operating systems and virus definitions are kept up to date.
It’s also important to have in place effective disaster recovery techniques such as keeping critical data backed up in a separate location, segregating data and applying the principle of least privilege. If you have your data backed up, there’ll be no need for you to pay up in the case a ransomware attack occurs.
In addition, healthcare organisations should look at:
Hacking their own systems: many organisations think their security systems are fool-proof. But until they recruit professional ethical hackers and involve their employees in a simulated real-world cyber-attack, they won’t really know how robust their defences are.
Employing a defence-in-depth approach to security: while some healthcare providers understand the need to keep their physical and digital assets secure, they realise they lack the expertise to do so. It is recommended to partner with cybersecurity experts that will deep dive into their company’s systems to ensure information at every layer – network, device, software – is truly secure.
Training your workforce: ask any cybersecurity expert and they will tell you employees are probably most organisations’ weakest link. It is crucial to keep staff abreast of the latest cybersecurity best practices and the company’s latest cybersecurity protocols, starting from day one.
Healthcare institutions need to expect the unexpected as no one knows when the next attack will be. Hackers never sleep. But you can be prepared and take proactive, preventive steps to avoid the worst outcomes.
Mitigating your risk and exposure will help to put you one step ahead of the hackers and, most importantly, help to safeguard sensitive, personal information.
Shantanu Srivastava is vice-president of BlackBerry Enterprise for Asia Pacific.