22 November 2024

Getting to the heart of the cyber security and privacy issues impacting Australian healthcare.

Laura McVey
Manager
Rahul Prasad
Manager
Melanie Marks
Director

Protecting privacy and ensuring cyber security in healthcare is particularly challenging in Australia, where the healthcare sector is vast, interconnected, and operates under multiple regulatory systems at once. The sensitivity of health information, coupled with operational constraints and the reliance on legacy systems, makes healthcare one of the sectors most vulnerable to cyber threats.

Imagine you are booked in for a procedure: you’ve taken leave from work, organised someone to look after your kids for a few days, fasted for 12 hours and psyched yourself up to face surgery or a general anaesthetic or whatever your results may be… Then, in the morning, you receive a notification: ‘Your procedure can’t go ahead today as our IT systems are down, due to a cyberattack’. This would be heartbreaking and frustrating, scary and inconvenient. Not only are you unable to have your procedure, but you are now also worrying whether your information has been exposed. Maybe your medical records have been exposed? Maybe you’re at risk of identity theft? This is occurring across Australia as cybercriminals continue to target the healthcare industry, trying to steal our most sensitive information and holding these organisations to ransom.

You don’t have to look far to see the impact this has on our health services and community. In only the last 24 months, MediSecure revealed 12.9 million Australians had personal data stolen in a cyber-attack, St Vincent’s Health Australia said it had data stolen in a cyber-attack, Melbourne’s Eastern Health was hit by a suspected cyber-attack and Crown Princess Mary Cancer Centre in Westmead Hospital also suffered a cyber-attack, with hackers threatening to release stolen data.

In this blog, we explore the Australian healthcare system, the specific challenges that it faces and why maintaining privacy and cyber security in healthcare remains a difficult and ongoing task. We also examine why it is so critical to build trust in the sector and how that might be done.

The healthcare system is complex

The first issue is that the Australian healthcare system is a complex web, comprising different health professionals, working in and around various healthcare organisations (and sometimes across multiple). It involves government and non-government entities, and the supply chain is vast.  

For example, most specialists work in both a public and private capacity within the public hospital system and will also have private rooms. Information sharing is necessary across these spaces, but it also introduces points of weakness in information management and security.

Regulation is inconsistent

The second issue is that regulation is a patchwork. The lack of unified standards across public and private sectors adds complexity to data protection efforts and hampers effective, coordinated responses to security incidents. Public and private healthcare organisations operate under different regulatory frameworks and legislation, with public hospitals following state and territory-based regulations and legislation, and private entities adhering to federal legislation (i.e. the Privacy Act 1988) and international standards like ISO 27001 for security. This division leads to inconsistencies in data handling, breach reporting, and incident response protocols.

Information technology adoption is piecemeal

Now add in the quagmire that is information technology in healthcare. The digital journey for most healthcare organisations has been slow and, in many cases, organic in the worst way; that is, sprouting different systems to support specific specialties or aspects of healthcare without a streamlined plan. This has led to healthcare organisations using multiple systems, both old and new, as they grapple with the costs and benefits of maintaining or implementing new digital health systems.

For these reasons, there are a lot of weaknesses in the sector. Poor security practices, heightened risks due to the large number of endpoints and inadequate access controls, and an operational need to access information quickly all make healthcare providers particularly vulnerable to cyber security and privacy risks.

The cyber threat landscape in healthcare is also constantly evolving. Attackers are employing increasingly sophisticated methods to breach systems. Techniques such as phishing, advanced malware, and social engineering have become more targeted, and the rise of AI-driven cyberattacks further complicates defence efforts. The dependence on third-party vendors for key services also increases healthcare providers’ vulnerability to cyber threats. In some situations, limited oversight of vendor security and privacy practices means that a single weak link can compromise the security and privacy of the ecosystem. Considering the sensitivity of the data, cybercriminals have the sector (and patients) over a barrel.

AI in healthcare

Finally, we are starting to see how the rapid adoption of AI in healthcare brings unique risks to patients and their data. Many AI systems require extensive patient data to function effectively, increasing the potential for data exposure and misuse. Insufficient regulation and oversight of AI algorithms may lead to inconsistent results, biases, and errors in patient care. These risks make it essential for healthcare organisations to implement rigorous validation, governance, compliance checks, and transparent practices as they integrate AI into their operations.

However, the issues surrounding information technology adoption also apply to AI adoption in the healthcare system: many healthcare services may not have the maturity to apply the necessary governance and compliance checks, and may have limited experience in undertaking whole-of-organisation uplift projects.

What to do?

So where to start? While the challenges might be slightly different, the practical steps that healthcare organisations can take to uplift and maintain privacy and cyber security are no different to those in other sectors. Establishing a clear baseline (what your healthcare organisation collects, uses and discloses), having a proactive and practical plan, and ensuring that frameworks and controls are understood by personnel and operate effectively can significantly impact the patient journey.

Here at elevenM, the sustainability of the healthcare system is something we care deeply about. Having outlined the problem space, in our next blog we’re going to help you identify what maturity assessments and other tools and resources are most useful to healthcare organisations and what your organisation can do to identify gaps and then build strategies and programs to help build trust.

In the meantime, if you would like to know more about privacy and cyber security, please get in touch.