Think of every patient’s file as a Ferrari.
No, really – that’s how valuable the information inside can be to a hacker, according to a new report from professional services firm RSM Australia’s health arm, titled Building resilient healthcare organisations in Australia: Innovation, data and security.
In comparison, credit card details are more like a beaten-up old Ford.
“With a stolen credit card, the most you can use it for is five days, if you’re lucky,” RSM director of cyber security Ashwin Pal said.
“However, with patient data and all of the information you get with it, you can actually go in and get five credit cards, five mortgages, three personal loans … and off you go to Mexico.”
Hackers are also getting more wily, Mr Pal told The Medical Republic.
Where they may have previously hacked a GP computer system just to lock it and demand a ransom, they now also steal patient data.
“Now, when the GP refuses to pay ransom, and says, ‘I’m fine, I backed up all my data last night’, the criminal is going to go, ‘ah, but I’ve got all your patient data and now I’m actually going to leak to the dark web and to the world that your patient, Mrs J, had an abortion at the age of 16’,” he said.
To improve cyber-defence, RSM suggests regularly training staff at every level of the organisation – about 40% of healthcare data leaks, at least in the US, are caused by healthcare staff themselves, mostly by accident.
“I’ve had a pharmacy where the locum has come in, checked his email online [on the pharmacy computer] and clicked on what he thought was an electricity bill, and all of a sudden you’ve got an issue,” RSM Australia Health Services National Leader Peter Saccasan said.
“That can happen in any health practice, particularly because it’s an industry that relies on locums and contractors.”
As health continues to move toward smart devices, wearables and what the industry calls “operational technology”, cybersecurity is likely to get even more important.
“Unfortunately, whenever anything is able to be connected to the internet, to folks like us it’s basically a little red flag to a bull,” Mr Pal said.
About 15 years ago, former US Vice President Dick Cheney even had doctors disable the wireless capabilities of his pacemaker to avoid any possibility of assassination via the device.
“Local GP clinics may not have their attention on these issues, even though they obviously understand that patient data is important and sensitive,” Mr Saccasan told TMR.
Outsourcing cyber security to dedicated IT teams, he said, is probably the best move.