Healthcare organisations are the victims of one in ten cyber attacks in Australia. Regardless of the size of your workplace, whether it is a small practice or a large hospital, the need for cybersecurity is high.
Criminals consider healthcare data extremely valuable because of the high volume of sensitive information it contains. Contact details, past addresses, dates of birth and other personal details can be used for identity theft, while an individual's healthcare information may be used to extort the vulnerable. Because of the high returns this information brings, criminals are often willing to go to great lengths to bypass security.
Data breaches of a malicious or criminal nature are increasing globally and within Australia. The Australian Cyber Security Centre (ACSC) receives a report of a cyber crime in Australia every ten minutes. Data from the Office of the Australian Information Commissioner shows that criminal data breaches make up nearly two-thirds of all reported data breaches.
| 2020 | |
|---|---|
| Notifications | 1,057 |
| % criminal | 58% |
| % human error | 35% |
| % system fault | 5% |

Source: Notifiable Data Breaches Report, OAIC
Healthcare practices store large amounts of personal information, making them a prime target for hackers. Ensuring you and everyone in your practice follows good cyber hygiene will help prevent your practice from falling victim to an attack, or at least limit the damage.
MIPS’ Indemnity Insurance policy relates to the healthcare services you provide, but it is not designed or intended to comprehensively cover every aspect of your business. If your business is at risk of being sued or of a cyber attack, practice entity and cyber cover can protect you from loss. MIPS' partner, Aon, an insurance broker, offers practice entity, cyber, and public & product liability cover. MIPS receives no financial benefit or commission from this, but assists members to apply for cover.
Key cyber security threats for healthcare organisations
- Ransomware – A highly disruptive form of cyber attack, ransomware is malware designed to lock up, encrypt and extract data. These attacks are accompanied by extortion demands, requiring payment of a ransom (often in bitcoin) to decrypt the data or prevent publication of stolen data [1].
- Data breaches – often caused by social engineering or impersonation.
- DDoS attacks – a cyber attack on a server, service, website or network that floods it with Internet traffic. The aim is to overwhelm the website or service with more traffic than the server or network can accommodate [2].
- Phishing – a way for cybercriminals to steal confidential information (online banking logins, credit card details, business login credentials or passwords/passphrases) by sending fraudulent messages (sometimes called ‘lures’).
- Insider threats – include sabotage, theft, espionage, fraud and gaining competitive advantage, and are often carried out by abusing access rights, stealing materials and mishandling physical devices [3].
What you can do to protect yourself, your patients, and your organisation
Passwords:
- Make them long and strong.
- Don’t use things that can be easily guessed.
- Passphrases are a good idea.
- Use a password manager.
- Turn on multi-factor authentication.
Phishing emails
- Don’t open it if you don’t expect it!
- Be sceptical.
- Be aware of your online presence.
- If you receive a suspicious link, do not open or click on it. Inspect it.
- Use strong passwords.
- Always ensure your software is up to date.
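The phishing advice above says to inspect a suspicious link rather than click it. The following is an added example, not part of the MIPS article, showing what that inspection looks like when done by a mail filter or a helpdesk script: it extracts every link in an email body, compares the host name the reader sees with the host name the link actually points to, and checks the real host against a list of hosts the practice trusts. The email body, the host names and the `TRUSTED_HOSTS` allowlist are constructed placeholders for the example.

```python
"""Inspect the links in an HTML email before anyone clicks them.

Added example (not from the MIPS article). Flags an anchor when:
  * the visible text shows one URL but the href goes to a different host,
  * the href host is not on the practice's allowlist (assumed here), or
  * the link uses plain http rather than https.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: placeholder hosts, not a real practice.
TRUSTED_HOSTS = {"portal.example-practice.com.au", "www.example-practice.com.au"}

# Constructed sample email: one genuine link, one lookalike host
# (examp1e with a digit one), and one vague "click here" style link.
SAMPLE_EMAIL = """
<p>Your pathology results are ready.</p>
<a href="https://portal.example-practice.com.au/results">https://portal.example-practice.com.au/results</a>
<a href="http://portal.examp1e-practice.com.au/login">https://portal.example-practice.com.au/login</a>
<a href="https://update-records.example-cdn.net/x">Update your records</a>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def inspect_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per link with the reasons it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != real_host:
            reasons.append(f"displays {host_of(shown.group(0))} but links to {real_host}")
        if real_host not in trusted_hosts:
            reasons.append(f"host {real_host} is not on the practice allowlist")
        if urlparse(href).scheme == "http":
            reasons.append("unencrypted http link")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{verdict:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run against the constructed email, the first link passes, the second is flagged for the lookalike host and the http scheme, and the third is flagged because its host is unknown to the practice. The same check is what a person does by hovering over a link and reading the real address, only done consistently and before the message reaches the inbox.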
MIPS Membership
The benefits of membership include the MIPS indemnity insurance, which relates to the provision of healthcare. It excludes claims associated with the loss of, damage to, or the failure to adequately protect the security of electronic or hard copy medical records. MIPS does not provide cyber cover or practice entity cover. Members need to make their own assessment of their risk in this area. MIPS has established a relationship with Aon to help MIPS members inquire about and obtain an estimate for practice entity and cyber cover.
Useful resources
RACGP
- Responding to a cybersecurity incident information security in general practice
- Computer and information security standards
Australian Cyber Security Centre
- Multi-factor authentication for stronger cyber protection
- Back-up data to defend against cybercrime
- How to back up devices
- ReportCyber - Are you a victim of cybercrime?
MIPS webinars
MIPS Practice Notes
- Cyber risk: The essentials of online security
- Cyber: Legacy system letdown
- 22% of all cyber security breaches within healthcare
- Cyber security attacks - are you prepared?
- Hackers love health data
- Top 10 IT security tips for healthcare practices
[1] Locked Out: Tackling Australia’s ransomware threat
[2] What is a distributed denial of service attack (DDoS) and what can you do about them?
Missed the MIPS webinar? Catch up On-Demand
This information is not intended to be legal advice and as such should not be relied on as a substitute. You may need to consider seeking legal or other professional advice about your individual circumstances as appropriate. Should you wish to obtain further information you can review our Member Handbook Combined PDS and FSG or contact MIPS on 1800 061 113. Information is current as at the date published.