
Cyber security for General Practice

Digital transformation continues to improve many aspects of our daily lives, including health care outcomes. However, as digital transformation and reliance continue for both organisations and individuals globally, the market of opportunity for cybercriminals increases. Cybercriminals see the healthcare industry as a lucrative target because of the nature of our work. Malware and ransomware are some of the main sources of cyber security risk in healthcare. This has become increasingly evident through the proliferation of notable cyber attacks in Australia.

In October of 2022, we saw a cyber attack, specifically a ransomware attack on a private health insurance provider, which resulted in the largest breach of personally identifiable information (PII) and sensitive health information in Australia to date. The privacy of 9.7 million individuals was compromised and sensitive medical information, including treatment for HIV, drug and alcohol addiction, and mental health treatment, was posted on the dark web by cybercriminals.

When an individual’s medical history is stolen the ramifications are beyond financial loss and breach of privacy – this data can be used to proliferate insurance scams and can make the victim’s access to necessary treatment difficult. In some situations, the effects can be life-threatening as critical infrastructure may not be accessible leading to delays or disruptions in patient treatment. This highlights that cyber resilience across our people, processes and technology is more important than ever.

What is cyber resilience? Cyber resilience is your organisation’s posture or ability to defend against, adapt to, respond to and recover from cyber threats and cyber incidents while maintaining continuous business operations. In a healthcare context, this means ensuring that you have the knowledge and capabilities in place to continue to provide quality health care and protect patients despite a potential loss of information system availability and integrity due to a cyber attack.

Cyber adversaries aim to halt critical operations, steal data, and gain financially by exploiting any vulnerabilities that may exist due to digital and technological transformation or an internal lack of security knowledge. The following are some essential actions to get you started and uplift your cyber resilience today:

  1. Undertake regular security assessments of your operating environment.
  2. Uplift your cyber security literacy and create a culture of cyber resilience in your organisation. This is achieved by educating your staff on fundamental security awareness, including what cyber threats are, such as phishing, business email compromise (BEC) and ransomware attacks, and how to prevent them. Security awareness works in conjunction with technical investments to bolster cyber defences.
  3. Automatically update your organisation’s software, operating systems, and technologies. This will ensure you are running the latest version, which generally fixes known security vulnerabilities.
  4. Regularly back up your important data and test that your backups can be restored.
  5. Enable multi-factor authentication on all accounts and ensure strong password requirements are enforced for your important organisational accounts. You should also regularly review who has account access and remove any accounts that are no longer required.
  6. Finally, recognise that a cyber attack can happen and you should be prepared. Develop a cyber incident response plan and practise this plan with your staff. This includes key tasks such as checking your critical assets and processes, testing procedures, and establishing emergency plans and fallback scenarios. Be sure to outline the key contacts and actions, such as reporting the attack to the Australian Cyber Security Centre (ACSC) on for support, as well as notifying the My Health Record System Operator on 1800 723 471, and the Office of the Australian Information Commissioner (OAIC) online of a potential data breach.

Looking ahead, we understand that enabling cyber security in healthcare is achieved by maintaining the availability and interoperability of critical digital health applications, systems and services, while simultaneously protecting the confidentiality of sensitive and personal medical records.

At the Australian Digital Health Agency (the Agency), our Cyber Security Strategy 2022-2025 supports the advancement of our cyber capability in response to the changing cyber environment and supports the delivery of the National Digital Health Strategy and Framework for Action.

We have four guiding principles that shape how the Agency will work, think and behave towards security. The principles are:

  • Business-Led. Cyber security services and solutions are aligned to strategic Agency objectives and clinical outcomes.
  • Future Focused. Staying ahead of the evolving digital healthcare environment, ready to securely support the next horizon of digital health.
  • Prioritised Effort. Resources are focused on maximising value for the Agency and the Australian healthcare ecosystem.
  • Security By Design. Creating a DevSecOps environment that fully integrates security into every stage of product development.

In practice, we see these principles applied to establish and maintain the security of the My Health Record system, where a range of technical and non-technical security controls, including legislation, policies, procedures, network and application protections and security monitoring, protect the system. There are also several security features and controls, such as privacy restrictions and access control logging and monitoring, which are designed to enable healthcare recipients, carers, and authorised personnel to monitor and control access to their records.

While the delivery of the Cyber Security Strategy is led by the Agency, we cannot do it alone. Cyber security is everyone’s responsibility. It requires us all, both healthcare providers and consumers, to think securely. Whether we are at home or at work, we must ensure we are doing our best to protect the information, services and data in our care every day.

eLearning

My Health Record, Security, Privacy and Access

This module explores security measures and legislation supporting the My Health Record system and how your organisation’s policy governs the use of the system. Access the free eLearning module on the Australian Digital Health Agency Online Learning Portal.

Using My Health Record in General Practice

This module provides an overview of My Health Record and describes how general practitioners (GPs) can use it within their practice. Access the free eLearning module on the Australian Digital Health Agency Online Learning Portal.

On-demand webinars for healthcare providers

Watch the Agency’s free on-demand webinars to learn more about using My Health Record in your health service, including how to easily find the right document. Once you register, you can watch these short, pre-recorded sessions straight away. You will also receive a link so you can watch the session at a time and date that suits you. Find the full list of on-demand webinars on the Australian Digital Health Agency website.
