Expecting the unexpected

Beyond cyber security to cyber resilience

The modern hospital building for all its familiarity, is a miracle of engineering, from the selection of materials to the design of care facilities to the sprinkler systems and alarms. All this careful design and planning results in a high degree of safety that we tend to expect as we go about our business.

And despite that high degree of built-in safety, we still practice regular evacuation drills as a last resort, so we can survive if all else fails.

Cyber security is no different. Your healthcare networks and systems have been designed by dedicated professionals to manage data and communications seamlessly and transparently, while keeping out cyber-attacks and other unwanted intrusions. Despite all that careful planning and design, there may be circumstances where a cyber-attack breaches the defences.

The practice of addressing these contingencies is called cyber resilience. More formally:

Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.^[1]

A recent example

A US respiratory hospital – already stretched by the demands of the ongoing COVID pandemic – suffered a ransomware attack where some services were initially disrupted and personal health information was exfiltrated prior to their systems and files being encrypted.

In response, the hospital instigated their cyber incident response plan and promptly contained their affected systems, notified authorities and communicated with their customers “We were prepared for a potential attack and protective systems were promptly activated.”

Most importantly, the hospital’s primary function – the delivery of respiratory care – continued without interruption, and no patients were at risk of harm.^[2]

In other words, the hospital seems to have done an exemplary job of detecting and managing this incident, and are now in the recovery phase.

What is the magnitude of these risks?

The risk of being involved in a cyber incident is much greater than the risk of a fire or other major workplace emergency. The Australian Cyber Security Centre received over 67,500 cyber crime reports in the previous financial year, which is equivalent to roughly one report every 8 minutes. Australia’s health sector, moreover, has received more than its share of unwanted attention:

Targeting of the health sector, particularly by cybercriminals, is one of the most significant cyber threats Australia has so far faced during the pandemic. The health sector in Australia reported the second highest number of cyber security incidents both overall and for ransomware-related cyber security incidents.^[3]

Becoming cyber resilient

Improve your cyber maturity

Improving the cyber security maturity of your healthcare organisation will enhance its capacity to avoid and respond to cyber-attacks. Authoritative general guidance is provided by the Australian Cyber Security Centre’s Essential Eight Maturity Model and Preparing and responding to cyber security incidents. See also the RACGP factsheet Responding to a cybersecurity incident for advice tailored to the specific needs of healthcare providers.

The Office of the Australian Information Commissioner’s Data breach action plan for health service providers sets out a high level plan for addressing data breaches, including reporting obligations.

Additional considerations include:

• Review and test your incident response and disaster recovery plans. Do the relevant personnel know what they’ll need to do?
• Confirm that normal operations can be restored from offsite backups within an acceptable timeframe.
• Review your network connections with any third parties. Do they represent a risk to your operations? Or do you represent a risk to them?^[4]

Understand your reporting obligations

Australian healthcare providers have specific data breach reporting obligations. All health service providers in the private sector (regardless of organisation size) are subject to data breach obligations under the Privacy Act 1988.

In addition, participants in the My Health Record system are subject to specific data breach obligations, which apply when an incident has, or may potentially, effect the security or integrity of the My Health Record system, or involves unauthorised collection, use or disclosure of information in a person’s My Health Record.

These obligations, and practical advice for implementing them, are available at the Office of the Australian Information Commissioner’s website:

• Guide to mandatory data breach notification in the My Health Record system
• Guide to Notifiable data breaches under the Privacy Act 1988.

In summary

System resilience in a healthcare setting is not a new concept for this environment. Dealing with patient related events including life and death situations means that the healthcare system is well versed in preparing for the unexpected.

As healthcare becomes more digitised to achieve better outcomes, efficiencies and safety for patients, the dependencies on information and the platforms that support and manage this information increase. Digitisation means that technology and clinical processes are seamlessly integrated to achieve these outcomes.

The need to test and prepare for those systems being interrupted, interfered with or disrupted is essential to ensure that we’re not “fixing on the fly” after the fact. Building resilience and preparing for the unexpected, means that we do what we practice rather than being taken by surprise.

Dig deeper

The Australian Digital Health Agency offers broad-ranging cyber security guidance to the Australian healthcare sector, with targeted advice for both technical and non-technical audiences.

More technically oriented readers may benefit from the detailed cyber resilience framework recently published by the US National Institute of Standards and Technology.