Data recovery tips - Do you have a response plan?

Automated introduction: Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.

Dr. Andrew Rochford (Facilitator): Hello and welcome to our podcast on data recovery tips. Do you have a response plan? hosted by the Australian Digital Health Agency. But before we begin, I would like to acknowledge the traditional owners of the land on which we are broadcasting from and in which you are listening. I wish to acknowledge their continuing connection to land, sea and community and pay my respects to them and to elders past, present and emerging, and extend their respect to any Aboriginal and Torres Strait Islander peoples joining us today.

Today we will be discussing cyber threats in the healthcare industry and the importance of having a cyber security response and data recovery plan. With the rapid digitalisation of healthcare systems, cyber threats have become a significant concern for healthcare providers. Malware, ransomware, phishing attacks and data breaches are just some of the risks that healthcare providers face, potentially compromising sensitive patient data and disrupting clinical operations. The cyber security response and data recovery plan are essential to minimise the damage caused by these threats. In this podcast we will provide some tips on how healthcare provider organisations can protect their clinical systems and why educating staff to be cyber aware is crucial. Today we are joined by Danielle Pentony, Director of cyber security operations at the Australian Digital Health Agency. With over 15 years' experience in the technology and cybersecurity space, focused on financial services as well as healthcare and Government. And we're also joined by Jarrod McMaugh, pharmacist with 20 years' experience in rural and metropolitan practice in the community setting. State manager for Victoria and Digital Health Lead for the Pharmaceutical Society of Australia (PSA). Thank you for joining me Danielle and Jarrod and I'm doctor Andrew Rochford, I'll be the host of today's podcast, I'm a medical doctor and spokesperson for the Australian Digital Health Agency.

To kick things off, I'd like to ask the question, what are some of the common cyber threats facing the healthcare industry at the moment? Danielle, can you help us answer this question?

Danielle Pentony (Director of Cyber Security Operations): Cyber attacks are becoming increasingly complex and sophisticated. This evolving threat landscape pits us against creative and well-funded threat actors. There is an increasing complexity of hybrid and multi cloud environment. We're also seeing more supply chain attacks than ever before. Phishing tactics are continuing to trick everyday consumers and users and employees into clicking on malicious links. The healthcare industry is actually a top target for ransomware attacks and in the healthcare sector, the potential effects of these kind of attacks could take entire hospitals or health services offline. Those attacks can impact operations in ways that are life threatening beyond simply harming the business. As healthcare organisations continue to evolve digitally, one thing has become clear, patient welfare cannot come first if digital systems supporting it are threatened. The healthcare sector is a veritable gold mine of data, as much of it is managed through easily exploited, sometimes legacy IT systems. A survey conducted by the Healthcare Information and Management Systems Society found that 73% of healthcare provider organisations use legacy IT systems, which are costly to support and are often rife with gaps in security. This makes the sector an easy and potentially lucrative target for ransomware operators, but this vulnerability does not solely come down to software and systems. It's also related to how data and devices are managed within individual organisations, which is why it's important to protect clinical systems and have an incident response and data recovery plan in place.

Dr. Andrew Rochford (Facilitator): Thanks for that, Danielle. Jarrod, can you discuss some of the key differences between data recovery for physical disasters versus data recovery for cyber attacks?

Jarrod McMaugh (Pharmacist, PSA State Manager Victoria): So, physical disasters tend to be issues that cause damage to your actual devices, so they might destroy your CPU or your network capacity to communicate between your systems, or they might take out a hard drive for instance, so fires or other damage to your property. Cyber attacks target the software and the network systems themselves. So the things that allow access to the data that you've got within your system. Disasters do tend to be sudden and unexpected. If you're in Melbourne at the moment, you might be experiencing more earthquakes than we previously had in the past, but that kind of disaster is the thing that you have pop up out of the blue and you're not expecting it and it can damage your systems, and usually when those physical systems are damaged, they need to be replaced rather than being able to be swapped, fixed rapidly, as would happen with the cyber security issue. As a result, because they're physical, you can't really prepare for them advance unless you really want to have a bunch of spare hardware sitting around. But cyber attacks you can prepare for because you can detect them early, you can find the activity that would hint at an attack coming your way through phishing or spam or similar types of attempts to get your attention and get you to click on links. Which means you can be more proactive in responding to that and reducing the impact that it's going to have. The data recovery for physical disasters basically involves replacing something. So, I've had to do this in my practice in the past where we had a server that went down and our contractor company was able to replace that for us physically, quite rapidly. But when we have cyber attacks, it's a matter of having our off-site backups restored over the Internet from the company that we provide that service to us and they could do that quite rapidly and effectively. In addition to that, because cyber-attacks are about disrupting your network quite often that can be isolated to one device so when you can identify that you can just physically turn it off isolated from the system, have your contracted company dial in and make sure that there is no impact on the other devices on your network. And then isolate the one that is affected, remove it and replace it basically rapidly. So, the main differences are, one is hard to prepare for, the other is not so much, especially if you have a cyber security plan in place and the recovery from it can be a lot quicker when it's a cyber attack if you have that cyber plan in place.

Dr. Andrew Rochford (Facilitator): Thanks, Jarrod. Danielle, can you tell us why it is essential to have a cyber security response and recovery plan and what does a plan like that actually include?

Danielle Pentony (Director of Cyber Security Operations): Imagine the consequences if your organisation lost all of the data you needed for your day-to-day operations. This would not only be disastrous for your reputation and could jeopardise the safety of your healthcare consumers. Regularly backing up your data and having multiple backups is important for your business, so all information that is critical to the operation of your practice should be backed up. Determine your backup frequency, select the appropriate method and your backup storage options. I know it can all seem very complicated, but it is important to speak to your managed service provider or your technology partner who manage your IT systems about developing a comprehensive data recovery plan. Just as a fire drill helps to ensure emergency evacuation procedures are working effectively, it is important to test your backups regularly to make sure that the backup process is working as expected. This will help to ensure you are able to successfully recover from a disaster that impacts your IT systems should the need arise.  Hardly a day goes by without reports of another high profile cyber attack hitting the headlines. Organisations frequently failed to manage the response, and in our experience, this can be more damaging than the fact that they suffered a breach in the first place. It can suggest that not only were they breached, but they were not in control of the situation either. While every incident is different, a typical response plan follows a structural approach. So, this starts with detailed planning and preparation, includes testing capability through simulation exercises. Once an incident is identified, it's triaged, and steps are taken to contain the impact and then an investigation into the root cause takes place. But it's also important steps to taken to remediate the issue and bring the organisation back to a stable state. And a key step that is often skipped is following up after the incident with lessons learned to enable long term improvements in both the response process and the organisations ability to detect, resist and react in future. So, if I were to give you maybe some tips, I would just say remember these three words plan, test, and repeat. Prepare for the worst. Know what to do for cyber incident occurs. Keep your response plans updated. A RACI matrix is one of the most important aspects of your plan. It will tell you who is responsible, accountable, consulted and informed as part of your incident response. Cyber security incident management and response ensures the organization is well positioned as it can be to deal with security incidents as they occur. A response plan that is not being tested is as useful as have no plan at all. Your training and scenario exercises or drills to ensure that all parties are aware of their duties and can perform them. Your cyber incident response capability is a high impact way of engaging your response teams which includes your executive team and not just the IT team in the business decision making process that goes a long way in reacting to a critical incident.

Dr. Andrew Rochford (Facilitator): Thanks Danielle. Jarrod, what does a data recovery strategy look like in a traditional community pharmacy setting?

Jarrod McMaugh (Pharmacist, PSA State Manager Victoria): Yeah, so in community pharmacy setting it's traditionally not been very high tech. When I first started it was literally zip drive backups, but now that we have the Internet and a lot higher connectivity, what it usually looks like is a relationship with an IT provider who does off site image-based backups on a regular basis. Now community pharmacies updating clinical data records about individuals very rapidly throughout the day. So, an image-based backup is usually the best one because it will capture the data that's being updated on a regular basis. So, in my pharmacy I had it set up to do images every hour. And that meant that if we had a data loss that that could actually be recovered quite rapidly and not lose most of the day's data, which is quite important. What's really important as well is to make sure that it's actually in place in the first instance. So, the last thing you want is to have a data breach and then be like, oh, what am I supposed to do now? So, if you are having that thought at the time you've got a data breach, then things that are not going to go so well for you. So the main aspect here is to have your cyber security plan in place to understand what it is that needs to be done under different circumstances and to ensure that your staff understand both how to respond to an issue, but also how to prevent them so having specific rules about accessing personal emails, for instance from computers that are used to handle clinical data is a really important part of that plan. But it is fairly straightforward in community pharmacy now as each community pharmacy is a relatively small organisation, it's very easy to set up off site image-based backups that can be restored quite rapidly when an issue arises.

Dr. Andrew Rochford (Facilitator): And how do you ensure that pharmacy staff are trained on the latest data security threats and know how to respond if needed?

Jarrod McMaugh (Pharmacist, PSA State Manager Victoria): So, there should be regular training with your staff, regardless of what the topic is, and the cyber security should be a regular part of that training that's provided to your staff. So as a basic first step is to ensure that they know that that's the cybersecurity plan exists. To know where to access it, if and when there is an issue. But also, to discuss ongoing issues that arise in the space. So being aware of different cyber security attempts and also the human aspect of getting access to people's networks is a really important part. So, sending emails to people that look too good to be true and then having those accessed on a network that shouldn't be accessed from is really important. It's also important to keep in mind that if you've got a Wi-Fi set up for your staff that if they're accessing their personal emails, for instance, on their personal devices, that your security setup on your Wi-Fi is going to ensure that there's no cross contamination to your clinical data. And in some instances, in community pharmacies people provide Wi-Fis to their clients as well, so people who are in the store, my recommendation there is to have a completely separate Wi-Fi network for that setup. So, the Australian Digital Health Agency does have learning modules available for staff as well, so that's available at training.digitalhealth.gov.au and you can access those courses at any time, and they're very informative for all staff and health professionals as well.

Dr. Andrew Rochford (Facilitator): Yeah, they're great. Thank you for that, Jarrod. Danielle, how can businesses and individuals stay up to date with the latest cyber security threats and technologies related to data recovery?

Danielle Pentony (Director of Cyber Security Operations): So the Agency, we produce a wide range of resources to help healthcare providers and individuals. And as Jarrod mentioned, the good place to start is to look for resources available on the Agency website. If you're not already signed up to our threat alerts, please contact us at [email protected], that's [email protected] . The Agency Cyber Operations team also provide actionable intelligence to the health sector in a manner that is understood at the grassroots level. You can also stay up to date with the resources available from the Australian Cyber Security Centre. The ACSC. They can be found on cyber.gov.au

Dr. Andrew Rochford (Facilitator): Thanks, Danielle. Recently I spoke with the renal specialist who runs a private practice on the Gold Coast in Queensland, Dr Troy Kay. I'd like to play a clip of our conversation where they spoke about their recent experience with data recovery. And how they are keeping their practice information secure.

Dr. Troy Kay (Renal Medicine Specialist (Nephrologist): I guess I was asked about cyber security on one of the recent talks and we certainly had a recent experience where our practice was hacked, as the term would be. Unfortunately, on a Friday night just before the daily backup occurred and it was just yet another reminder about the vulnerability that medical practices have, and we're certainly being targeted. It's one of those things where you'd say when, not if anymore. Certainly, I'm aware of more and more colleagues that have had some form of malware, ransomware or hacking of viral encryption that has led to, a bad experience. We first had a ransom where many, many years ago which let us to improve our systems and then this latest attack has changed again. So, the first thought with all that is the backup side and everyone thinks that they have backup and I spoke to a colleague where he had a recent ransomware demand and he thought he had good IT people and they were on daily backups and he found the most recent backup that was viable was three months earlier. So, ensuring that we are on top of our IT people or if you're doing it yourself, that the backups are truly happening and truly recoverable is really critical. Because otherwise your practice can really stall and very quickly. So, you want to make it so that if you, or when, you have one of these attacks your chances of getting back up and running quickly and without compromising patient care in particular. But also your practice running is pretty streamlined and it's always one of those things where simulation training maybe worth thinking about. Just making sure you can almost do a dry run and see that everything's going to work, that you're being told is going to work. There's a reaction that you have to it at the time it's very frustrating for us. You feel violated and I guess trying to just deal with the emotions of all of that and get back on your feet is important too. You lose a lot of trust that there's people out there that are doing things like this and especially to medical practices. The ransomware, so the colleague, I never had any demands with this recent one, but the colleague had a demand of a payment to unencrypt his practice data. He looked into it and said that it's somewhere around the 10 to 15% that make that payment and get anything unencrypted. So, the general recommendation is not to pay any money. So, you really need to be able to fall back on your on your backups to get back up and running and just write off whatever it is that they're destroying or encrypting at the time. The Cyber Crime Division sort of want to know about these. There is scam watch, so they'll give us advice and part of it also is if you have been hacked, whether or not there's been a data breach and then whether or not you should be looking at disclosure to patients that some of their details may have been released. That's different if they just encrypt your data, but if they have had a snapshot of your practice data of your hardware, it's possible that's also happened, in which case you got to go down the route of disclosing to your patient population about the possible elements of their recorded background with you, that may help some people get identity theft, in particular with things like the Medicare number, dates of birth and some more details around it. Hopefully not keeping banking details of theirs on file. One part that was of benefit for me is in amongst the daily backups, my daily backup was occurring at 10 o'clock at night, so we lost our data at 8 o'clock at night. So the day's work that I had done that day was lost. The good part, and this is where it integrated into the My Health Record, was that my letters will upload to My Health Record unless the patients opted out. So, I think there's something like 22 - 23 patients or something I'd seen that day in clinic, all but two of them I could pull their data straight back off their My Health Record into my notes. So I basically had no real concern with having full data recovery with patient care. The other two patients we just approached the GP's to get the letters back that I had sent out on those two. So we actually had a fairly quick recovery of all the patient data and then getting up and running again. It did prompt me to change from a stand in, in the room server and offsite backup, to looking at cloud hosted so and again there's pros and cons of each approach, but I think the biggest thing is to recommend that every doctor out there and every medical practice thinks hard about this before it happens, because after it happens it's too late, you can't get the data back. So, making sure that you've got as many systems in place to ensure smooth running of your practice and smooth patient care is part of everyday life now. The other part of it that was mentioned to me is there is such thing as having insurance for cyber security and for these breaches. But my understanding of that is it's very expensive. So, just making sure that I guess we've got the backups and we can recover probably still going to be the first port of call.

Dr. Andrew Rochford (Facilitator): As we wrap up today's discussion on data recovery and cyber security in the healthcare industry, we hope you found our conversation informative and helpful in understanding the challenges and best practices in this area. Our guests have emphasised that data security and recovery are critical components of any healthcare organisations operations by prioritising data protection and implementing robust backup and recovery plan, healthcare providers and organisations can ensure that patient data is safeguarded from cyber threats and other unexpected events. We encourage you to take the time to review your own data security and recovery plans and stay up to date on the latest developments in this space. 

Thank you to Jarrod and Danielle for joining me on today's podcast and thank you to you for tuning in and we hope to speak with you again soon.