Cyber security for general practice

Digital transformation has greatly enhanced various aspects of daily life, including healthcare. However, this increased reliance on digital systems presents a growing opportunity for cybercriminals worldwide.

The healthcare industry, in particular, has become a lucrative target due to the sensitive nature of its data. Malware and ransomware pose significant cybersecurity risks in this sector, as evidenced by numerous cyber attacks in Australia.

In October 2022, a ransomware attack on a private health insurance provider in Australia led to the largest breach of personally identifiable information and sensitive health data in the country’s history. The privacy of 9.7 million individuals was compromised, with sensitive medical information, including treatment details for conditions like HIV, drug and alcohol addiction, and mental health issues, being exposed on the dark web.

The consequences of medical data theft extend beyond financial loss and privacy breaches. Stolen data can facilitate insurance scams and impede victims’ access to necessary treatments, potentially endangering lives due to disruptions in patient care. This underscores the critical importance of cyber resilience across people, processes, and technology.

Cyber resilience refers to an organisation’s ability to defend, adapt, respond, and recover from cyber threats while maintaining continuous business operations. In healthcare, it involves ensuring the capability to deliver quality care and protect patients despite potential disruptions caused by cyber attacks.

Cyber adversaries aim to halt critical operations, steal data, and gain financially by exploiting any vulnerabilities that may exist due to digital and technological transformation or an internal lack of security knowledge.

The following are some essential actions to get you started and uplift your cyber resilience today:

1. Undertake regular security assessments of your operating environment.
2. Uplift your cyber security literacy and create a culture of cyber resilience in your organisation. This is achieved by educating your staff on fundamental security awareness including what cyber threats are, such as phishing, business email compromise (BEC) and ransomware attacks, and how to prevent them. Security awareness works in conjunction with technical investments to bolster cyber defences.
3. Automatically update your organisation’s software, operating systems, and technologies. This will ensure you are running the latest version, which generally fixes any security vulnerabilities.
4. Backup your important data and test that your backups work.
5. Enable multi-factor authentication on all accounts and ensure strong password requirements are enforced for your important organisational accounts. You should also regularly review who has account access and remove any accounts that are no longer required.
6. Finally, recognise a cyber-attack can happen and you should be prepared. Develop a cyber incident response plan and practice this plan with your staff. This includes key tasks such as checking your critical assets and processes, testing procedures, establishing emergency plans and fallback scenarios. Be sure to outline the key contacts and actions such as reporting the attack to the Australian Cyber Security Centre (ACSC) on for support, as well as notifying the My Health Record System Operator on 1800 723 471, and Office of the Australian Information Commissioner (OAIC) online of a potential data breach.

Looking ahead, maintaining the availability and interoperability of critical digital health systems while safeguarding the confidentiality of medical records is essential. The Australian Digital Health Agency’s Cyber Security Strategy 2022-2025 supports this goal by aligning cybersecurity efforts with strategic objectives and clinical outcomes. Four guiding principles—business-led approach, future focus, prioritised effort, and security by design—shape the agency’s approach to cybersecurity.

The agency applies these principles to establish and maintain the security of systems like the My Health Record. Various technical and non-technical security measures, including legislation, policies, procedures, network and application protections, and security monitoring, are in place to safeguard sensitive health data.

Ultimately, cybersecurity is a collective responsibility that requires vigilance from healthcare providers, consumers, and organisations alike. Whether at home or at work, everyone must prioritise security to protect information, services, and data.