As healthcare becomes increasingly digitally based and an ever-wider range of IT solutions is put in place, cybersecurity remains a top concern for healthcare at all levels, particularly since COVID-19 caused a rush to provision remote care solutions alongside traditional face-to-face clinical encounters. More importantly, it is critical that cybersecurity is seen as everybody’s responsibility, rather than, as in the traditional view, the responsibility of IT geeks hiding in a back room somewhere.
The Australian Digital Health Agency website states:
“Everyone involved in providing and supporting healthcare plays a role in maintaining the privacy of people’s information that healthcare provider organisations hold. This means making sure everyone is secure in their online behaviours, both at work and at home.” [Source]
One of the biggest challenges facing organisations is raising awareness across all staff of the risks involved when working with data. There are financial, reputational, and legal risks in the release or loss of any data, and more so with data that may identify individuals (PII – personally identifiable information). Federally, and at state level, PII is legally protected, and it is therefore essential this data have strong governance and controls applied.
Data breaches and malicious software attacks are often successful due to the multitude of avenues through which a secure system can be attacked. We should all be aware of the risk from emails (phishing attacks, attachments with malicious functionality, requests for information) or of inserting and/or opening unknown storage devices (the USB you find in the carpark). But what about the overheard discussion in the lift, or the social media post that reveals sensitive information about your work environment that an attacker can use to breach your defences, or the text message about a parcel you’re due, a dodgy video of you, or a tax refund (which leads to a link that installs malware on your phone)? As a healthcare individual with access to controlled resources, any breach in your own infrastructure is a potential risk to the work environment as well.
What can you do to learn more?
Consider taking any courses that your employer offers that give you training on cybersecurity, even as a refresher, as attack methods and solutions do change over time.
Consider online courses, such as the Digital Health Security Awareness eLearning Course (free registration required).
The Office of the Australian Information Commissioner also has specific guidelines and action plans in place for health service providers.
For general guidance and practical advice for those who handle personal information in their day-to-day roles, there is an online e-learning course.
Adopt good cybersecurity hygiene practices and share them with your colleagues:
- Use complex passwords and change them regularly, or utilise a reputable password management solution.
- Do not share passwords between systems (particularly between home and work systems).
- Lock your workstation when you walk away.
- Think before you click.
- Are your social media posts free of personal or patient information?
- Are your emails going to the right people? Would it cause a problem if the wrong person or the public received it? Always double check the recipients before pressing send.
- Is that public Wi-Fi network secure enough for work? If it didn’t need a password, anyone could be on there looking for computers or phones to hack.
- Stay Smart Online
- Privacy in Practice e-learning (oaic.gov.au)
- Check if your username/password combination has been breached – Have I Been Pwned
Join our Cybersecurity Community of Practice
We would love for you to come and join us to learn and share about Cybersecurity best-practice.
Richard Oakham CHIA
Principal Software Developer, Gold Coast Hospital and Health Service