Cyber and health professionals.

In Australia a cybercrime is reported every ten minutes, with medical practitioners increasingly being targeted. But the good news is there are simple things you can do to protect yourself and your practice.

Like health care professionals, cyber security professionals are used to change and challenge. As digital technology has become more entrenched in health care, so too have the audacity, skill and reach of cyber adversaries grown. The growth in cyber-criminal groups now threatens the delicate equilibrium of safety and security that underpins our digital society. That threat has never been more prevalent for medical practitioners and their patients than it is right now.

This year has been especially profitable for cyber criminals. They thrive in an environment characterised by fear and uncertainty, and the COVID-19 pandemic has presented them with healthcare-specific victims, scams and exploits. Increasingly, medical providers are being seen as an easy and lucrative target. The numbers speak for themselves:

  • Spear-phishing attacks[1] related to COVID-19 have increased over 600% since February.

  • COVID-19 phishing attacks gain three times the clicks[2] of other scams.

  • From April to June Facebook applied warning labels to 98 million pieces[3] of COVID-19 misinformation.

Staying in front of a range of extant and new cyber threats is a growing challenge which requires effort from all of us. The risks have become especially sharp for healthcare professionals. In the January-June 2020 Notifiable Data Breaches Report[1] published by the Australian Privacy Commissioner, the health sector is again the highest reporting sector, accounting for nearly 1 in 4 of all reported breaches.

Cyber criminals are homing in on medical practitioners because patient records are worth three times as much on the dark web compared to bank data.[2] Health care information is valuable because, unlike credit cards and bank accounts, it can’t be easily changed.

The stakes for health professionals are high: patient data is used for insurance fraud and identity theft, and the irrecoverable corruption of patient records can lead to malpractice.

Diving deeper into the Data Breaches Report reveals some concerning trends. Of the cyber incidents reported to the Privacy Commissioner, health care service providers accounted for 37%. In all but one of the cyber incident categories (phishing, stolen credentials, malware, ransomware, hacking and brute-force attacks) health professionals took pole position.

This increasing focus on the health care industry by cyber criminals is not surprising. Yet many health care services believe they are too small to be a target. This couldn’t be further from the truth. Medical practitioners across the board, from GPs to surgeons, are what is known as ‘whales’ in the cyber-crime sector. This means they are a high-value catch and cyber criminals will go to extreme lengths to lure them.

There is enormous value in the information collected, generated and communicated across the health care supply chain. As well, hospitals and health care providers typically use a range of poorly secured legacy information systems, have urgent and concurrent demands placed on them, and have lower levels of cyber and digital literacy compared to other sectors.

These elements combine to create a tempting mix for a range of cyber actors who seek to steal information and data, monetise ransomware attacks and focus on high-value individuals for identity theft.

It is not all bad news – up to 90% of successful cyber-attacks can be mitigated by focusing on good ‘cyber hygiene’. This means understanding the cyber threat environment, being careful with passwords and keeping an eye out for phishing attacks.

Cyber risks will continue to evolve, and it is important that medical practitioners know where to get help with managing these risks for their practice. This should include:

  • building your own and your people’s cyber resilience through awareness training and workshops

  • regularly reviewing your cyber security posture, including use of cloud services

  • understanding what to do in response to increasing regulatory and privacy requirements

  • developing plans for incidents and data breaches
