Aged Care faces significant cyber risk and is urged to act now
Aged care is an important sector of the Australian economy – worth $22.2 billion – and growing faster than GDP as it rises to the challenge of a rapidly ageing population. It is also a sector facing significant cyber risk.
The 1,800-plus organisations providing aged care services across Australia are often smaller businesses, many operated by charities or as not-for-profits. Their main focus is necessarily on the people that they care for rather than the computers and communications systems that they operate – but this leaves them increasingly vulnerable to cyber-attacks, system failures and data breaches.
There have already been a series of incidents where aged care providers have endured data breaches and systems outages which have left them without easy access to records, essentially paralysing them until computer access is restored.
And, while aged care might not seem an obvious cyber target, the sensitive personal, ACAT and health records that aged care providers hold are of great interest to hackers as a precursor to identity theft. It’s why a health record sells for far more on the dark web than a credit card number.
Since February, any serious breaches of personal data (affecting organisations with revenues of $3 million and over, or any business holding healthcare records) must be reported to the Office of the Australian Information Commissioner. The challenge for many aged care providers is that without better systems oversight they might not even know their systems have been compromised.
With significant penalties for failure to report, and the attendant brand and reputational damage that a cyber breach can have – it’s time to take action.
As the population ages, the cyber challenge will become even more significant – particularly as people who have grown used to emails, smartphones and the internet seek aged care themselves.
Today more than 15 per cent of the Australian population is aged 65 and over, and 13 per cent of them are 85 or older. The cohort of 3.7 million 65+ year-olds is tipped to rise steadily through the century – and more than double, to 8.7 million, by 2056.
These will be people used to ubiquitous access to technology who will expect much the same as they enter aged care, and embrace online social media as a way of staying connected to friends and family. But residents are also potential targets for socially engineered phishing attacks – where the unwary click on a link in an email, or download an attachment, only to find their and their aged care provider’s computer systems become a victim of ransomware or a target for malware and computer viruses.
Of course, not all cyber breaches are the result of deliberate attacks – many arise from genuine accident or carelessness. No matter the cause though, the effect is the same – a breach of trust, and potentially a significant blow to an organisation’s brand and reputation.
During 2017, 114 data breaches were reported to the Office of the Australian Information Commissioner under the then-voluntary data breach notification regime. After mandatory notification came into force in February, 63 incidents were reported in the first six weeks, highlighting the degree of under-reporting in the past.
Health service providers and charities were among the top five sectors affected, and 33 per cent of breaches involved health information.
Aged care is now considered a serious target for cyber-attack and at high risk of accidental data breach that may be triggered either by unwary residents or staff.
Aged care providers are growing rapidly to keep pace with the demographic shifts already underway and surging demand for their services. They are also keen to innovate and exploit modern technologies for both the efficiencies and insight they promise and are increasingly turning to mobile technologies, cloud computing, big data analytics, wearable and assistive technology.
As a result, the wealth of data that is collected increases, but so too do the potential entry points for an attack.
Take, for example, continually connected employees. A workplace transformation is already underway with many more digital natives and tech-savvy workers being hired – by 2028 Generation X, Y and Z workers are forecast to make up 95 per cent of the Australian workforce. This mix will expect anytime, anywhere access to data and connectivity.
So too will residents. Research shows that 2.7 million Australians aged 65 and over use the internet each day. Their internet access expectations won’t shift as they transition into aged care facilities – instead their appetite for connectivity will likely grow as they turn to social media to maintain connections with family and friends.
Aged care providers and directors need to ensure that cyber security and systems resilience receive the proper attention and governance that they require, and that staff and residents are kept informed about best cyber practices to ensure they and their data stay safe. Business continuity plans that feature computer disaster recovery planning, playbooks for responding to cyber-attacks or data breaches, and appropriate levels of cyber insurance are also recommended.
In Aon’s 2017 Global Risk Management Survey, 45 per cent of healthcare industry respondents identified cyber as a Top 10 Risk and Top 5 emerging risk in 2020. It is unlikely to abate any time soon.
The Australian Signals Directorate’s Essential Eight guidelines provide a useful outline for aged care providers seeking to better protect themselves from cyber-attacks or data breaches.
In addition, aged care providers are advised to:
- Review their current data collection and get clarity about what records are stored where and how;
- Examine existing access and data storage policies, and update where required;
- Work with independent consultants on a cyber risk assessment and mitigation strategy;
- Ensure appropriate training and education for staff, and provide information to residents and residents’ families about safe online practices to reduce the risk of social engineering or phishing; and
- Consider cyber insurance to provide peace of mind and expert support in dealing with any breaches, including OAIC notification and remediation requirements.