Posted: 24 Nov. 2020 05 min. read

In good health

Upgrading cyber security is key for healthcare

The Australian Government has recently released its Cyber Security Strategy 2020. As part of our series exploring the new strategy, this blog looks at the implications for the Australian healthcare sector.

The healthcare sector is the ‘sleeping giant’ of the Australian economy. It’s the country’s largest employer, with roughly 13 percent of the working population contributing to it. But now, the COVID-19 pandemic has shone a light directly at the giant – causing it to stir.

The pandemic has demonstrated how a health challenge can have a devastating impact on the economy, safety and public morale of a nation. For this reason, it is welcome to see the healthcare sector elevated in the Australian Cyber Security Strategy 2020 as a Critical National Infrastructure – as the power and energy, utilities, defence and telecommunications sectors have previously been.

It is also increasingly necessary. Over the next few years, there will be a considerable digital uplift in the health sector. Not only will this keep systems and technology contemporary but it will ensure Australia can respond effectively and efficiently to any further pandemics. The proliferation of healthcare information that is sure to follow will require stringent and pragmatic controls. This is critical to ensure the public’s personal data is protected, and Australia’s national interests are not exploited or subverted through foreign interference.

Lifting the cyber security posture of the healthcare sector is a challenge, given the size and scale of the industry. It includes primary, secondary and tertiary care, life sciences, allied health, aged care and healthcare support services – with little consistency in systems, processes, security maturity and budget. Harmonising all these players to a common cyber security standard requires a flexible and scalable model that supports their different profiles based on the risk they pose to the system as a whole.

It also requires a change in mindset. Security in the healthcare sector is a relatively new concept. By contrast, the financial services sector has been actively protecting its commodity for hundreds of years. Until fairly recently, the healthcare sector has not needed to worry about protecting health information – it’s been locked away in a filing cabinet or desk drawer with little value to criminals.

Now, with the proliferation of technology-enabled healthcare and the digitisation of patient records, clinicians must turn their attention to the protection of sensitive health information in cyberspace. Cyber security and the protection of a patient’s personal information is now a component of providing safe clinical care.

Due to the vast size, scale, breadth and depth of the healthcare sector, the Australian Government will have a complex challenge in ensuring the protection of the industry as it does for other components of Critical National Infrastructure. A one-size-fits-all approach to regulation and industry standards will be a difficult task for a sector that employs so many people in so many different organisations – with such a broad spectrum of cyber maturity and resources.

Healthcare organisations should start planning for this future now. There is little doubt that cyber security will become more prevalent as an issue, and as a threat, for the sector as a whole. By proactively taking steps to understand their IT environments, identify where the sensitive patient information is held and assess the cyber risks, healthcare organisations will lay the foundations for good cyber maturity into the not-too-distant future.

For healthcare organisations, balancing the investment of limited resources and funding in cyber security against the provision of clinical care is a challenging quandary. However, a pragmatic approach to continuous funding and resourcing to gradually uplift cyber security over time can strike the right balance, reducing risk without overinvesting in cyber security to the detriment of health operations.

In doing so, the healthcare sector can start to make inroads that complement the intent of the cyber strategy. The challenge of harmonising a cyber security approach with regulation to best protect the sector will be a complex and multifaceted task. But the time to lay the foundations for a more cyber safe future is now.

More about our authors

Ian Blatchford

Partner, Risk Advisory

Ian leads Deloitte’s Cyber business in Australia. He has 20 years of experience delivering technology and cyber projects to clients across the world. Ian has worked with a number of global organisations and governments to ensure the risks posed by emerging technologies are understood and managed effectively. He has worked on a number of high profile engagements throughout his career, including planning and securing events such as the G20 summit in Brisbane.

Ben Walker

Director, Cyber Security

Ben is a Director in Deloitte’s Cyber Security practice. His expertise is in Cyber Security with Human Factor and Insider Threat strategy. Ben has experience in large scale project and portfolio management, the delivery of operational information technology, data and security services. Ben has worked in cyber security for nearly 20 years and has a background in secure Government information security. He is the lead Health Care Director for Deloitte Australia’s Cyber Risk Advisory practice.