Healthcare IT security needs a thorough checkup

A flood of industry-wide security breaches has seriously compromised Australia’s healthcare IT security. The breaches have gained a lot of media attention for all the wrong reasons, and many Australians now have genuine concerns about the nation’s poor cybersecurity and irresponsible management of sensitive personal information.

In January 2016, the Royal Melbourne Hospital was attacked by a virus via its dated Windows XP operating system, which paralysed the pathology department and caused general mayhem for operations on the floor. Following that, in September 2016, University of Melbourne academics discovered that Medicare IT security was seriously compromised, giving hackers easy access to highly sensitive information about patients and healthcare professionals.

As global cyber attacks become increasingly sophisticated and almost commonplace, the potential impact on our lives has never been so great. Not too long ago, Britain’s National Health Service needed to reschedule appointments and routine operations after a virus attacked critical systems. But this sort of incident is minor (yes, minor) compared to the US health insurer Anthem, which lost 78.8 million records following an attack, or the Korean Pharmaceutical Information Centre, which lost 43 million records in a similar breach.

When lives are on the line, IT can wait

Healthcare IT security is in a bind, which means rich pickings for cybercriminals and bored teenagers. Like most industries, healthcare is caught up in an accelerating digital transformation—and it’s hamstrung by budgetary and privacy concerns.

It’s difficult for a healthcare IT manager to argue for millions to upgrade security against hypothetical threats when that money can be spent on medical equipment that’ll save hundreds of lives. Even if the budget isn’t an issue, you’re constrained by privacy regulations. Rules and regulations keep sensitive medical information stored on outdated and vulnerable but familiar technology, like Windows XP computers. When it comes to newer technology—like the cloud—IT managers will be reluctant to use something that hasn’t been proven safer.

The fate of an industry

In March 2017, the Institute for Critical Infrastructure Technology released a paper warning that the healthcare industry “is the primary perpetual target of cyber attackers due to the massive amounts of disparate data collected, stored, and inadequately protected.” In 2016, the Breach Level Index found that the healthcare industry experienced more than a quarter of all breaches in Australia. To put that in perspective, the government accounted for 14 percent and the finance sector made up 12 percent. Hackers are coming for your medical records, big time.

So far, healthcare hackers have confined themselves to ransomware attacks. That said, it doesn’t take much imagination to identify other business opportunities, like identity theft or blackmail. How much would a prominent individual be willing to pay to avoid revelations about a medical condition, for example? Big institutions like the Red Cross can survive breaches, but what are the consequences—in terms of reputation, business equity, and legal expenses—for a small, private hospital if the medical histories and credit card details of their patients end up on the internet?

IT security triage starts with the weakest link

Eventually, there will be a hack big and ugly enough to motivate Australian healthcare administrators to get serious about security. Until then, IT managers will find themselves in a triage situation. One weak spot that’s relatively cheap and easy to address is healthcare printer security. In other words, you can prevent printers in healthcare facilities from being targeted by those pesky hackers.

Overlooking printer security is way too common, and printers can be exploited to execute code and leak information. They’re often connected directly to the company’s network or accessed wirelessly through protocols like Apple’s AirPrint, which means anyone with access to print can execute a potentially harmful command.

Fortunately, most IT managers won’t need to persuade their boss too much about the clear benefits of upgrading to new high-security printers, which use superior technology and are designed to keep crooks away from your sensitive data files. This might be the best first step down the path of tighter IT security in healthcare. It’s up to you to identify the best route to follow next to fully secure your organisation’s IT environment.