
Privacy & Security

By Mike Miliard | 02:00 pm | February 12, 2019
The agency is dealing with interoperability and cybersecurity, just like everyone – but add to those hurdles a vast and work-intensive EHR overhaul, stringent budgetary requirements and challenges with workforce visibility, and the DHA has a tall order.
By Nathan Eddy | 12:35 pm | February 12, 2019
The updated infrastructure offers baked-in data anonymization as well as advanced encryption and user permissioning, built on Bitfury’s Exonum private blockchain framework.
By Staff Writer | 01:00 am | February 12, 2019
The cybersecurity implications of medical devices have come under scrutiny as the digitisation of healthcare reaches a wider net of professional, personal and public environments. In a bid to consider and plan for an evolving cybersecurity landscape and maintain patient safety, the Therapeutic Goods Administration (TGA) has released draft regulatory guidance on cybersecurity for medical devices, in line with the existing regulatory requirements.

The Medical Device Cybersecurity Draft Guidance and Information for Consultation report calls for a clear regulatory environment for connected medical devices and identifies strategies to influence the approaches of those who use medical devices.

“Connectivity and digitisation of medical device technologies may help improve or increase device functionality. However, the connection of devices to networks or the internet exposes devices to increased cyber vulnerabilities that can potentially lead to unacceptable risk of harm to patients,” the report identified.

“These include denial of service or intended therapy, alteration of personal health data or alteration of device function so that it can cause actual patient harm.

“In 2016, the Australian Government released Australia’s Cyber Security Strategy, detailing priority actions to improve Australia’s general cyber security posture, alongside supporting the growth of the local cyber security industry… In line with this, the continued safety, quality and performance of medical devices impacted by cyber-related issues is the responsibility of the TGA.”

According to the TGA, operating environments are highly variable and cybersecurity risks depend on the knowledge, expertise and approach of the users of medical devices.

“A compliant medical device will only be as secure as the most vulnerable aspect of the system it is expected to operate in. Users of medical devices also share responsibility for providing a cyber secure environment for these devices to operate in,” the report stated.

WHAT IS NECESSARY?

Key to the implementation of medical devices, according to the report, is the development of a “clear and well documented” risk assessment and business continuity strategy, where the goal is to develop an environment in which risk to patients is minimised. It includes an injunction for device manufacturers and users to develop a cybersecurity strategic plan, which includes a cyber-specific risk assessment and response strategies.

“The plan should have clearly defined event response procedures that define the responsibilities of each department in the event of an incident, and emphasise the importance of each area being familiar with these procedures,” it said. “The strategy will need to be revised as new types and classes of connected medical devices are added to the healthcare environment.”

Cross-functional collaboration is a tool that the report claimed is essential for effective cybersecurity control of medical devices. The TGA said healthcare service providers should aim to facilitate an environment which drives cross-functional collaboration between the biomedical, clinical support and IT teams, helping all areas develop a better understanding of the work completed within each team.

“The biomedical team should… engage with medical professionals within the healthcare organisation to help broaden their understanding of the operating profile of their devices, the technology under their management, implementation of cyber security controls and the associated risk,” it said.

Collaborative procurement is another area for improvement: updating procurement practices to ensure the purchase of appropriately secure devices will create greater demand for improved cybersecurity within medical devices, the report identified. “[One way is to] incentivise procurement teams to work with IT and biomedical teams on the procurement of new medical devices to help ensure that cybersecurity is a measurable factor in procurement.”

The report also suggested that organisations develop an inventory and risk profile of the current state of connected medical devices, providing insight into vulnerabilities in the operating environment. This inventory could include information such as the operation and purpose of a medical device, its secondary uses, who the primary users are, the expected life-span of the device, support agreements in place and support for critical components.

The report also called for more general training for all staff within organisations to raise baseline security awareness and skills. “Many professionals in the health and medical sector have received little training on cybersecurity. [Organisations need to] actively work to create a culture of cyber security awareness, vigilance and reporting, and regularly communicate potential cyber security issues,” it said.

Segmenting the corporate network from the biomedical network could also help defend against cybersecurity attacks. “Ideally, this should be done with an internal firewall. This will significantly reduce the risk of malware spreading from one network to another. Medical devices should be segmented into logical groups (manufacturer or modality) to reduce the attack surface. When possible, medical devices should be isolated,” the report said.

In addition, it recommended that healthcare organisations consider implementing multi-factor authentication for staff access to networks, especially in areas of high traffic, and reduce privileges to only those required.

“Access to the network is critical for most medical devices, especially with an Electronic Medical Record (EMR) system. Ensuring that only authenticated access is provided is key, but when credentials are compromised it can be challenging to define authenticated but unauthorised access.

“So, regular reviews of network access should be completed. These must be managed to ensure usability of systems is not adversely impacted.”

The report also said that more focus should be given to securing medical devices themselves, rather than just ICT equipment. “Monitoring the internal and external environment for medical device abnormalities and cyber security threats is important to building a stronger cyber security posture. One advantage of monitoring medical devices is that their range of normal operation is narrow. This means that anomalies can be easier to spot in medical devices than ICT equipment,” it identified.

The TGA has invited industry, peak bodies, professional and consumer groups, and individuals to provide comment on the draft guidance. Submissions for comment close on 14 February and will be used to help inform the final guidance document.
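The report’s point that a medical device’s normal traffic range is narrow can be turned into a simple per-device baseline check: learn the few destinations each device talks to during a known-good window, then flag anything new, with extra weight on destinations outside the biomedical segment. This is an added illustration, not code from the TGA guidance or the article; the device names, addresses and biomedical subnet are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (hypothetical device IDs and addresses):
# each record is (device_id, dst_ip, dst_port, protocol).
BASELINE_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, "tcp"),   # EMR integration server
    ("infusion-pump-07", "10.20.0.9", 123, "udp"),   # NTP time source
    ("ct-scanner-02", "10.20.0.12", 104, "tcp"),     # DICOM to PACS
    ("ct-scanner-02", "10.20.0.9", 123, "udp"),
]
LIVE_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, "tcp"),
    ("infusion-pump-07", "10.30.1.40", 445, "tcp"),  # corporate file share
    ("ct-scanner-02", "10.20.0.12", 104, "tcp"),
    ("ct-scanner-02", "203.0.113.17", 8443, "tcp"),  # unknown external host
]
BIOMEDICAL_SEGMENT = ip_network("10.20.0.0/24")  # hypothetical biomedical VLAN


def learn_baseline(flows):
    """Record the (dst_ip, dst_port, proto) tuples each device used during a
    known-good observation window. Devices talk to very few endpoints, so the
    per-device set stays small and comparisons stay cheap."""
    baseline = defaultdict(set)
    for device, dst, port, proto in flows:
        baseline[device].add((dst, port, proto))
    return baseline


def classify_flow(baseline, flow):
    """Return None for an expected flow, or a reason string for an anomaly."""
    device, dst, port, proto = flow
    if (dst, port, proto) in baseline.get(device, set()):
        return None
    if ip_address(dst) not in BIOMEDICAL_SEGMENT:
        return "new destination outside biomedical segment"
    return "new destination inside biomedical segment"


def detect_anomalies(baseline, flows):
    """Return [(flow, reason)] for every live flow that deviates from baseline."""
    return [(f, classify_flow(baseline, f)) for f in flows if classify_flow(baseline, f)]


if __name__ == "__main__":
    for flow, reason in detect_anomalies(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(f"ALERT {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}: {reason}")
```

The baseline window must itself be reviewed against the device inventory before it is trusted, otherwise an already-compromised device teaches the detector its own abnormal traffic.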
By Nathan Eddy | 10:12 am | February 08, 2019
They’re not entirely new but each brings fresh twists health and IT executives will need to keep pace with moving forward.
By Staff Writer | 01:00 am | February 08, 2019
The health sector has topped the list of notifiable data breaches for the fourth consecutive quarter, as identified by the Office of the Australian Information Commissioner (OAIC).

In its latest Notifiable Data Breaches Quarterly Statistics Report, which captures data breach notifications received between 1 October and 31 December 2018, the OAIC said the private health service provider sector reported the most data breaches, accounting for 54 of the 262 breach notifications received.

Of these notifications, 54 per cent were the result of human error, including incidents involving communications sent to the wrong recipient, insecure disposal of personal information, or loss of paperwork or a data storage device. Malicious and criminal attacks were the second largest source of data breaches from the health sector, at 46 per cent. Cyber incidents were the most common type of attack, accounting for 44 per cent, while theft of paperwork or a data storage device was the second most common type of attack (32 per cent).

The OAIC said these notifications do not include those made under the My Health Records Act 2012, as they are subject to specific notification requirements set out in that act. In addition, it stated that most of the health sector notifications in the period involved the personal information of 100 individuals or fewer (59 per cent of breaches).

The report also showed that the number of notifiable data breaches is on the rise. Between 22 February 2018 (when the notifiable data breaches scheme commenced) and March 2018, the sector reported 15 cases. Between April and June that year there were 49 cases, and between July and September 2018 there were 45 such cases. The latest quarter’s results are the highest to date.

INDUSTRY RESPONSES

As one of the most data-rich and vulnerable sectors when it comes to cybersecurity, the health sector faces the unique challenge of balancing security with accessibility to patient records while, at the same time, coordinating care that supports a patient-centric approach to healthcare.

Zscaler ANZ Country Manager Budd Ilic said it was becoming increasingly clear that traditional security solutions are no longer up to the task when it comes to protecting organisations. “Our environments and architectures are now so complex it’s difficult, if not impossible, for practitioners to effectively monitor their environments and is a contributing cause to incidents like these,” Ilic said. “The growing usage of mobile devices and cloud-based applications and services means users are not protected, and internet gateways are unable to handle advanced threats.”

Ping Identity Asia-Pacific Chief Technology Officer Mark Perry said balancing security with customer convenience and employee productivity has never been an easy exercise. “But, there is really no excuse these days as modern authentication solutions provide the means to secure the most common enterprise attack vectors without getting in the way of the employees, partners and customers who need access,” Perry said. “As a result, IT professionals need to understand the value and effectiveness of the appropriate security controls for their businesses before taking a one-size-fits-all approach to protecting data.”

CQR Consulting Co-Founder and Chief Technology Officer Phil Kernick said the mix of human error and malicious attacks that makes up the source of the majority of data breaches will see an “expensive enforceable judgement” against at least one Australian company which finds itself in breach of the legislation.

“If this should happen, there will be a scramble among businesses to adopt a heightened data security, risk and compliance culture, who until now may have taken a rather laissez-faire approach to their cybersecurity footing,” Kernick said. “The good news is that Australian businesses will continue their mass migration to the cloud in 2019 and while the cloud is not without its vulnerabilities, the security measures which cloud providers offer as standard will be a positive step forward.”

Aura Information Security Australia Country Manager Michael Warnock agreed, and added that the healthcare industry should understand the data risk if insecure cloud practices aren’t addressed with robust security measures and ongoing workforce education. “Many [organisations] will remain a happy hunting ground for cyber criminals as company management continue their reluctance to allocate investment for high-tech protection. At the same time, they don’t expect an attack to happen to them, so they refrain from elevating the issue on their training agendas,” Warnock said. “The harsh reality is, cyber attacks will continue to grow in both frequency and complexity over the coming year. [Organisations need to] implement ongoing training to teach employees to recognise potential threats, adopt responsible data protection behaviour and allocate sufficient funds to cover protection measures commensurate with their risk profile.”

LogRhythm Asia Pacific and Japan Senior Regional Marketing Director Joanne Wong addressed the need for healthcare providers to take a more holistic approach to cybersecurity and practise good IT and security hygiene, such as patching systems and applications, updating and modernising their systems, applications and infrastructure, and controlling access to only those that need it. “They also need to be able to validate identities, and encrypt or apply other safeguards to critical business systems and data,” she said. “There’s no doubt that any company having anything of digital value will eventually be compromised. The question is, how fast can a security operations team detect these compromises and neutralise threats? Businesses don’t stand a chance without sophisticated analytics and modern workflow automation that can drive accurate threat detection.”

LOOKING TO THE FUTURE

SailPoint Chief Product Officer Paul Trulove said that with only four OAIC notifiable data breaches reports issued, spanning a period of less than a year, it’s “impossible to determine” whether these patterns will continue into the future, especially as Australian businesses continue to learn how to report breaches. “Health service providers are a gold mine of valuable personally identifiable information for cybercriminals, especially as more health information is digitised,” he said. Trulove added that the report findings highlight that healthcare has a long way to go to improve its security posture.

“The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers. This is a trend we do not expect will ease up, as hackers now know that users offer them the keys to the proverbial kingdom, once compromised,” he said. “The most secure path forward for organisations today continues to be taking a comprehensive approach to security, one that puts identity governance at the centre, ensuring visibility and governance over all users and their access to all applications and data.”

WatchGuard Technologies ANZ Country Manager Mark Sinclair said that for healthcare organisations to stay out of these quarterly reports, they will need to have in place business continuity plans and a “well-balanced cybersecurity strategy”. “This strategy will spread funds across threat prevention, detection and response, user education, business continuity and disaster recovery,” he said. “And why not test that plan in 2019 to see your technology and employee response in the event of a disaster? Prior preparation could be the difference between picking up the pieces and closing your doors.”
By Bill Siwicki | 02:42 pm | February 06, 2019
The major academic health system is working with machine learning analytics vendor Splunk to create a new system to guard against misuse of controlled substances, including opioids.
By Tom Sullivan | 10:19 am | February 05, 2019
Pew’s director of HIT Ben Moscovitch says consumers prefer biometrics, notably fingerprinting, facial recognition and iris scans, for a unique identifier.
By Nathan Eddy | 10:02 am | February 05, 2019
The industry is faring worse than others in complying with the European Union’s General Data Protection Rules, one expert says.
By Mike Miliard | 02:59 pm | February 04, 2019
GA4GH, with more than 500 healthcare and IT members, works to create frameworks and standards to enable voluntary and secure sharing of genomic and precision medicine data.