Cyber hack wake-up call: How can you protect your client data?
Last updated on 16 November 2022
The recent data breaches with large companies such as Optus and Medibank have brought cyber security to the forefront of concerns in a number of sectors, and aged care is no exception.
Data from Australian cyber security company CyberCX shows an increase in cybercrime targeting the healthcare and aged care sectors over the last few years.
According to the data, the number of ransomware attacks in the second quarter of 2021 doubled compared with the previous quarter. Experts believe this is because aged care providers hold much sought-after personal health and care records.
Getting caught up in a cyber attack can have far-reaching consequences for your business including financial loss, legal implications and reputational damage.
It is important for aged care providers to understand they are not exempt from cyber threats and should in fact be actively investing in preventing them, according to Nigel Phair, Professor of Cyber Security at the University of New South Wales.
“It’s great to have the internet and access to all the online technologies but [providers] need to invest in controls and risk management around that, and make sure they’re resilient to cyber attacks,” he said.
So what can you do to protect yourself from this increasing cyber threat?
Identifying weaknesses in your systems
The first step in identifying where your organisation is vulnerable to data breaches is to understand a number of factors about your current situation.
You should find out:
- Why you are collecting certain pieces of personally identifying information
- Who has access to that information
- Why they have access to the information
- How that access is recorded
- When that information is deleted
- What it would mean if this data was breached
From there, a competent risk assessment needs to be done, using a risk management framework to identify the areas of highest risk.
A good place to start is reviewing the cyber security policies and procedures you have in place: how much protection they actually provide, and how well your employees and clients follow them. Gaps between what a policy says and what people do are weaknesses in themselves.
That said, it's one thing to have a policy in place, but if it was written by someone who is not a cyber security professional, or is not implemented and monitored by an employee with the right capability, it's not worth the paper it's written on.
An external HR company may be best placed to review your policies to ensure they cover what is required from an organisational point of view, but you will likely also need the advice of a specialist in cyber security policy.
If you haven't already, engage a third-party firm to conduct a technical assessment. Vulnerability scanning uses automated tools to find known weaknesses in your systems and software; penetration testing goes further, with a tester working the way a malicious hacker would to try to gain access. Both will show where vulnerabilities may lie, and the findings should be fixed and then re-tested.
It is important to note that cyber security experts are exactly that, ‘experts’. Your standard web developer or IT employee, in most instances, isn’t trained in this specialised area.
Think of it like having a heart problem, you want to see the cardiac specialist in addition to having the advice of your GP.
Websites with directories of Australian cyber security firms where you might like to start looking for a consultant include Clutch and Consultancy.com.au.
Preventing cyber attacks
There are a number of types of hardware and software that can be used together to prevent a cyber attack.
These protections, referred to by Professor Phair as “controls”, include:
- Physical backup drives or encrypted drives, which may be located onsite or offsite
- Firewalls
- Multifactor authentication
- Antivirus software
- Strong passwords
Other types of controls can be found on the Australian Cyber Security Centre (ACSC) website.
Using one type of protection may help, but using a combination of these should provide stronger protections against a wider range of cyber attacks.
The ACSC suggests the top three controls to combine for stronger protection are keeping devices and software updated, multifactor authentication and regular backups, so you should start with at least these three.
You should also ensure all of these controls are kept up to date, either with automatic updates or by having a specialist update them regularly.
The CyberCX data in particular shows ransomware and data extortion attacks are on the rise.
Professor Phair said one of the best ways to combat ransomware attacks, which occur when criminals break into a system and encrypt or steal data, is to have an appropriate backup system for files.
“Having what we call a ‘cold backup’ is a very sensible thing to do, and a very cost-effective thing to do,” he said.
This could be as simple as a separate drive that files from the main drive are copied to on a schedule, but 'cold' is the important word: once the copy is made, the backup drive should be disconnected from the computer and the network. Ransomware that reaches your main system will also encrypt any backup drive that is still connected to it, so a drive that is permanently plugged in and mirrors every change is not a cold backup. Keep more than one copy, so that a backup taken after an attack does not overwrite the last clean one.
The backup should be taken often, for example daily if you are changing or adding data daily, so that you lose as little as possible in the case of an attack. Test restoring files from the backup regularly; a backup you have never restored from is an assumption, not a control.
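To make the difference between a mirror and a versioned backup concrete, the following is an added example, not code from the article or from Professor Phair. It keeps every backup run in its own dated folder with a SHA-256 manifest, so an earlier clean copy survives a later run that copies encrypted files, and a tampered backup copy is detected when the drive is reconnected and verified. The record file names and contents are constructed for the demonstration, and the `demo()` scenario stands in for a real backup drive; it uses only the Python standard library.

```python
"""Versioned backup with an integrity manifest (added example, not from
the article). Standard library only; sample data is constructed inline."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every regular file under `source` into a new snapshot directory
    and record each file's SHA-256 in a manifest.

    A fresh directory per run is the point: a mirror that overwrites a single
    copy will dutifully replace clean files with encrypted ones on the next
    run, whereas earlier snapshots here are never written to again."""
    snap = backup_root / label
    data = snap / "data"
    data.mkdir(parents=True, exist_ok=False)  # refuse to overwrite a snapshot
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = data / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snap


def verify_snapshot(snap: Path) -> List[str]:
    """Re-hash a snapshot and return files that are missing or no longer match
    the manifest, i.e. the backup copy itself has been altered since it was taken."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return sorted(
        rel for rel, digest in manifest.items()
        if not (snap / "data" / rel).is_file()
        or sha256_file(snap / "data" / rel) != digest
    )


def changed_since(snap: Path, source: Path) -> List[str]:
    """Return live files whose content differs from the snapshot. Nearly every
    file changing between two daily runs is a strong sign of mass encryption."""
    manifest = json.loads((snap / "manifest.json").read_text())
    return sorted(
        rel for rel, digest in manifest.items()
        if not (source / rel).is_file() or sha256_file(source / rel) != digest
    )


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean snapshot, simulated encryption of the live
    data, a second snapshot, then tampering with the backup drive itself."""
    work = Path(tempfile.mkdtemp())
    source, backups = work / "records", work / "backups"
    (source / "notes").mkdir(parents=True)
    (source / "care-plan.txt").write_text("resident 0001: medication review due")
    (source / "notes" / "shift.txt").write_text("night shift handover notes")

    snap1 = take_snapshot(source, backups, "snap-1")
    results = {"snap1_clean": verify_snapshot(snap1)}

    # Simulated ransomware: every live file is replaced with ciphertext-like bytes.
    for f in (p for p in source.rglob("*") if p.is_file()):
        f.write_bytes(b"\x00ENCRYPTED\xff" + f.name.encode())
    results["changed_after_attack"] = changed_since(snap1, source)

    # A second run faithfully copies the damaged files; snap-1 is untouched.
    snap2 = take_snapshot(source, backups, "snap-2")
    results["snap2_self_consistent"] = verify_snapshot(snap2)
    results["snap1_still_clean"] = verify_snapshot(snap1)

    # If the backup drive stays connected, the attacker can reach it too.
    (snap1 / "data" / "care-plan.txt").write_bytes(b"\x00ENCRYPTED\xff")
    results["snap1_after_tamper"] = verify_snapshot(snap1)

    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the scenario makes visible. First, `snap-2` verifies as self-consistent even though it contains only encrypted files: a manifest proves the copy matches what was copied, not that what was copied was good, which is why older snapshots must be kept rather than overwritten. Second, a backup copy that an attacker can write to fails verification afterwards, which is the check to run each time a cold drive is reconnected, before trusting it for a restore.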
To identify the types of controls, and the providers of them, that will best protect your data, you can start by researching the international standard ISO/IEC 27001, the most widely adopted information security management standard globally.
In case your data is breached, you can also consider cyber risk insurance – to protect you financially and help your organisation recover after an attack.
However, Professor Phair cautioned that insurance is not a “panacea”.
“It’s not the panacea but it’s just like [providers] would insure their buildings and their cars and all the other factors. But cyber insurance, just like you still lock your car and don’t leave your phone and sunglasses on the dash, cyber insurance is not the panacea, it’s like a control,” he said.
The human element
Even with all the technical protections in place, there will always be a human element to your cyber security.
To mitigate the human factor you will need to invest in training both employees of your organisation and residents of any facilities you operate.
This is because anyone using a shared network can be a target of hackers attempting to gain access to the data you store.
All employees should have cyber security awareness training, including gaining an understanding of the threats they are facing and the information they’re accessing.
Professor Phair explained employees need an “understanding of how to be good, safe, secure citizens online”.
Staff with access to more sensitive information, such as ACAT records, may need additional training around cyber risk management.
There are providers offering these kinds of training through online or in-person courses across Australia.
You can start by looking through programs on the Australian Cyber Security Centre directory matching the training your employees need.
As for residents, a basic understanding of cyber safety is likely all that is needed, as they won't have direct access to the sensitive information of other clients.
The main risk around residents arises when a shared network is used for sensitive tasks such as internet banking, not from the simple fact of connecting to a password-protected WiFi network. Where possible, keep the resident WiFi separate from the network staff use to access client records, so that a compromised resident device cannot reach that data.
The cyber safety education for residents should include:
- Not clicking on suspicious links
- Being alert to phishing emails or text messages
- Understanding how people are trying to scam them
- The use of long and strong passwords
- Turning on multifactor authentication on their accounts and devices
Whatever training you provide to residents and employees complements the hardware and software controls, and the policies, you use to mitigate the risk of a cyber attack.
Professor Phair said, above all, providers need to remember that they are not immune to these kinds of crimes, as they hold valuable data, and need to take action to prevent that data being stolen.
“They shouldn’t go thinking, ‘Why would anyone hack us?’,” he said.