Australians are experiencing a wave of attacks in a new sector: healthcare. Ever since the Australian Government Department of Health switched to the Personally Controlled Electronic Health Record, newly renamed My Health Record, there has been an increase in cyber attacks looking to retrieve personal information from patients.
This alternative way of storing health information is controlled exclusively by the individual. Each person's health details are held in an online database, and that person controls both the content of the record and who else has access to it. Similarly, health insurance companies are employing Electronic Health Records systems to document additional private details, such as credit card information. While credit card information has typically been cyber attackers' objective, many are now seeking healthcare information for a few new reasons: health care records can be sold for significantly more on the black market, up to A$1,000 each, and they contain a larger variety of information.
If unauthorised persons were to gain entry to this information, they could commit a series of frauds ranging from medical fraud to credit card theft. Because My Health Records hold a large amount of data, they give cyber criminals the opportunity to use medical record numbers to access prescriptions and to pose as patients to receive care, a new and unique threat. In addition, cyber criminals can still find traditional information, such as credit card details, and use it for their own benefit.
It is commonly assumed that responsibility for protecting information rests entirely with the individual and that there is very little health care companies can do. However, there are ways they can contribute to the protection of their customers and of any other valuable private information.
It is advisable to either create or expand a cyber security team. Many existing security teams lack the resources and leadership to sustain an effective system. This is a worthwhile investment to ensure that dedicated professionals are on hand to spot possible or ongoing attacks before it is too late.
Investing in such a team will also make certain that your hardware and software are current, strengthening your company's defence.
Another useful measure is a multi-layered authorisation scheme. For example, in My Health Record, the individual controls who else has access to their information. Currently, the individual gives a code to the person with whom they wish to share information. That person then enters the code and gains access to the individual's profile. Rather than relying solely on the code, there should be further verification to ensure that the person is indeed authorised. For example, doctors would have to enter their work identification number or their licence identification. If your company allows the individual such control, consider additional verification processes.
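The layered check described above can be sketched as follows. This is an added example, not code from My Health Record or any real system: the licence registry, the `Share` fields, the sample identifiers and the lockout threshold are all assumptions, and tying the code to the provider the patient named goes one step beyond the licence check the paragraph suggests.

```python
import hmac
from dataclasses import dataclass

# Constructed sample registry: licence number -> status (hypothetical data).
LICENCE_REGISTRY = {"MED0001234": "active", "MED0005678": "active",
                    "MED0009999": "suspended"}
MAX_FAILURES = 5  # assumed lockout threshold, not taken from the article


@dataclass
class Share:
    record_id: str
    code: str          # access code the patient hands over
    licence_id: str    # provider the patient named when creating the code
    failures: int = 0  # consecutive failed attempts against this share


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak the code.
    return hmac.compare_digest(a.encode(), b.encode())


def authorise(share: Share, code: str, licence_id: str) -> tuple[bool, str]:
    """Check every layer; the reason is for the audit log, not the caller."""
    if share.failures >= MAX_FAILURES:
        return False, "locked"
    if not _same(share.code, code):
        reason = "bad code"
    elif LICENCE_REGISTRY.get(licence_id) != "active":
        reason = "licence not active"
    elif not _same(share.licence_id, licence_id):
        reason = "licence not named by patient"
    else:
        share.failures = 0
        return True, "granted"
    share.failures += 1  # every failed layer counts towards the lockout
    return False, reason


if __name__ == "__main__":
    share = Share("rec-1", "493-771-206", "MED0001234")
    # Correct code presented by a different, validly licensed provider.
    print(authorise(share, "493-771-206", "MED0005678"))
    # Correct code presented by the provider the patient named.
    print(authorise(share, "493-771-206", "MED0001234"))
```

A leaked or overheard code is not enough on its own here: the request is refused unless the licence is active and belongs to the provider the patient chose, and repeated guesses lock the share.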
Lastly, it is pivotal to emphasise to customers the important role they play as gatekeepers to their medical information. Even where the system is not My Health Record, customers play a vital part in the struggle against cyber attacks. Send friendly reminders encouraging them to update security settings, software and hardware on their home computers, change their passwords, and so on. Doing so will show your attentiveness to your customers and their protection, instilling loyalty to your company while simultaneously protecting against data breaches.
Many criminals are taking advantage of the revamped healthcare system moving into the digital age, quickly finding weaknesses and vulnerabilities that allow them into a new world of private information. Keeping these suggestions in mind will strengthen your defence, as well as increase confidence that healthcare systems will not continue to be such easy targets.