Photo: Daniel Stone on Wikimedia

Hacking your health

05 January 2018

Victoria’s poor cyber security in healthcare points towards widespread vulnerabilities in the Australian system. Policymakers need to realise that when it comes to cyber security, prevention is better than cure, Anthony Bergin writes.

Victoria’s healthcare systems aren’t securely configured. Outdated computer systems are putting hospitals at risk of cyber hackers. In many cases the systems are so outdated that the original developer is no longer issuing security updates. Others have poor password controls.

The Victorian Auditor-General’s office recently found 22 problems within the IT systems of Victorian public hospitals that exposed hospitals to successful cyber attacks. The auditor concluded that there’s a risk of hackers circumventing security processes and stealing or altering hospital financial or patient data.

And if you think that the rest of Australian healthcare has better cyber security, think again. It’s likely that similar findings would also apply in other Australian states. And this poor security leaves us vulnerable in numerous ways.

Attackers could cause Denial of Service attacks and restrict healthcare users from utilising health services. This year in the US there was a voluntary recall by the Food and Drug Administration of 465,000 pacemakers due to the possibility of hackers reprogramming the devices.

The emergence of Internet of Things medical devices being connected to healthcare networks also poses risks: they allow hackers direct Internet access into hospital systems.

There are no state or national standards for the security of such devices. Many of these devices – like CT scanners – aren’t designed to be patched. Malicious individuals could take over the devices and gain unauthorised access to health networks.

A targeted cyber attack on the healthcare sector could affect the care provided to thousands of patients. And it wouldn’t be the first time. In August hackers took down the computer systems of a major trauma centre in the US for six weeks, while the recent WannaCry ransomware attack took out over 60 National Health Service Trusts in the UK.

It’s only matter of time before cyber attackers target our healthcare networks. Access to patient information could lead to identity theft, fraud or blackmail.

Hackers target medical institutions because they are soft security sites with easy access to a powerful ID dataset that may contain a patient’s name, address, Medicare number, date of birth and even driver’s licence details.

While financial details such as credit card details are usually stored in more secure systems, a criminal seeking to create false identities has an excellent start with the information contained in the average medical record.

We have to have confidence that health data won’t be stolen, because the consequences could be so serious. Such information could be used in everything from school bullying to workplace discrimination. Employers are already screening prospective employees via their social media accounts. The addition of a perceived adverse health profile may make someone unemployable.

The My Health Record information system is an online summary of our health information. By the end of next year almost all patients will have a digital health record. This should bring more timely access to important health information for both consumers and their treating healthcare providers. As it’s moving from an opt-in system to an opt-out system, there needs to be confidence that data is secure. We need to ensure that proper logs are kept showing when data is accessed and by whom.

Medical data is moving into the digital era at a record-breaking pace. X-rays, pathology results, pharmacy records and even online consultations via telehealth are now all within the digital sphere.

Patients are being entrusted with this e-data via the cloud in the push for patient-centred care. This data will be accessible anywhere in Australia by any health provider caring for the patient.

The benefits are huge, including avoiding duplication of expensive testing, errors in prescriptions, missed or unknown previous illnesses to name a few. But the risk is that the pace and push for e-data will outstrip the security needed to safely manage it.

Australia some years ago shunned the Australia Card. As such, we have no unique identifier in this country. How will we even know we have the correct patient when we access the cloud?

Centralised storage of healthcare personal information could be targeted by hackers. This year we saw the federal police launch an investigation into the leak of sensitive Medicare details, which were allegedly sold by criminals on the ‘dark web’. Last October there was a massive security breach of personal data of over 50,000 blood donors which included information about ’at-risk sexual behaviour’ leaked from the Red Cross blood service.

Doctors are looking for functionality and ease of use: interfaces that are designed to provide access to patient information at point-of-care in a form that’s attuned to the diagnostic process.

But our health care system struggles to achieve this. Many systems are time-consuming and difficult to use. These systems are often plagued by multiple passwords for access. There is a significant tension between making such systems simple enough to access and use and, at the same time, secure.

Hospitals don’t want to spend money on things that aren’t related to patient health. IT security isn’t often seen by hospitals as related to patients’ care. IT for health is expensive to develop, costly to buy and difficult to interface with myriad different hospital systems.

But our healthcare industry has been lucky not to get caught up in a major cyber security incident. Such an attack could have catastrophic consequences and affect the lives of thousands of patients. Our healthcare systems need to work closely with our cyber security bodies. We’ve been warned.

This piece was first published by Policy, the website of the Asia and the Pacific Policy Society and Crawford School.

Filed under:

Updated:  18 May 2024/Responsible Officer:  Crawford Engagement/Page Contact:  CAP Web Team