Prevention is better than a cure, writes Ajay Unni.
In early 2021, the Australian Cyber Security Centre (ACSC) sent shockwaves around the aged care industry when it reported that cyber security incidents relating to the Australian healthcare sector had increased by 85 per cent in 2020.
The health sector reported the highest number of cybercrime incidents to the ACSC in 2020 outside of government and individuals.
With the aged care sector struggling to cope with the devastating effects of the COVID-19 pandemic, these attacks couldn’t have come at a worse time.
The sector is still fighting the ever-present threat of the COVID-19 virus, but unfortunately, the prevalence of cyber threats means there’s more than one kind of virus to fight.
Cyber attacks can cause serious distress among aged care residents and staff alike. Attacks can result in sensitive personal information being leaked online, or crashed systems resulting in harmful mistakes and mix-ups with patient care.
In the past, ransomware has resulted in documents with details of individual residents’ care and accommodation agreements, employee appraisals and passwords relating to one of the company’s facilities being posted to a public website.
In another example, an attack blocked staff from accessing patient records, booking and management systems, resulting in a wide range of logistical and care-related issues.
These are serious issues that must not be taken lightly. So how can aged care providers take action and start tackling this ever-present issue?
In my experience, most companies only invest in tackling cyber security when they see a dire need or motivation, or after an attack has already taken place.
However, it’s much better for businesses to tackle these issues before an attack takes place because, as in many areas of life, prevention is better than a cure.
Aged care leaders and board members must realise the vital importance of having a cyber security process in place well before an attack occurs and understand the wide range of benefits that come with strengthened security.
Cyber security starts from the top
Company directors and boards carry huge responsibilities and they need to be aware of how a cyber attack can impact themselves and their organisation.
Not taking these responsibilities seriously can have severe legal, reputational and financial implications, both personally and for the company as a whole.
Board members must ensure that cyber security is set as part of the board’s agenda, with time set aside to build a cyber security strategy.
This includes appointing someone in the management team to lead and be responsible for cyber security, along with checking that your board’s risk register includes cyber risk.
The risk register must be updated regularly and tabled at the board meetings.
Finally, the leadership should take part in cyber security awareness courses and training so they have a deep understanding of the true nature of the threat.
Once leaders have a better understanding of how serious the threat really is, they’ll be far more likely to take action.
Training, training, training
Alongside leadership training, all staff members must be made aware of the risks presented by cyber attacks.
Compromised business emails are a very common and persistent threat to organisations big or small, and staff must remain vigilant of phishing attacks at all times.
For example, an attacker might use a technique called typosquatting, where the scammer uses a lookalike name. Google.com might become Goog1e.com or Gooogle.com, with the scammer hoping the victim may miss the spelling mistake and assume the email is legitimate.
Without the right training in place, it’s far more likely that staff would overlook these small inconsistencies and open a malicious link.
With scammers getting more and more sophisticated, the risk is only increasing over time.
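The lookalike-name trick described above can also be caught automatically before a message reaches staff. The following is an added example, not part of the original article or the author's own code: it compares a sender's domain against a list of trusted domains and flags near-misses such as Goog1e.com and Gooogle.com. The trusted list, the character map and the function names are assumptions made for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain."""

# Digits commonly swapped for a similar-looking letter (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Assumption: the organisation keeps its own list of domains it really deals with.
TRUSTED = {"google.com", "health.gov.au"}


def skeleton(domain: str) -> str:
    """Lower-case, map look-alike characters, and collapse repeated characters."""
    mapped = domain.lower().strip(".").translate(HOMOGLYPHS)
    out = []
    for ch in mapped:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender: str, trusted=TRUSTED, max_distance: int = 1):
    """Return (verdict, matched trusted domain or None) for an email address."""
    domain = sender.rsplit("@", 1)[-1].lower().strip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        same_shape = skeleton(domain) == skeleton(good)
        if same_shape or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders; the two lookalikes are the article's own examples.
    for s in ["news@google.com", "billing@Goog1e.com", "it@Gooogle.com", "info@example.org"]:
        print(s, classify(s))
```

A check like this complements staff training rather than replacing it, since a domain that is merely unknown is not flagged.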
Prevention better than cure
When given a choice, human beings have an innate tendency to take the path of least resistance. As an example, it is widely understood that preventative care including eating healthy, exercising and avoiding smoking or drinking will drastically improve your health, and yet people still fail to take action.
Similarly, cyber security has some basic hygiene principles and if aged care providers can follow them to the letter, they can protect themselves and mitigate the massive risks.
Basic password hygiene and multifactor authentication can go a long way towards a better-protected system. Passwords should be rotated at the very least every 60 days and should be at least eight to 10 characters long, with at least one number, one capital letter and one special character.
Some common examples of multifactor authentication include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, a physical object such as a security token or bank card, or fingerprint, face, or iris scanning.
Consider which option makes sense for your facility, and ensure all staff are aware of why the process is in place and how it works.
With the right training, processes and technology in place, the aged care industry can put itself in the best possible position to tackle the ever-present threat of cyber breaches. The threat is real, and it’s time to take action – before it’s too late.
Ajay Unni is the founder of cyber security specialists StickmanCyber, a member of the 2020 NSW Government’s Cyber Security Task Force and a contributor to the 2021 NSW Government Cyber Security Strategy.
This story appears in the November-December 2021 edition of Australian Ageing Agenda magazine.