Health care providers a weak link in governments’ cyber-sec chain

Healthcare cybersecurity Australia

A cybersecurity expert has criticised Australian governments for churning out “tokenistic” cyber strategies without much-needed detail, education or funding to tackle hackers and respond to breaches.

These cyber strategies ignore not-for-profit businesses and particularly those providing health services – a sector facing increasing supply chain attacks by bad actors as a means to “get to government”.

That is according to Greg Clarkson, managing director of Network Overdrive, a Melbourne-based IT consultancy that works mostly with not-for-profit (NFP) organisations that rely on government funding.

He frets that governments’ focus is now overwhelmingly on bolstering defences for future attacks rather than addressing immediate, real-world cyber risk that impacts organisations in the here and now.

“Governments are big on [issuing] alerts and advisory, but everyone gets drowned in this. They’re about threats that can potentially do harm.

“What we need, however, is specific information about attacks that’s real-time, situational and you can do something about,” he says.

Clarkson cites a supply chain attack involving US company SolarWinds, which saw 18,000 of its customers inadvertently install malware through updates. Among them were more than a dozen critical infrastructure companies, several federal government departments (including a public healthcare office), a hospital, and local and state governments.

NSW Health was among the victims of the attack, although the agency told ABC News its system was not compromised.

What also concerns him is hackers’ “dwell time” – often up to 20 days – in an organisation’s IT system to either hold data or operations to ransom.

“I’m not seeing anything in these [government cyber] strategies that acknowledges the problem of bad actors getting into an IT system, watching, looking and doing nothing until they’ve got the hook.

“And then, they initiate the ransomware event after they’ve already got their data. Why doesn’t the government outline how to deal with this?”

Health sector a cyber risk

He points to the health sector, including hospitals, as increasingly in the crosshairs of cyber attackers, echoing breach notice reports by the Australian Cyber Security Centre (ACSC).

The health sector accounted for the most – 85 separate incidents, representing one in five – breaches reported to the Office of the Australian Information Commissioner in the six months to June 30.

In one instance, Russian-based ransomware-as-service Sodinokibi/REvil attacked the internal IT system of UnitingCare Queensland on Anzac Day, forcing a number of healthcare providers to revert to working on paper. The organisation runs a number of health and wellbeing services in Queensland, including Lifeline and the Wesley, Buderim Private, St Stephen’s, and St Andrew’s War Memorial hospitals.

The malware encrypted the organisations’ files before attempting to delete backups and then demand a ransom to ‘unlock’ them. Following the breach, UnitingCare took almost two months to restore its key corporate IT systems.

Meanwhile, earlier this year in New Zealand, the Waikato District Health Board suffered a breach that resulted in their systems being offline for six weeks, with the personal information of about 4,200 people leaked onto the dark web.

Globally, renowned medical journal The Lancet has acknowledged the seriousness of breaches targeting the health sector, with healthcare systems and organisations it said lagging behind other industries in their cyber readiness.

On average, the health sector spends just two per cent of its operational budget on IT, about a fifth of other industries, the journal noted.

Compliance costs a big stretch for NFPs, SMEs

The Security Legislation Amendment (Critical Infrastructure Bill 2020), when it becomes law, will mandate even stricter cybersecurity obligations and standards for critical infrastructure providers in Australia, including healthcare. Governments will also have wider powers to assist an entity to respond to a cybersecurity incident.

It makes sense then that governments ask not-for-profits that provide healthcare on behalf of the Government to be cyber secure and comply with international standards, Clarkson says.

This is echoed in the Federal Auditor-General’s performance audit report, Cyber Security Strategies of Non-Corporate Commonwealth Entities, published in March.

The guidance is there, as this online cybersecurity toolkit from the Australian Charities and Not-for Profits Commission (ACNC) shows, but there is “no associated funding stream to pay for this work”, he says.

Clarkson adds that the costs to support this can be prohibitive for NFPs, and particularly so if they are small businesses. And the cybersecurity issue at hand is often not due to any fault on their part – globally six in 10 data breaches is due to vendors or third parties.

To achieve appropriate information security standards, such as ISO27001 or participation in the Information Security Registered Assessors Program (IRAP), typically costs up to $150,000, he says, plus up to $50,000 thereafter for annual auditing.

He sees a disconnect between the expectations of government in their security (both cyber and information) mandates and the capacity of these organisations to meet these requirements.

“These compliance requirements are increasingly becoming the minimum standards to do business with the Victorian Government, particularly if your organisation has got anything to do with kids.”

Government strategies ultimately force businesses to up their cybersecurity game, expecting small businesses – despite the deep pockets required to fulfil these demands – to be able to effortlessly follow suit.

“I know a number of organisations that, because of their notifiable data breach requirements, have to get a level of cybersecurity higher than anything we’re seeing in the government strategies,” Clarkson says.

Professor Asha Rao, a cybersecurity expert and Associate Dean of Mathematical Sciences from RMIT University, agrees.

These costs of compliance could prove a barrier for many, with almost half of all Australian small businesses (those with under 20 staff) currently spending less than $500 a year on cybersecurity, as well as having no qualified IT specialist in-house, stats from the Australian Bureau of Statistics show.

Among these are many primary health providers, including general practices, community health centres, allied health practices, services for dentistry, pathology, chiropractic, physiotherapy, ambulance, optometry, and specialist medical services.

There are 32,483 SMEs among the total of 159,076 businesses in the Australian healthcare and social assistance sector.

“Government [digital] strategies are tailored to the big end of town, but it’s the small end of town that’s troubling for cybersecurity issues.

“Small business cybersecurity cannot be ‘cut and pasted’ from large scale solutions, so how do you create a truly secure small or medium enterprise?”

She says under-detection of breaches was rife within small businesses due to owners’ poor technical knowledge, with many attacks revealing no obvious ‘symptoms’.

“While large enterprises can detect subtle attacks using active traffic monitoring systems, few small businesses can afford this monitoring,” Rao co-wrote in a peer-reviewed paper.

“[Without it], system owners may not even be aware of a breach for months or even years.”

A cybersecurity bloc(k)

That is why Clarkson’s idea for a ‘collective defence’ of a small group of not-for-profit organisations joining forces to build their own cybersecurity could work.

He believes such a defence pact could help bridge the gap between governments’ digital strategies, the scarcity of funding, and the urgency of bringing cybersecurity up to speed.

The Care and Community Collective Cyber Defence Trial he plans to set up by next year will allow participating organisations to scan and share intelligence about their IT systems in real-time.

The defensive partnership would employ Clarkson’s firm using Ironnet to set up NDR (network detection responses) and will bring in or integrate with an organisation’s EDR (endpoint detection and response) and SIEM (security information event management) systems.

An NDR (network detection responses), to “passively watch the network”, will feature as part of a trial of the service.

“It would actively block malware as it happens – that’s the power of collective defence.”

“While the technology is already there,” Clarkson says, he’s “not seeing government policies or strategies really taking advantage of it.”

However, RMIT’s Rao is sceptical, arguing that even if they did share resources, small businesses would not necessarily have the manpower to continuously monitor their IT networks.

This remains a critical cybersecurity resource gap that small businesses will struggle to plug. But, are governments necessarily aware of this, particularly when it comes to their vision for digital health?

Tapping into small business concerns

In her research with RMIT colleagues, she found Australian small businesses had consistently low response rates to broad-based voluntary surveys about cybersecurity, ultimately translating to a “lack of public domain data”. As a result, it is hard to get a firm reading of the overall cybersecurity position of SMEs, in particular, she says.

The latest National Digital Health Strategy and Framework for Action, now out for public consultation, could offer the right approach.

The agency’s chief digital officer Steve Issa says it has received more than 4,600 responses to the survey, including almost 4,000 from the general public.

“The feedback we’re getting is to position digital tech as enabling, rather than substituting traditional health care, and that we should be agile.

“From industry’s perspective, there’s an expectation the systems will be interoperable between different care settings and jurisdictions and will have the right standards.”

Interoperability means giving healthcare providers timely access to the information they need (in what would include vital cybersecurity data), in a format so they can effectively improve clinical decision-making and care.

While the survey does not specifically ask about cybersecurity concerns, Issa says respondees can add any relevant concerns to a supplementary text box.

He is adamant that this next five-year strategy, released mid-next year, will not “sit on a shelf” – it will respond to change.

“We’re not suggesting the new [National Digital Health Strategy] in 2022 will remain consistent and relevant for the next five to 10 years, so we’re working towards having a living strategy that responds to the market’s and consumers’ needs, trends and technology.”

He describes his agency as the “steward” for the strategy for the agency, governments of all jurisdictions, industry, business, and the general public.

Small businesses, particularly in the health sector, need to continue voicing their cybersecurity issues and concerns to the steward.