This applies to the healthcare sector too. Healthcare and cyber colliding can be a visceral experience unless proper planning and preparation are undertaken. Let’s illustrate with an example inspired by a true story.
Consider 27-year-old Olivia, who has been suffering from chronic heart disease. Olivia was being prepped for life-saving surgery when a cyber-attack occurred. The surgeons were unable to access critical systems, the operation was postponed, and Olivia was left waiting for her life-changing event.
With this in mind, healthcare executives would have three main concerns:
- Business Continuity
- Integrity of systems and data
From a cybersecurity perspective, Pitcher Partners recommend that five key artefacts should be in place and signed-off by the executive or the board:
- Crisis Management Blueprint
- Business Continuity Plan
- Encryption Policies
- Public Disclosure Plans
- Cybersecurity Dashboard, highlighting your compliance with regulatory requirements
As well as protecting against adverse patient outcomes such as Olivia's, these artefacts mitigate compliance risks in relation to relevant Acts and regulations. Some of these will include the Privacy Act Amendments, the Victorian Protective Data Security Framework (VPDSF), the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), as well as the NIST SP 800-30 risk management framework.
Upcoming penalties of up to $1.7 million for companies, and up to $340,000 for individuals, mean Directors will need to be prepared for the Privacy Amendment Act (Notifiable Data Breaches) 2017 to ensure they do not pay fines. These penalties do not include reparation costs for customers impacted by the breach.
If your organisation is concerned, please contact Pitcher Partners who can help you perform a Cybersecurity Health Check, a first step towards understanding your risk and evaluating your organisation’s ability to meet your obligations.
Krist Davood is a Principal Consultant in Pitcher Partners Consulting (PPC) and PPC’s Cybersecurity Lead.