Privacy and IT governance

An article by WA lawyer Marcus Hodge last week highlighted the tension between the recently implemented mandatory data breach notification requirements and the decision each of us will need to make over the coming months about whether or not to opt out of Australia’s My Health Record system.

The central storage of health record summaries for access by health consumers and their authorised healthcare providers has long been advocated as a way to improve the safety and quality of health service delivery, and potentially create economic efficiencies within our very complex and siloed health systems.  On its face, there is much to recommend the concept.

Perhaps the most worrying point made in Marcus Hodge’s article, however, is his acknowledgment of “the view of some IT commentators that true data security is no longer possible – that all data is ultimately accessible to those who seek it”.  This echoes a point made as far back as 2013: every organisation (not just your healthcare provider) is vulnerable to cyber attack.

The article ‘It’s not if but when a cybersecurity attack will happen’ appeared in AICD Boardroom Report (Vol 11, Issue 4, 2013), and quoted a Deloitte TMT Global Security Study as follows:

“The truth is every organisation is vulnerable; 100 percent prevention does not exist. That’s why a combination of detection and incident response, in addition to prevention, is becoming more important.”

That warning has been reiterated in numerous cyber threat reports since then, one example being Cisco’s 2018 Annual Cybersecurity Report, which highlights the following emergent threats:

1. Adversaries are taking malware to unprecedented levels of sophistication and impact.

2. Adversaries are becoming more adept at evasion — and weaponizing cloud services and other technology used for legitimate purposes.

3. Adversaries are exploiting undefended gaps in security, many of which stem from the expanding Internet of Things (IoT) and use of cloud services.

The report then offers its own ‘not if, but when’ warning (emphasis added):

“When adversaries inevitably strike their organizations, will defenders be prepared, and how quickly can they recover? Findings from the Cisco 2018 Security Capabilities Benchmark Study—which offers insights on security practices from more than 3600 respondents across 26 countries—show that defenders have a lot of challenges to overcome (see page 46).”

[Figure from the Cisco 2018 Annual Cybersecurity Report: “Drivers min risk”]

Your risk and/or IT governance committee and IT consultants will be most interested in those insights into the security practices that may need to be implemented in your organisation.  With every organisation increasingly dependent on its IT systems, attention to cyber threats is both a governance and an operational priority.

In the meantime, when you consider how much of the health system consists of office-based practices with extremely limited IT budgets and staff resources to address cybersecurity threats, the question of whether to trust the My Health Record system remains problematic: a shared system of this kind is only as strong as its weakest link, and that link is likely to be one of the many small practices connected to it rather than the central system itself.

Help with your IT Governance

If your Board or Risk Committee would like assistance incorporating a suitable IT Governance Policy into your governance framework, or review of your existing IT governance arrangements, contact me on 0419 347 599 or at

PolGovPro also refers clients to Cyber Data-Risk Managers for insurance broking assistance with cyber cover. (Disclosure: PolGovPro receives referral fees if a policy is purchased).
