An international cyber attack which resulted in the theft and release of personal data from an aged care provider has sparked warnings across the sector.

Regis Healthcare advised the Australian Securities Exchange on Monday that an overseas actor had copied data from its IT system and released personal information.

The incident sparked a warning from the Australian Cyber Security Centre that cyber criminals are increasingly targeting healthcare organisations, including the aged care sector.

Dr George Margelis, Independent Chair of The Aged Care Industry Information Technology Council (ACIITC), says there’s been a failure to prioritise cyber security despite the push for the aged care sector to adopt technology.

“I wouldn’t say it’s been neglected, but it hasn’t been prioritised,” he told Community Care Review.

Dr Margelis says recent research by the council found a lack of maturity around cyber security in aged care.

“One of the things that was highlighted was the lack of maturity around cyber security, and one of our recommendations to the federal government was the need for more education in that space,” he said.

Data theft

The weekend cyber attack on Regis resulted in data being encrypted, stolen and published, a spokesperson said.

“The company is contacting parties whose personal data has been publicly released,” the provider said in a statement.

Regis Healthcare implemented its back-up and business continuity systems, and the attack did not affect resident care or service delivery. The incident did not “materially impact” day-to-day operations, the provider said.

“Our priority is maintaining safe and reliable operations while ensuring the security of personal information of our residents, clients, and employees,” said Dr Linda Mellors, chief executive officer and managing director of Regis Healthcare.

The incident has been reported to the Office of the Australian Information Commissioner, the ACSC and other regulatory bodies.

The ACSC on Sunday issued advice saying it was aware of a significant increase in malicious cyber activity targeting the aged care and healthcare sector using the Maze ransomware.

“Cyber criminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks … because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care,” the ACSC said.

“A significant ransomware attack against a hospital or aged care facility would have a major impact.”

The ‘Maze’ ransomware is designed to lock or encrypt an organisation’s valuable information, so that it can no longer be used.

Cyber criminals then threaten to post the information online unless a ransom is paid.

Increasing reliance on technology

Cyber attacks on the aged care sector have implications for privacy, but the main concern for providers is being able to maintain day-to-day activities as the sector becomes increasingly reliant on technology, Dr Margelis says.

For example, an outage can disrupt rostering and client alarm systems and a ransomware attack can lock away digital rostering systems as well as invoicing and payroll data.

Meanwhile, clients receiving in-home care may be relying on outdated hand-me-down technology from family members, and can find themselves completely isolated during outages if relying on telehealth and online social interactions.

“Home care’s probably becoming more and more vulnerable as people are starting to use technology in the house,” he says.

ACIITC CIO Forum committee chair Gavin Tomlins says cyber attacks are not uncommon for Australia’s aged care providers.

“Cyber security is very lacking in the whole industry at this present point in time,” Mr Tomlins said.

Other aged care providers have also experienced ransomware attacks.

“Some of the organisations are paying because they don’t have the necessary processes in place, and they need to release the data,” he said. 

“My suggestion is all aged care providers should have cyber insurance, which I still don’t think is commonplace,” he said.

Strategic solutions

Dr Margelis says there are a number of vendors with cyber security solutions and the Council is also in discussions with the government about improving cyber security.

But he says cyber risks aren’t specific to aged care and there is no aged care-specific solution.

“All aged care providers, every business has to make decisions about how much they spend on tech and then optimise that spend,” he says.

“It’s knowing that there’s a problem, knowing that there are solutions and looking at cyber security strategically to keep it on the radar as an organisation.”

Mr Tomlins said providers should also have a firewall, virus and malware software protection, and a backup system that is regularly tested.

Ongoing awareness education for all staff is also vital, Mr Tomlins said.

“As part of induction and part of the ongoing development of staff members, there should be either e-learning, or it should be a conscious thing to be educating staff around digital literacy, data privacy and cyber security as well,” he said.

Providers should also undertake annual system penetration testing, which is where an ethical hacker tests how secure an organisation’s systems are, Mr Tomlins said.

The ACIITC National Forum will address the issue with a theme of Cyber Security and Safety – Is your front door unlocked? It will be held online on Friday 28 August.
