Beyond IT: Cybersecurity awareness in healthcare, a shared responsibility
When healthcare professionals think about "cybersecurity", they can be forgiven for imagining complex systems and technical jargon that seem unrelated to their jobs. However, cybersecurity extends far beyond IT departments and digital experts. It’s about safeguarding sensitive patient information, ensuring the integrity of medical records and protecting against potential threats that could compromise patient data, care and safety. Nam Lam, Managing Director ANZ at SailPoint, shares insights on the increasing threat of cyber-attacks to the healthcare industry and emphasises that cybersecurity is everyone’s responsibility.
The cybersecurity challenge in healthcare
Keeping up with cybersecurity is a significant challenge for the healthcare sector. Recent statistics reveal that 93% of healthcare organisations have experienced a breach in the past two years [i], with nearly half of these incidents leading to operational downtime.
Why care about cybersecurity?
Healthcare organisations hold vast amounts of sensitive personal information, medical records, diagnostic reports and billing details for their patients. This data, increasingly stored within digitised systems, makes them prime targets for cybercriminals.
Securing systems, like the electronic medical records systems that hold, manage and store patients’ relevant health information as part of their care, is challenging because they constantly need to be accessed by various individuals — doctors, clinicians, nurses and support staff — as part of their legitimate jobs, as well as by other IT systems.
Medical staff also use multiple applications for patient care and administration, each with its own security and access requirements. This can lead to doctors, for example, having multiple usernames and passwords, which as we know should all be different and complex, but in reality, this isn’t always the case.
No wonder that, in the second half of 2023, 22% of the data breaches reported to the Office of the Australian Information Commissioner (OAIC) were in the healthcare industry. And with the most significant cause (58%) being compromised credentials, it should not be a surprise that the OAIC has prioritised the security of personal information.
Can healthcare organisations and hospitals do anything about it?
The answer is yes, in part through the clever use of technology.
Calvary Health Care, a major player across aged care and virtual care, is a great example. With multiple businesses and systems, Calvary recognised the need for identity security and automation to overcome the scale and complexity of managing tens of thousands of identities securely across its network.
Aaron Le Saux, Architecture and Integration Manager, likened this approach to a Swiss army knife, saying, “You need a partner that’s got that Swiss Army Knife capability to be able to integrate across all of these systems... they need to be highly interoperable.”
Catch the cyber threat before it becomes a breach
For Calvary and others, the answer to ensuring secure access to sensitive information lies in custom permission levels. By assigning access privileges based on job roles and responsibilities, staff members will only have access to the systems and tools they require.
Additionally, access to resources adjusts swiftly, securely and automatically as people join, change job roles, or leave the organisation, and sensitive and regulated information is continually managed in line with regulatory requirements. This approach creates a more controlled access environment, preventing unauthorised personnel from accessing sensitive information.
Managing custom permissions manually can be challenging, especially in large, complex healthcare organisations. So automated solutions for access control simplify assigning and revoking permissions, ensuring staff always have the appropriate level of access without imposing an excessive administrative burden.
The value of this approach was demonstrated during the COVID-19 pandemic when SailPoint was able to quickly onboard thousands of triage nurses by implementing automated permissions management. This involved assigning custom permission levels to each nurse, ensuring they had access to key systems only as they needed them, and removing much of the administrative burden, letting them focus on their work.
A culture of cybersecurity awareness: Everyone’s responsibility
However good the technology, organisations cannot be complacent. Cybercriminals often target healthcare through sophisticated phishing attacks, stealing login credentials used to access sensitive patient data. Promoting cybersecurity awareness is crucial. From frontline clinicians to administrative staff, everyone plays a critical role in this effort.
Healthcare organisations should provide regular training on cybersecurity best practices, conduct security awareness campaigns and encourage staff to report suspicious activity. Raising awareness and accountability empowers employees to recognise and respond to potential threats.
Addressing the urgency of cybersecurity
Investing in cybersecurity is crucial for healthcare organisations and our digital healthcare systems. While tackling cybersecurity might seem daunting, neglecting it can lead to severe risks as cyber threats become more advanced. The time to act is now, especially with the digital healthcare market expected to grow at a compound annual growth rate of 20% through to 2030 [ii].
To protect patient data and healthcare records, healthcare organisations need a comprehensive security approach. This includes addressing compromised credentials, fostering collaboration, embracing digitisation and promoting a culture of cybersecurity awareness. It is also crucial to have strong identity security measures in place to gain full visibility into all identities, monitor user activities, and streamline and enhance identity management processes such as access requests and permissions. As our population grows and healthcare providers and systems face increasing pressures, digital systems will be essential for scaling healthcare services and ensuring they are available and inclusive to all.
By taking a proactive stance to managing and securing identities, healthcare organisations can safeguard patient privacy, adopt the digital systems they need and maintain resilience in the face of increasingly sophisticated threats.
[i] “State of Identity Security 2023: A Spotlight on Healthcare” report
[ii] Australia Digital Health Market Analysis