Healthcare: evolving cyber risks require continuous review
Healthcare institutions are fast adopters of automation. It streamlines workflow and expands the range of service options that can be provided to patients. For example, teleradiology is allowing X-rays to be dispatched over the internet and interpreted by radiologists anywhere in the world in order to deliver a 24x7 service for patients.
Specialised equipment such as the da Vinci Surgical System allows surgeons to remotely perform operations while working in different states or countries. This is democratising access to specialist services that might not readily be available in all jurisdictions. Benefits of this type of robotic surgery can include shorter hospitalisation time and faster recovery time for patients, among several others. There are reportedly 40 hospitals in Australia and New Zealand offering robotic surgery for certain conditions.
But what happens if the robot is hacked or the connection interrupted mid-surgery? What happens if a hospital’s lifts are subjected to a cyber-attack when theatre patients are being transferred to critical care wards? Where does the liability lie when the pacemaker malfunctions?
These issues, along with the security of private data, need to be carefully addressed.
Electronic medical records also represent a trove of information that cyber criminals prize. Since the launch of the Notifiable Data Breaches scheme, the health sector has consistently been the most highly represented in terms of notified breaches to the Office of the Australian Information Commissioner (OAIC). Serious security concerns have been raised about the government’s My Health Record system which aims to create a shared digital medical record for every Australian unless they opt-out. The My Health Record system, which currently houses over six million Australian health records, reported six eligible data breaches in 2017. Health information is an attractive target for intruders. They can be used to perpetrate a wide variety of offences, including identity fraud, identity theft, blackmail and extortion1.
The healthcare sector has become increasingly aware of the risks associated with automation. Cyber risk has been identified as a top five risk by the sector according to Aon's analysis, with no signs of waning in the future. The fast pace of transformation brings with it the risk of blind spots emerging. The risk to healthcare organisations is changing as fast as the automation technology is rolled out. Their risk profile and insurance policies require regular and comprehensive reviews to ensure no gaps develop.