When dealing with life and death – aka health data – does the option to pay ransomware demands need to remain on the table?
The healthcare sector and federal government must view cybersecurity as a “team game” to move out of the “wild west”.
Speaking at the Medical Software Industry Association Summit in Sydney today, founder and CEO of Australian cyber security company CyberCX John Paitaridis said the healthcare sector was one of the key players holding back legislation against paying ransomware demands.
“Successive governments are keen to try and ban the payment of ransomware. The healthcare sector would be one of the few sectors right now which is holding back that decision [by saying], ‘when you are dealing with life and death, you have to have that option on the table’,” he said.
“No one is condoning or promoting the payment of ransoms but one of the main reasons the government has stopped short of putting a ban and legislating against the payment of ransoms is this industry, and the decision that may need to be made about paying a ransom if it involves life or death.”
Currently in Australia, the health sector's cybersecurity maturity continues to lag behind that of many other sectors, with “seismic” impacts.
“Last year’s [Australian cybersecurity] strategy notes that the health sector has one of the lowest cyber maturities across all industries and sectors,” said Mr Paitaridis.
“In OAIC reports, typically you’ll have the health sector be [the subject of] anywhere between 25-35% of all major cyber breaches in this country.”
And, according to Mr Paitaridis, the risk is only on the up.
“As the medical software industry evolves, we’re seeing increasing digitisation of services, moves to digital platforms, cloud platforms … [causing an] exponential increase in the availability of medical data,” he said.
“Modern healthcare now increasingly is underpinned by technology, and as we adopt technology and use technology across hospitals, aged care, devices, software and research institutes, clearly that threat landscape and that attack surface starts to grow across our organisations and across the broader ecosystem.
“We’ve seen a whole spate of cybersecurity attacks and breaches, which have also encouraged a pile-on from [other] threat actors.”
Despite having a number of great Australian medical software organisations in the room, a lot of medical technology continues to be made abroad, he added.
“We don’t know how that technology has been put together … [or] what the security credentials of that technology and all the software are.”
Cybersecurity regulation remains “patchy” and standards remain “unclear”, said Mr Paitaridis.
“We’re still in the wild west in the way that we are looking at and thinking about both regulation and consistency around testing or secure by design approaches around medical software,” he said.
“Adding to that is that the data that may be used by one system or one organisation ultimately is part of an ecosystem and we see this interoperability between health systems and data, which is creating elevated risk across the sector.
“If you have a cyber incident and it impacts a set of data in one system [or] one organisation, [it] can quickly cascade across the broader ecosystem.”
Australia also has a skills shortage, not just a lack of specialists in cybersecurity, but also a lack of cyber awareness within the health workforce.
“We talk about patching systems, but we also need to be patching people in terms of their security awareness, training and education in the way that they undertake their roles,” said Mr Paitaridis.
The sector and government must begin to “purposely” consider the risks as we “rush” to implement new technology.
“[Australia] needs to define clear standards for medical devices and software, particularly as we think about patient safety,” said Mr Paitaridis.
“Global regulatory bodies are increasing their emphasis, they’re starting to get more muscular, including here in Australia, around cyber security frameworks.”
CyberCX is working with the MSIA, the Department of Health and Aged Care (DoHAC) and the Australian Digital Health Agency (ADHA) to reframe the dialogue around cybersecurity and implement standards and frameworks, particularly around the consumption of foreign technology.
“We need to approach cybersecurity as a team game, and that is that industry and government need to collaborate very closely as we think about enhancing security software through the broader healthcare system and ecosystem,” said Mr Paitaridis.