In discussing the cybersecurity posture of the nation’s healthcare industry, the Australian Digital Health Agency (ADHA) has revealed it was itself the target of an attempted breach.
The ADHA, the system administrator for Australia’s My Health Record, discussed two breaches that were worthy of notifying the Office of the Australian Information Commissioner (OAIC).
Speaking with the Joint Committee on Public Accounts and Audit on Tuesday, ADHA national health CIO Ronan O’Connor said the agency notified the OAIC of two potential data breach notifications that occurred in the current financial year.
“The first notification was reported to the OAIC and that was related to a potential compromise to external information technology infrastructures supporting the wider My Health Record system,” O’Connor said.
“In effect, it meant that our security monitoring tools identified a potential vulnerability in the system and as a consequence of that we notified the OAIC … and we also worked with the Australian Cyber Security Centre (ACSC) and on that basis they were happy … and there were no further investigations on that.”
Following questioning by the committee, O’Connor confirmed the issue meant somebody tried to “hack” the external perimeter of its systems.
“I want to assure the committee there was no access into the My Health Record whatsoever, no health information or personal, sensitive information was accessed,” he added.
O’Connor said the ADHA doesn’t have the level of information on the incident to conclude who or what was behind the breach attempt and that the question would be better directed to the ACSC.
“On that basis, we don’t know the actor in this instance,” he said.
The second breach was related to a state healthcare facility.
“They became aware their system had potentially been hacked, accessed without the healthcare recipient’s authority. After investigations that were undertaken, it was confirmed that the individual whose record was accessed was indeed receiving healthcare at that facility at the time of access,” O’Connor explained. “So there was no compromise.”
Touching on the security of My Health Record, O’Connor said it had “quite a comprehensive system for security monitoring” whereby specialist real-time monitoring tools are in place to detect any sort of anomalies in any behaviour in the system itself.
“This activity ranges from system to system activities, relating to endpoints … it monitors and if there’s any sort of unusual behaviour or activity, we’ve got the ability to notify the organisation and in instances where we’ve got particular concern, we can suspend access to the My Health Record system itself. It’s quite comprehensive,” he said. “We have set up a dedicated cybersecurity centre within the agency.”
The ADHA faced the committee as part of its inquiry to consider the cyber resilience of government entities prioritising information security.
Specifically, the committee is examining two Auditor-General’s reports: Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities and Implementation of the My Health Record System.
In probing the contentious My Health Record, the Australian National Audit Office (ANAO) pointed out a number of security issues concerning its implementation, but widely gave ADHA the tick of being “largely effective”.
During Tuesday’s hearing, the committee questioned the ADHA and representatives from the Department of Health on the cyber posture of the healthcare industry in Australia.
“We acknowledge there is variability in the security standards that apply across the health sector in Australia some systems have very high standards and some less so,” ADHA CEO Bettina McMahon said.
“There are risks of cyber attacks to the healthcare industry as there are the rest of the economy and they need to be managed through improved security over time, which is what we’re working on at the moment.”
McMahon highlighted that under the country’s Notifiable Data Breaches Scheme, healthcare organisations don’t have the exemptions which apply to the rest of Australian businesses with a turnover of AU$3 million. She said this would result in a higher volume of breach notifications in the healthcare sector.
“We watch quite closely the broader health sector and impacts with cybersecurity. This is an area we constantly look at with our service delivery partners both the ADHA and Services Australia to look at how we can strengthen those parts of the health sector that government participates in,” Daniel McCabe, first assistant secretary of provider benefits integrity at the Department of Health, said.
He explained that Health has engaged with the private health landscape to help them lift their cyber maturity through increased education, working with them on incentives to update systems and IT equipment, as well as working with states and territories on challenges related to cybersecurity.
“It’s a complex and quite distributed landscape that we need to manage,” he said.
The committee then pointed to findings made by Emisoft, which determined there were 764 ransomware attacks that affected US healthcare providers in 2019 alone. The committee asked if Australian providers were as much at risk of the incidents that caused this great impact on the US healthcare system.
While McCabe said the ACSC was better positioned to answer that question, he said the risks would be equally prevalent in the Australian healthcare sector, but also prevalent in other sectors of the economy as well.
“We take advice from the ACSC on that risk … we take their advice and we have our own cybersecurity team that works closely with them,” McMahon added, noting as well the sector and the ADHA is well aware of the risks.
Given that not all providers were found by ANAO to be achieving minimum security requirements, the committee asked who gas been driving improving these baseline requirements in GP clinics. In response, McCabe said work still needed to be done.
“There is no holistic end-to-end benchmarking that we have done, rather we look at this with the ADHA and Services Australia on a program-by-program basis … but as we engage more deeply with key stakeholders in this space there will be opportunities for us to contemplate how we might be able to understand the overall posture for the participants,” he later added.
In the context of the My Health Record system, the Department of Health said all registered participants — GPs, pharmacists, and the like — are required to have a written security policy outlining a whole range of different matters that includes user account management requirements, training requirements, physical security, and mitigation strategies as written policies.
McMahon said the My Health Record Act also provides a requirement to be cyber resilient.
“Before software is able to be connected to the My Health Record system … there are standards that are required to be met,” she said.
“There are a number of measures in place but we do recognise that we want to continually improve those and that’s the work that we’ve embarked on in terms of identifying standards, aligning it to other standards in place … as well as software vendors.”
Offering further legislation to which healthcare providers are bound by, instead of detailing how the ADHA can ensure providers are cyber resilient, McCabe said the Privacy Act should also be considered.
O’Connor also added the agency would shortly be standing up a security-focused e-learning initiative.