One of the lessons from the recent CrowdStrike outage is that health leaders need to work on ensuring a secure and digitally resilient sector, according to Meegan Fitzharris, Healthcare Industry Lead at the cyber security company CyberCX.
“Cyber safety is patient safety,” writes Fitzharris, who is a former ACT Minister for Health, Transport and Higher Education.
Meegan Fitzharris writes:
Walking through Sydney International Airport on Friday, 19 July, I was puzzled when I noticed the departure screens were down.
Thinking no more of it, I was soon interrupted by an announcement: “We apologise that some Sydney Airport systems are down due to a global technology outage.”
A ‘global technology outage’?
Some professional angst rose: Was it a cyberattack? Would hospitals and health services be impacted? And some personal angst: Would my flight leave? Would it be safe?
In the end, I found my gate and my flight departed safely and on time. I landed on the other side of the Tasman and immediately checked my phone to catch up on the world.
In Australia: flights grounded; stores closed. And across the globe the same, but also hospitals and health services impacted, and patient care disrupted. Clinical and IT workforces in the health sector were faced with yet another digital disruption.
As it turned out, we now know the impact of the CrowdStrike event on many organisations across Australia and the world.
We know it was a flawed update and not a cyberattack. We know it impacted thousands of travellers, retail workers, shoppers, doctors, nurses, and caregivers. We know that digital, IT and cyber security teams worked across the weekend around the world to reboot their systems, get services back online and people back to work.
Slowly, the reasons are emerging. CrowdStrike has provided regular updates seeking to reassure existing customers and recover its reputation. Microsoft was also caught up in the outage, which affected customers on its platforms. Regulators are engaged, companies are counting their losses, and class actions are readying.
The world discovered CrowdStrike and learned it is one of the leading global providers of cybersecurity solutions. With a significant market share, the impact was truly global, affecting an estimated 8.5 million users, with large financial losses to customers and even larger financial and reputational costs likely for CrowdStrike.
Questions
Across all sectors, questions are being asked about what this means for digital resilience. Are we overly reliant on a few providers? What if it had been a cyberattack? Do our policy and regulatory frameworks need to change?
There is arguably no sector where these questions are more relevant than healthcare.
The answers for the health sector, as with many aspects of digital resilience, are not simple.
Most large and medium-sized entities across the health sector are thinking carefully about cyber security and digital resilience. They are thinking about fixing the problems of today and anticipating the problems of tomorrow.
While many are clear on their strategy, increasingly complex technology environments, large amounts of legacy technology, and competition for scarce resources inevitably limit action. And in any event, it would be fair to say no organisation can spend its way out of digital or cyber risk.
The sustainability and success of the health sector – and therefore the health outcomes of Australians – is reliant on increased digital and data connectedness.
But this will not come from ever-increasing funding, nor from an unachievable increase in the health workforce. Recognising this, Health Minister Mark Butler has championed digital health (and funded it) since the current government took office in 2022.
Think of the many excellent initiatives for reforming models of care using data about patient experience and outcomes, and connecting clinical and patient data across the health system. Think of the clever innovations in digital health and medical devices, such as remote monitoring, artificial intelligence (AI) scribing, and implantable medical devices.
All these initiatives and ideas rely on increased collection and flow of patient data and increased availability of digital technologies.
To put it simply, if the future lies in digital health, the future must also be in a digitally resilient and cyber secure health system.
Cyber threat alert
Cyberattacks on health sector organisations continue to climb. Globally, US-based health sector entities have experienced expensive and high impact cyberattacks.
In Australia attacks are also on the rise, but fortunately have not (yet) had such an extensive impact. Recent high profile cyberattacks on health providers and the health supply chain have included Medibank, St Vincent’s Healthcare and MediSecure.
The Office of the Australian Information Commissioner (OAIC) reported that between July and December 2023, the health sector remained the top reporter of data breaches, with health reporting 104 breaches (22 percent of all notifications).
The Australian Cyber Security Centre’s (ACSC) most recent Health Sector Snapshot reported that in 2020, the ACSC received 166 incident reports relating specifically to the health sector, up from 90 the previous calendar year.
In 2022-2023, the healthcare and social assistance sector was in the top five sectors to report cyber security incidents to the Australian Signals Directorate.
Policy responses
Late last year the Federal Government released the Australian Cyber Security Strategy. Widely viewed as ambitious, the Strategy comprises a series of ‘shields’ to defend against cyber threats and leverage Australia’s cyber capabilities across the economy.
Since 2018 the Security of Critical Infrastructure Act (or SOCI) has recognised the health and medical sector as one of eleven critical infrastructure sectors, designating most major hospitals with Intensive Care Units as critical assets requiring a range of compliance activities to build resilience to a number of threats, including cyber.
The Strategy calls out a lack of maturity across the health sector, proposing a pilot for a health sector cyber threat information sharing and analysis centre (ISAC), for which it recently sought grant applications. There are also measures for small and medium business, which make up much of the health sector.
There are strong regulatory measures in place in the insurance sector, which also apply to health insurers. The Australian Prudential Regulation Authority (APRA) requires insurers to meet a high level of cyber security, and it has the authority to enforce compliance. It has taken strong action with Medibank, including increasing its capital adequacy requirement and overseeing a cyber remediation program.
For public hospitals and health services, state and territory governments are actively pursuing measures to secure their health systems. With complex and varied governance arrangements between central cyber units, health departments and health services, there are a range of approaches.
For the vast array of small and medium organisations across the health sector, however, there is a generally held view that there is low maturity, higher priorities (especially patient care) and limited extra funding.
Impacts
In February this year the United States experienced what the American Hospital Association called “the most significant and consequential incident of its kind against the US”.
Change Healthcare, a health payments processor that handles 15 billion, or 40 percent, of all claims in the US, experienced a major cyberattack. Up to one third of all Americans’ health data was stolen, and patient access to care and the financial viability of many healthcare providers were significantly impacted. Change Healthcare estimates the cost of the attack at over US$1 billion.
More recently, Synnovis, a leading UK diagnostic and pathology provider, was also the target of a cyberattack. The impact meant the NHS could not use some of its essential systems to run blood tests in south-east London, causing “significant disruption in south-east London across a range of different treatments”.
A notable attribute of both the Change Healthcare and Synnovis attacks (and many others) was the theft of personal health data combined with immediate operational impacts on health service availability.
What these examples reveal – and what they have in common with the CrowdStrike outage – are the supply chain risks across the health sector.
They all highlight the presence – increasingly required and demanded by consumers, policy makers and health professionals – of large and shared data sets, as well as the essential digital infrastructure that enables our health systems to run.
Lessons for the health sector
The key prism through which to assess the CrowdStrike outage for the health sector is digital resilience.
Three key questions emerge here:
- Does Australia have the right regulatory levers in place to set achievable and scalable standards across the health sector and can industry work with these?
- From the Department of Health, hospital leaders and relevant agencies, does Australia have all the right parts of the system considering their role beyond their own organisation and how they contribute to strengthening the digital resilience of the sector?
- Do we know where data is highly aggregated? Do we know the critical infrastructure that enables our health system to continue providing care?
Individual health sector entities can take many measures to build their cyber and digital resilience and, over time, the right levers, regulations and laws will develop to ensure new digital health technologies and medical devices embed cyber security into their design.
However, the gaze of health sector policy leaders, regulators, workforce representatives and industry leaders needs to lift to see the sector as a whole and agree on simple and effective measures they can all action to ensure a secure and digitally resilient health sector.
The US Health Sector Coordinating Council for cybersecurity has a simple approach: ‘cyber safety is patient safety’.
It’s a good guide for how our health sector leaders could approach measures to ensure the resilience of our health sector.
Author details
Meegan Fitzharris is the CyberCX industry lead for healthcare. Prior to joining CyberCX, she worked at senior levels in health, transport, and law enforcement. She chaired the Reform Advisory Group for the Queensland Health Minister in 2020 that developed the “Unleashing the Potential” report. Prior to that, Meegan was a member of the ACT Legislative Assembly, serving as the Minister for Health, Transport and Higher Education. As Health Minister, Meegan also chaired the National Health Ministers Forum. Meegan has held other roles with the Australian National University, Australian Federal Police and Attorney-General’s Department. Since 2021, she has also been a Non-Executive Director on the Board of Dementia Australia. Meegan’s role at CyberCX means she can work with Australia’s pre-eminent cyber security professionals to ensure a digitally enabled, secure and trusted health system to improve the health and wellbeing of the Australian community.