Cyber Security in Aged Care

September 7, 2023 | Aged Care Management

3 of the biggest cyber risks that aged care providers are exposed to

By Stacey Swindon, Manager

On 19 July 2023, Governing for Reform in Aged Care hosted a webinar on Cyber Security. A panel discussion hosted by KPMG, where industry experts Glen Hegner and Varun Acharya, shed light on the importance of understanding cyber-related risks at an organisation level and outlined practical strategies that should be considered to enhance cyber safety.

In this blog, we provide a summary of key takeaways that can support executive leaders and governing body members to take steps towards actions and improve systems oversight.  

Current challenges within the Aged Care sector

It is of vital importance that aged care providers critically assess what information management systems are used to deliver safe, high-quality consumer-centred care. Not surprisingly, this presents challenges for providers due to the rapid evolution of cyber risk and the increasingly digital nature of modern operations. The webinar panel highlighted specific areas of concern within the aged care sector, which include:

  • Identifying what systems are being used to protect sensitive resident data,
  • How these systems – whether manual, paper-based or software platforms – meet the highest data security requirements,
  • The large number of legacy systems that remain in use to manage consumer information, and;
  • Provider capacity to translate business processes to adapt to the ever-changing landscape of cyber risk and digital transformation.  

The importance of understanding cyber related risks at an organisational level

The dynamic cyber security environment in which we now operate necessitates a paradigm shift in the industry’s approach to understanding risk and informing strategy. This shift demands a change in mindset: moving from a position of defending data to one that pre-emptively and proactively protects it. Ultimately, the goal should be to stay ahead of rapidly evolving threats and ensure that organisations are prepared to address threats before they cause damage.

Aged care might not seem like an obvious target; however, personal data and health records are used as a pre-cursor to identity theft, which increases the sector’s vulnerability to data-breaches and cyber-attacks. The panel shone a spotlight on three of the biggest risks that organisations are currently exposed to:

  1. 3rd party risks and supply chain Third party risk is any risk brought on to an organisation by external parties in its ecosystem or supply chain. With every third-party that an organisation uses, the risks of being exposed to a security breach increase. When it comes to data privacy for example, it is imperative for organisations to know how their software vendors are protecting sensitive consumer information and where. With security only being as strong as the weakest link in the supply chain, regular and rigorous supply chain review is critical to safeguard personal information.
  2. Scammers When we think about ways to boost cyber security posture the focus is often on high-value assets like IT systems. However, as the digitised world evolves, as do the skill of scammers who tend to piggyback on low-hanging fruit.  In the context of cyber security, this refers to easy targets within an organisation’s network. Examples of low-hanging fruit could be reflected in staff’s ability to detect phishing scams, password strength and device security.
  3. Insider threats Increased prevalence of remote work, bring your own device environments and low digital literacy in aged care staff compound the human element of cybersecurity risk. Although human risk cannot be eliminated, if staff are not provided with training that is curated to support their understanding of cyber security risks and indicators of an attack, organisations remain extremely vulnerable to data breaches and cyber-attacks.

Implications if organisations don’t get cyber security right

Poor cyber security can attract significant penalties, brand and reputational damage and has the potential to negatively impact older Australians. The implications if we don’t get cyber security right can include, but are not limited to:

  • Identify theft,
  • Data loss that impacts managing and reporting resident level data essential for both future direction and day-to-day operational performance, and;
  • Disruption to care or loss of life if systems are attacked and cause a disruption to direct clinical care.

Practical strategies for executive leaders and governing body members to adopt, enable, empower and improve cyber safety

Managing cyber security risk requires time, money and staff capability. As the aged care sector works tirelessly to accommodate regulatory changes as a result of the reform, the panel provided advice about tangible strategies that can be adopted to get the basics right first.  

  1. Be proactive: Transition from a defensive posture to a proactive one. Anticipate threats and implement pre-emptive measures to mitigate potential cyber risk. Examples of this includes:
    • Subject your information systems to regular penetration tests, including those accessed through third-party vendors.
    • Using Microsoft Secure Score to assess your current security posture and benchmark with other organisations. The insights provided can be used to identify potential improvements across the entire digital estate.
    • Keeping abreast of the latest cyber security alerts by signing up to relevant updates and alerts.
    • Understand how your software vendors are protecting your consumer data and ensure this aligns with the highest safety standards. For example, does your software vendor have ISO27001 accreditation?
  2. Prioritise cyber hygiene: To maintain cyber health and prevent data breaches or security incidences it is imperative to follow precautionary measures. Cyber hygiene best practises include, but aren’t limited to:
    • Adopting the right IT security framework and cybersecurity standards.
    • Implementing and updating internal policies for information management.
    • Authentication and access control.
    • Password controls and secure remote access.
    • Back-up strategies.
  3. User-buy in: Organisations should invest in employee training to enhance their awareness of cyber threats and promote safe online practices. One person can’t fly the flag alone and it is crucial that individuals understand their role in mitigating cyber risk.
  4. Foster partnerships: Organisations are stronger when working together which is why it is important to foster collaborative with industry partners to remain cyber aware.

Now more than ever, it is crucial for aged care providers to consider how they hold and protect sensitive resident information. While cyber security is important, it is far from easy. To be in the best possible position to maintain cyber hygiene, it takes a proactive approach – much like running at two paces – getting the basics right first and then preparing for a more resilient future.

At Mirus, we have taken the time and effort to prioritise data security and data sovereignty for all our providers and their residents by becoming ISO27001 certified now. Contact us below if you’d like to see what this certification means in practicality with our solutions like Mirus Metrics.