Aged care is an important sector of the Australian economy – worth $22.2 billion – and growing faster than GDP as it rises to the challenge of a rapidly ageing population. It is also a sector facing significant cyber risk.
The 1,800-plus organisations providing aged care services across Australia are often smaller businesses, many operated by charities or as not-for-profits. Their main focus is necessarily on the people that they care for rather than the computers and communications systems that they operate – but this leaves them increasingly vulnerable to cyber-attacks, system failures and data breaches.
There has already been a series of incidents in which aged care providers have endured data breaches and systems outages that left them without easy access to records, essentially paralysing them until computer access was restored.
And, while aged care might not seem an obvious cyber target, the sensitive personal, ACAT and health records that aged care providers hold are of great interest to hackers as a precursor to identity theft. It’s why a health record sells for far more on the dark web than a credit card number.
Since February any serious breaches of personal data (affecting organisations with revenues of $3 million and over, or any business holding healthcare records) must be reported to the Office of the Australian Information Commissioner. The challenge for many aged care providers is that without better systems oversight they might not even know their systems have been compromised.
With significant penalties for failure to report, and the attendant brand and reputational damage that a cyber breach can cause, it’s time to take action.
As the population ages, the cyber challenge will become even more significant – particularly as people who have grown used to emails, smartphones and the internet seek aged care themselves.
Today more than 15 per cent of the Australian population is aged 65 and over, and 13 per cent of them are 85 or older. The cohort of 3.7 million 65+ year-olds is tipped to rise steadily through the century – and more than double, to 8.7 million, by 2056.
These will be people used to ubiquitous access to technology who will expect much the same as they enter aged care, and embrace online social media as a way of staying connected to friends and family. But residents are also potential targets for socially engineered phishing attacks – where the unwary click on a link in an email, or download an attachment, only to find that their own and their aged care provider’s computer systems have become victims of ransomware or targets for malware and computer viruses.
Of course, not all cyber breaches are the result of deliberate attacks – many arise from genuine accident or carelessness. No matter the cause though, the effect is the same – a breach of trust, and potentially a significant blow to an organisation’s brand and reputation.
During 2017, 114 data breaches were reported to the Office of the Australian Information Commissioner under the then-voluntary data breach notification regime. After mandatory notification came into force in February, 63 incidents were reported in the first six weeks, highlighting the degree of under-reporting in the past.
Health service providers and charities were among the top five sectors affected, and 33 per cent of breaches involved health information.
Aged care is now considered a serious target for cyber-attack and at high risk of accidental data breach that may be triggered by either unwary residents or staff.