On Sunday 22 November 2020 – 59 Aged Care Royal Commission documents were impacted in a cyber security incident. While there is no evidence that any personal information was accessed and the incident was deemed to not be a notifiable breach, this incident highlights the need for all organisations to ensure that proper data governance measures are in place to protect all data.
The Royal Commission files were stored and secured by a reputable document management service provider – demonstrating that even cyber security experts are unable to completely remove the risk.
The impacts of cyber security breaches extend beyond the risk to individuals and an organisation’s sensitive information being accessed. There is also the cost to the organisation.
An IBM report – The Rising Cost of a Data Breach in 2020 – estimated the average cost of a data breach in Australia to be $3.35 million. Their findings noted that 80% of these data security incidents resulted in the exposure of customer information. Interestingly, the report also noted that when the business did not have security automation – i.e. machine learning execution of security actions – the business spent 211 days on average identifying and containing the breech.
For the Royal Commission’s document management service provider, the November incident resulted in shutting down key systems, completing a forensic examination, implementing a range of security enhancements to its systems and networks and having to work with both the Australian Federal Police and the Australia Cyber Security Centre (ACSC). An expensive exercise.
Unfortunately, cyber security isn’t an issue just for large organisations or high-profile Commissions.
In August 2020, Regis Aged Care was hit with a ransomware attack. Shortly after, Anglicare experienced a similar incident – these incidents prompting the Department of Health to issue an urgent warning and the ACSC to issue advice to assist providers to reduce their risk of a cyber-attack.
For providers, ensuring the security of data is paramount. In addition to providing a business-wide approach to managing and protecting clients’ personal information, a Data Governance Framework gives providers the tools, framework, processes and policies to help reduce the risk of cyber-attacks.
The ACSC’s advice to providers – issued to help providers protect themselves against possible cyber-attacks – suggested the need for a robust Data Governance Framework, noting the need for providers to identify and backup critical information and systems, keep their systems and software up to date through regular patching and to ensure they were using current antivirus software.
In line with the ACSC’s advice, the Aged Care Industry Information Technology Council (ACIITC) also recommended the need for higher levels of technology governance across the aged care sector. This recommendation stemmed from their 2020 Aged and Community Care Innovation and Technology Capabilities and Readiness (CARE-IT) report which highlighted many gaps in providers security preparedness.
ACIITC found that while 75% of providers used antivirus software and firewalls, only 32% of organisations were using an enterprise password management system and most were not employing encrypted data transmission, two-factor authentication or network penetration testing. All important measures in the fight against cyber-attacks.
As aged care providers continue to digitise their business, their attractiveness to cyber attackers will continue to rise. Organisations storing personal and confidential information on individuals are prime targets for ransomware attacks.
At an average cost of $3.35 million per data breach, surely providers would be better placed to invest these funds into establishing a Data Governance Framework and protecting residents’ and clients’ personal information.