Why health is a ‘soft target’ for cybercrime


With the value of Australia’s cybercrime industry approaching 10 times the nation’s GDP, it’s time to ‘shore up’ our digital processes: we’re only as strong as our weakest link.


Healthcare is a ‘soft target’ for cybercrime – while DoHAC is making moves to propel us in the right direction, we’re years behind the US.

Speaking at the Australian Healthcare and Hospital Association’s webinar on cyber security in healthcare last week, Microsoft Australia and New Zealand’s chief medical officer Dr Simon Kos said healthcare faced a conundrum when it comes to cyber security.

“The paradox of health is we need to share information widely for patient care and keep it private at the same time,” he told attendees.

“Healthcare is critical infrastructure, [it] is actually known around the world as a soft target [for cybercrime].

“In 2023, 67% of healthcare organisations fell victim to ransomware, and 53% of those healthcare organisations paid the ransom to recover their data.

“The average cost was 11 million USD [dollars] per breach.

“So that’s why the cybercrime industry looks at healthcare.

“It’s complex, it’s sensitive data. It knows that we’ve got a long tail of unsecured systems, and it knows that we’ve got a propensity to pay.

“That means that healthcare becomes a really important industry to shore up.”

According to Dr Kos, the cybercrime industry is approaching $10 trillion in value, far surpassing our GDP of $1.7 trillion.

First assistant secretary of Medicare benefits and digital health division at the Department of Health and Aged Care Daniel McCabe added that according to Australia’s cyber security strategy, released last year, “our health sector probably has the lowest level of cyber security maturity overall in all parts of the economy”.

“Health in the last six months was the largest [affected sector for data breaches],” he said.

“Not all of it was cyber related, but at least 40% was a result of cyber incidents affecting systems and assets in the healthcare system.”

Mr McCabe said the implementation of the 10-year digital health blueprint would see a “huge transformation change” for the healthcare system.

“But the challenge we have ahead of us … is that we need to maintain public trust and social license with our citizenry as we do this, and cybersecurity and lack of resilience in certain parts of our health system will continue to undermine that,” he said.

Mr McCabe said Australia was on a similar trajectory to the US, if not quite as advanced.

“I think there’s a lot Australia can learn from [the US],” he said.

“I think we have a lot of similar challenges in terms of the need to continually uplift cybersecurity across our healthcare system here in Australia.

“Our health system consists of multiple levels of government delivering healthcare services, as well as tens of thousands of private organisations all supporting healthcare.

“That provides a huge amount of complexity in terms of the fragmentation of the way healthcare is delivered.”

Beyond regulation and legislation, “uplifting” the sector would require building communities of practice across the industry and looking at national systems, like MyHealthRecord and Medicare payment systems, said Mr McCabe.

“We will be looking at lifting the bar of entry for third parties that connect to [our national] systems as well, with a view of not just protecting government infrastructure, but also looking at how we can use some of those services to help uplift the broader ecosystem,” he said.

Dr Kos said that, during his work in the US, he was party to a major shift in the cybersecurity space.

“When I was working in the US as Microsoft’s global chief medical officer, it was in the period 2016 through 2019, I actually saw the culture change and that shift when security stopped becoming IT’s problem, and started becoming the board’s problem,” he said.

“And the role of the chief information security officer was no longer to say no, it was to say yes and do that securely.

“That is a huge shift.”

Dr Kos said it was only recently, in the wake of large-scale data breaches in Australia, that the conversation was opening up here.

Progress was about governments working “hand in glove” with industry, he said.

“No one organisation can do it alone,” he said.

“We are on a digital journey, but the covid period accelerated what our digital transformation of the healthcare industry looks like.

“It is a complex [industry] that’s quite decentralised, and it’s got lots of nodes, and each of those nodes is a point of vulnerability, and the chain is only as strong as the weakest link.

“That’s why it’s not just securing our own organisation, it’s how that spreads out across the whole ecosystem.

“We need cross sector collaboration and public private collaborative networks.”

Mr McCabe said that he was working within DoHAC on the establishment of a Health Information Sharing and Analysis Centre.

“[We would] be working with industry to make sure that we can build our capability, not just within government, but across all parts of the healthcare ecosystem,” he said.

“We also have the Trusted Information Sharing Network for health and medical providers, as well as the Cyber and Infrastructure Security Centre that’s been set up as part of our security of critical infrastructure act as well.”
