What We Learnt About the Cybersecurity Elephant

According to Prof Patricia Williams, CISCO Chair and Professor of Digital Health Systems at Flinders University, it's definitely much better to adopt another pachyderm adage, "You eat an elephant one bite at a time".

It’s easy to feel scared by cybersecurity matters because:

• cyber-attacks in the media are only a small fraction of those happening
• they can affect patient safety and the financial bottom line
• health providers account for a large proportion of data breaches in Australia and globally
• for the ‘bad guys’, it’s simply a numbers game with what they send into cyberspace. They’ve got nothing against you personally, but they can make a lot of money interrupting your business or demonstrating they’ve got the sensitive information you hold.

MDA National’s How to Avoid Catching and Sharing IT Woes forum on 21 March 2018 included a Q&A panel session and talks by Prof Williams, Gae Nuttall (MDA National Risk Adviser) and Jonathan McCoy (Lawyer and Information Security Specialist). Held in Perth, the education session was moderated by Dr Jane Deacon (GP and Medico-legal Adviser), and over 50 Members and their practice staff attended.

Prof Williams broke the cybersecurity elephant down into a list of smaller bites for practices, including:

• roles and responsibilities
• managing systems access
• internet and email use
• backup
• mobile electronic devices.

Gae Nuttall was particularly struck when Prof Williams said, “People aren’t the weakest link, they are the only link”. Cybersecurity isn’t a case of set-and-forget; people need to be constantly involved. “Trish’s comment made it clear how very important staff training is,” said Gae. “The whole team needs to understand their role in helping to prevent cyber problems.”

And something Gae stated about privacy policies especially resonated with participants. The most common theme in what people were going to do differently as a result of this forum related to the practice’s privacy policy. Having the legally required privacy policy establishes a culture and set of processes that help your workplace fulfil other responsibilities. “Your privacy policy must be clearly expressed, up to date and freely available,” Gae emphasised. “An appropriate privacy policy ensures that privacy compliance is included in the design and implementation of your information systems and practices. There are handy templates available to help.”

Another bite participants frequently said they would take up next because of what they learned was better planning for a data breach. Jonathan said people generally react to a cybersecurity incident “without due regard or logic”. So being prepared is vital. Have you genuinely tested your digital backup system? Do you know what your provider says they’ll do regarding your backup, and are they actually doing it?

Improving email use was another common actionable bite for attendees. Prof Williams gave a handy tip that if you’re archiving a moderate number of emails containing sensitive information, then each email can readily be individually encrypted.

Dr Deacon’s take home message was that cybersecurity has many different aspects: “It’s not one thing, and it’s important that we keep working on the various parts”. Find a piece and chew.

Resources and more information

• MDA National. Disaster Preparation and Privacy Management – Practice Managers Update 2016 
• MDA National. Cyber Resources 
• MDA National. Privacy Resources

Keep an eye out for our future cybersecurity education activities available nationally.

MDA National Education Services