Did You Know That ADHA Will Monitor Your Systems for Signs of Malware Infection?
Authored by David Carroll
Welcome back, this week we continue our look at cyber response.
My Health Record and Cyber Incidents
Did you know that under the My Health Record system, registered entities such as Pharmacies must follow a series of rules?
The purpose of the My Health Records Rule 2016 (the Rules) is to support the secure operation of the My Health Record system by prescribing rules that relate to:
- Access control mechanisms provided by the System Operator to individuals to manage their My Health Record;
- The security, integrity and operation of the My Health Record system;
- The handling of specified types of records;
- Identity verification; and
- Participation requirements for healthcare provider organisations operators to be eligible to register and remain registered with the My Health Record system.
You may not realise it, but as part of these rules, the Australian Digital Health Agency (ADHA) will monitor your pharmacy device connections and block your connection to their services if they detect malicious traffic or suspect your systems have been compromised.
Requirement to Assist
Suppose ADHA detects a potential system compromise, (e.g. malware) to protect patient data, they may suspend your access to MYHR and other ADHA systems and require you to assist with an investigation.
Under Rule 32 of the My Health Records Rule 2016, as a healthcare provider, you must provide ADHA with all necessary assistance about their inquiry.
What Will ADHA Require Me to Do If They Detect Malware on My Systems?
Suppose ADHA detect that your system is compromised or has been participating in suspicious online activity, such as actively scanning other systems or hosting malware. In that case, they will remove all access to their systems to protect patient data and privacy. They will then issue you with a formal letter requiring you to:
Make a formal Report to ACSC or ACORN
As part of your response to the incident, you will need to report to the ACSC at https://www.cyber.gov.au/acsc/report. The report will be sent to the police, who may contact you for further information, depending on the circumstances to the breach.
Respond with a Formal Report to ADHA
ADHA will also require you to respond to questions about the incident so they can assess the impact of the incident to the MyHR data and your patient’s data privacy.
It means you will need to investigate the suspected incident and respond to ADHA with a formal response, detailing what you have done to resolve the incident and what steps you have taken to prevent the event from occurring again.
Can I prevent this from Occurring?
As you can infer from the above steps, an incident at your pharmacy will significantly impact your daily operations. It will incur costs from your IT provider to get your systems reinstalled and re-setup to ensure the malware/infection is removed. You may also incur additional costs by engaging a professional security organisation to investigate and report the incident.
The best defence from these types of incidents is good cyber hygiene –as we have covered in many of our previous posts covering the ACSC essential 8, and being prepared for an incident to occur by either:
- Having an incident repose plan or;
- Partnering with a third-party security provider to assist and lead the investigation for you.
Next Week
Next week, I cover what is needed in an Incident Response Plan and how you can practice responding with your team.
If you are worried about the security of your pharmacy systems and want to know how you can implement strong security in your pharmacy and protect yourself from ransomware, speak to your Corum Customer Success Manager or contact us on 1300 669 865.