Is your practice on track to cybersecurity resilience and protection?


Just how robust is your cybersecurity supply chain? Privacy and cybersecurity assurance specialist Ash Runham explains the importance of understanding and managing your cybersecurity risk.



With the explosion of working from home, telehealth, and virtual offices through the COVID-19 lockdowns in 2020, physiotherapy practices were thrown into the deep end having to rapidly pivot to be able to provide IT-centric services to clients.


Now more than ever, with the new normal here to stay, all organisations, particularly those performing healthcare services, need to consider cybersecurity risk management at the forefront of practice management and governance.


This includes the end-to-end design, delivery, maintenance and management of cyber systems.


Effective cyber supply chain risk management ensures, as far as is reasonably possible, the secure and private supply of healthcare services, not to mention avoidance of the $360,000 (individuals) and $1,800,000 (corporate practices) penalties that can follow noncompliance with the Australian Privacy Principles.


How secure is your IT hardware and software and what is a cybersecurity supply chain?


Have you ever asked yourself how toxic your cybersecurity supply chain is? Why would you?


Similar to the bioaccumulation of toxins in a food chain, the cybersecurity risk within an organisation’s cyber supply chain builds up (cyber risk accumulation) and is ultimately transferred to a healthcare provider’s clients when those clients trust the provider with their sensitive personal data.


Each time you interact with practice management software, financial software, telehealth, banking, laptops and MacBooks, your internet provider, your mobile phone or social media (the list goes on), there is an inherent cybersecurity risk.


As such, these outside providers affect the security of a practice’s own systems and services.


A supplier that holds valuable data, operates with privileged access into your systems, or controls a large portion of your cyber supply chain represents a correspondingly larger risk, because a compromise of that supplier is, in effect, a compromise of your practice.


Unless the risk is dealt with, sensitive client data can be exposed or, in the worst case, stolen and misused. The consequences can be wide-reaching and harmful to your clients and to your practice.


How to begin to protect your practice’s cybersecurity supply chain


As set out by the Australian Cyber Security Centre (ACSC), cyber supply chain risk management can be achieved by:



  • identifying the cyber supply chain

  • understanding cyber supply chain risk

  • setting cybersecurity expectations

  • auditing for compliance.


Identify the cyber supply chain


The first step in cyber supply chain risk management is for an organisation to establish a list of suppliers they have business arrangements with.


While this might seem daunting, prioritise identifying the suppliers responsible for products or services that perform security-enforcing functions, hold privileged access, or handle particularly sensitive information.


Practically, this means finding out what equipment you use, what software is installed on it, which cloud services it connects to, and who has access to those devices and to the content on them.


Understand cyber supply chain risk


Following the establishment of a list of suppliers that clinical practices have business arrangements with, directors and practice managers should seek to understand the cyber supply chain risk that those suppliers pose.


Health practitioners should be aware that health information is defined as ‘sensitive information’ under the Australian Privacy Act. Stricter requirements apply when handling it, and it is generally afforded a higher level of protection under the Australian Privacy Principles than other personal information.


In some cases, cyber supply chain risk will be the result of foreign control or interference, poor security practices, a lack of transparency, or enduring access.


For example, outsourced information technology or cloud services may be hosted offshore and subject to lawful, and possibly covert, data collection by foreign governments without the clients’ knowledge.


Additionally, even foreign-owned service providers operating within Australia may be subject to a foreign government’s lawful access to data belonging to their customers.


For example, what practice management software do you use and where is the data stored? Do you know which country those servers are in, and whether and how the data is encrypted, both in transit and at rest?


For health providers delivering telehealth, which platforms are being used, and what security and privacy compliance can those platforms actually demonstrate?


As a result of understanding their cyber supply chain risk, practice owners should be able to develop a prioritised list of suppliers that present the highest risk to their organisation.


Set cybersecurity expectations


Practitioners should seek to establish cybersecurity expectations with all their business partners.


Cybersecurity expectations should be justifiable, achievable, and proportional to the information being entrusted to them or the role that their products or services play in an organisation’s systems.


Furthermore, it is critical that such expectations stipulate the requirement for any cybersecurity incidents to be openly and transparently reported to their customers and appropriate authorities in a timely manner.


Independent audits for privacy and data security compliance


I am regularly faced with allied health practitioners who are extremely anxious about their cyber supply chain security risk exposure, particularly when using cloud solutions.


The good news is there are a few steps that can be performed to drastically improve your security and reduce risk.


One way to achieve such assurances is through routine audits or other forms of technical assessments.


Provisions for such activities serve to gain independent assurances of the security posture of suppliers and your own IT assets.


Why should it be independent? Simple—integrity.


Independent audits and assessments are not designed to pull organisations and industries down but rather to lift them up. They do this by eliminating the familiarity threat.


A familiarity threat is a well-documented and understood compliance threat: because of a long or close relationship with a system or project, an internal professional or partner (they could be your business or personal partner) will be too sympathetic to the organisation’s interests, or too accepting of the organisation’s work, to adequately assess it or find weaknesses in its effectiveness.


A best-practice independent audit or assessment by a qualified specialist brings credibility to an organisation’s cybersecurity controls and greatly reduces the scope for accusations of marketing puffery or misleading statements about the controls and their effectiveness.


Step 1—Get your own house in order, make sure your network and IT assets are secure.


At the end of the day, your cloud computing software (accounting, practice management or telehealth) and your wider supply chain are only as secure as your own devices.


If one of your own devices is compromised, the attacker inherits your access to every link in your cyber supply chain, including your cloud computing providers, regardless of how well those providers secure their own systems.


For example, I remember talking with a psychologist as they recounted how a cybercriminal managed to infiltrate an associate’s laptop and secretly changed the payment details on outgoing invoices to another bank account.


It took more than 60 days before the business realised that what they thought was a spike in customers’ tardiness in paying invoices was actually a breach in their cyber supply chain, with the root cause traced back to their very own device being compromised, not their cloud accounting provider. A simple control would have caught it sooner: reconcile invoices against bank receipts regularly, and verify any change to payment details with the other party over a separate, already-known channel before acting on it.


How to do this: have an independent privacy and data security assessment of your own IT equipment and assets conducted by qualified cybersecurity auditing experts. Note that your general IT providers and partners built and maintain the systems in question, so they are not independent of them and would typically not be suited to perform independent cybersecurity assurance work.


Step 2—Conduct basic due diligence on your cloud-based providers.


Compile a list of your high-priority cloud-based providers. For each provider on the list, contact them and request evidence of an independent audit, review or assessment of their security controls, for example a SOC 2 report or an ISO/IEC 27001 certificate. When you receive it, check that the report is current, that its scope actually covers the service and data centre region you use, and whether any exceptions were noted.


If you are not comfortable doing this yourself, engage a qualified IT auditing professional to do it on your behalf.


This is a critical step in securing your cybersecurity supply chain: these audits independently validate that the statements made by your supplier about their cybersecurity are accurate and that the controls are in place and effective.


Just as accountants are regularly independently audited, builders are certified by independent engineers, and medical practitioners are subject to peer supervision, cloud software providers that handle sensitive data are governed by IT standards and audits under various legislation and guidelines, depending on where they and their customers operate, such as the Australian Privacy Act, HIPAA, HITECH, the EU GDPR and the UK GDPR.


Take control of your cybersecurity risk


Under the Privacy Act 1988 and My Health Records Act 2012, clinical practitioners are accountable and responsible for their data security supply chain.


Although you cannot outsource your privacy obligations, take heart, because you are in control. Trust me, best-in-class providers are out there for your practice.


If you work through the action plan listed above, you are well on your way to protecting your practice.


If you are unsure of the process of becoming data compliant and protected, get independent support.


Ensure your own IT assets are secure by having them assessed by a qualified independent IT auditor. They will understand your business risks and exposure and will provide specific recommendations and remediation steps to protect you and your clients.


Ash Runham (GradDip CA, BBus(Accy), CertCSAuditing) is a privacy and cybersecurity expert and co-founder of Vaultron Technology, a privacy and data security compliance consulting firm that specialises in privacy by design assessments for healthcare practitioners and their practices. Ash has over 20 years’ experience as an internal controls and governance professional and has conducted internal control audits in the UK, Denmark, Netherlands, Belgium, Spain, France, Germany, USA and Australia.



References


Australian Signals Directorate, Australian Cyber Security Centre: Cyber Supply Chain Risk Management, January 2021. https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management

Office of the Australian Information Commissioner: Australian Privacy Principles guidelines. https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/

Australian Privacy Act 1988. https://www.legislation.gov.au/Details/C2021C00024

ISO/IEC JTC 1/SC 27: Information security, cybersecurity and privacy protection. https://www.iso.org/committee/45306.html

SOC 2® Examination That Addresses Additional Subject Matters and Additional Criteria. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/soc2ad...

Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements (ASA 102). https://www.auasb.gov.au/admin/file/content102/c3/ASA_102_Auditing_Stand...

Code of Ethics for Professional Auditors. https://apesb.org.au/uploads/standards/superseded_pronouncements/2109201...

© Copyright 2024 by Australian Physiotherapy Association. All rights reserved.