The recent cyber-attack on Regis comes as a loud, red-flag warning to all aged care and retirement providers. The ASX-listed aged care operator’s data governance systems and processes would no doubt have been more robust had a well-executed strategy been in place.
However, for aged care providers in particular, the investment in establishing these data governance principles, systems and processes is extremely limited. Yet globally, the risk of cyber-attacks has been in the top ten business risks for several years.
The attack on Regis has resulted in personal data being published in the public domain. Given the highly sensitive nature of the data held in health and aged care, providers are a prime target for attackers. The advice is to expect more of the same.
While these attackers are clearly sophisticated in their approach and may be difficult to stop, it does not give providers justification to ignore their obligation to clients. Providers must make every effort to protect their clients’ personal information.
In a recent article, I highlighted the need and importance for all providers to develop and execute a business-wide approach to data governance. The attack on Regis and reportedly another aged care provider supports this position.
A data governance strategy and framework are key to managing and protecting your clients’ personal data. So what does data governance entail?
A data governance strategy fundamentally focuses on two key elements: the organisational and the technical components.
Organisationally, data governance establishes the roles and responsibilities people hold, the governance forums and the decision-making authority delegated to them, the escalation and conflict-resolution processes, and the supporting policies required.
The technical component of a data governance framework covers ten specific components: architecture; modelling and design; storage and operations; quality; integration and interoperability; document and content management; reference and master data; warehousing and business intelligence; metadata; and security.
Security is key to minimising the likelihood of successful attacks on an organisation’s data and the risk of personal information being made public. For organisations, security considerations cover a range of areas, with certification to ISO 27001 (Information Security Management) regarded as best practice. Additionally, the Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, published as the Strategies to Mitigate Cyber Security Incidents. It identifies eight essential areas for consideration.
- Whitelisting applications – specifying the approved software or executable files that are permitted to run on an organisation’s systems. The objective is to protect the organisation against potentially harmful applications.
- Application patch management – testing, acquiring and installing patches or code changes to update and secure applications.
- Patching operating systems – ensuring known operating system vulnerabilities are fixed to minimise the risk of malware compromising the operating system.
- Blocking untrusted Microsoft Office macros – blocking macros from untrusted sources, which are a common vehicle for malware.
- User application hardening – taking a finished application and making it difficult to reverse engineer and tamper with, to protect the application’s intellectual property and prevent its misuse.
- Restricting administrative privileges – limiting the users who can make significant changes to the operating environment.
- Multi-factor authentication – requiring the user to present two or more credentials before being granted access to a system.
- Data backups – regularly and systematically copying or archiving files and folders and storing the copies elsewhere, so they can be restored in the event of data loss.
As aged care and retirement providers, the protection of clients’ personal information is paramount. Providers must ensure they employ appropriate strategies and take the necessary actions to negate or limit any adverse impact on clients. A well-executed data governance strategy is fundamental to protecting both your clients and your business.
A more rigorous and systematic approach to data governance and cyber-security may have left the ASX-listed aged care operator less susceptible to the recent cyber-attack.
Ash Priest is the Managing Partner at Novigi