Experts have issued a warning about the vulnerable technology at the heart of Australian health systems.

New research has found that local health systems may need training programs and tighter regulations to strengthen their cybersecurity.

A team from UNSW compared the cybersecurity landscape of Australian health systems with their international counterparts and examined recent trends in healthcare breaches.

They demonstrated that the abilities of nefarious actors have raced ahead, while health systems have struggled to keep up. Often hospitals run outdated, legacy operating systems that allow hackers an easy way in.

“We now see almost all systems, such as radiology, pathology and patient records being digitised,” said researcher Dr Elena Sitnikova.

“The corresponding cybersecurity requirements have not evolved as fast sensitive data, such as HIV status or sexual history, has also been obtained by hackers and used against individuals.”

Dr Sitnikova said interconnected systems such as My Health Record can be life-saving tools as they provide immediate access to patient data when needed most.

However, they can also place lives at risk due to ransomware attacks that cripple hospital functioning to targeted attacks on critical data records.

An increase in attacks against hospitals and public health data has been recorded when health workers are subject to extra stress and stretched resources.

“Digital health records can also be used for precision harm against individuals,” Professor Raina MacIntyre said.

“It has been shown, for example, that CT scans can be hacked and altered so that evidence of cancer can be removed or added – imagine the harm that could cause if an individual were targeted in this way.”

Professor MacIntyre said training health managers would be a step in the right direction form securing this data.

“There are currently no cybersecurity training programs stipulated by health management accrediting bodies in Australia such as RACMA or ACHSM, and those in the healthcare profession may be inadequately equipped to manage cybersecurity threats or breaches,” she said.

“Cybersecurity is everybody’s business – from health administrators in the reception area to surgeons in the operating theatre.

“A culture of cybersecurity maturity must be proactively developed within healthcare systems to help mitigate cyber threats.”

She said the systems themselves also need to be strengthened to improve the protection of sensitive data against theft, loss or corruption.

Dr Sitnikova points to the US Healthcare Insurance Portability and Accountability Act (HIPAA) as a good example of more stringent regulations.

The HIPAA mandates encryption, reporting of breaches, education and risk assessment.

“We need to follow best practices which already exist and customise them to our own needs in Australia,” Dr Sitnikova said.

“Even with the HIPAA, the US still faces cyber-attacks on hospitals – so we are even more vulnerable.”

The study is accessible here.