Dealing with cyber risks in health care
Keeping patient records secure is a priority at St John of God Health Care. CFO Steve Goldsworthy CA outlines its approach.
- Cybersecurity is a top priority for Steve Goldsworthy CA, group CFO of St John of God Health Care.
- In the year to February 2019, 206 of the 964 serious data breaches reported to the Office of the Australian Information Commissioner were in the health services sector.
- Breaches are especially damaging for healthcare providers because, penalty or not, the loss of patient trust and reputation flows through to the finances.
By Beverley Head
It’s no surprise that cybersecurity is a top issue for Steve Goldsworthy CA, group chief financial officer for St John of God Health Care.
“Most organisations would have it high on their risk registers at the moment, especially those that have confidential information like patient information,” says Goldsworthy. “As CFO you need to be across all risks and impacts for the organisation.”
Over the 12 months to February 2019, the first year of Australia’s notifiable data breaches scheme, 964 serious incidents were reported to the Office of the Australian Information Commissioner (OAIC). The sector most affected was health services, which reported 206 such incidents: 113 prompted by human error, 90 deemed malicious and three due to a system problem.
How data breaches impact finances
“If you have a major cybersecurity event that impacts the organisation’s records, whether there is a financial penalty or not, there is an impact on the trust of the organisation and on reputation which will ultimately impact the finances,” says Goldsworthy. “CFOs need to take a broader view on risks.”
St John of God Health Care employs almost 14,000 staff across Australia, New Zealand and the Asia-Pacific. It operates 24 facilities with 3400 hospital beds, and provides home nursing, disability services and social outreach programs. Underpinning all of that are vast reserves of personal, often highly confidential, information that require proper protection.
The organisation recently went through a review and appointed a group manager of cybersecurity. According to Goldsworthy, CFOs and technology teams must work closely on the issue.
“You need to ask your digital technology teams to develop plans and projects to bring you up the maturity curve. Then you need a roadmap of projects that are required based on risk tolerance, and ideally with a cost benefit, so it’s really clear what projects need to occur to bring you to the next level, and what you are comfortable with in terms of risk tolerance.”
That includes consideration of risk transfer. “Historically, cyber insurance has been cost prohibitive. Prices have started to come down and I think most organisations are now seriously considering it,” he says.
Human error is a big cyber risk
Given the high incidence of human error that the OAIC has uncovered, cyber awareness education is critical – and that includes the finance team.
“Finance workloads are electronic these days. We receive regular phishing emails, some looking very similar to internal workflows, so we regularly train the team to be aware about threats,” he says.
“We look at training them to identify the unique identifiers with our workloads, so they can be sure to only click on links from internally generated sources.”
It’s not infallible. Goldsworthy acknowledges that if a hacker penetrated the system then the unique identifiers could be hijacked, but it does significantly raise staff awareness, which is an important step in the right direction.
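The weakness Goldsworthy points to is worth making concrete: a reference number or other identifier copied from a real workflow message proves nothing, because an attacker who has seen one message can reproduce it. What a phishing message cannot easily fake is where its link actually goes. The script below is an added example written for this article, not St John of God Health Care's tooling; the internal host names, the two sample emails and the invoice reference are all constructed. It extracts every link from an HTML message body and flags links whose target is not an allowlisted internal host, whose host is a one- or two-character edit away from a real one, or whose visible text shows a different URL from the real target. Both sample messages carry the same invoice reference; only the link target separates them.

```python
"""Flag links in workflow-style emails that do not point at internal hosts.

Added example, not the organisation's own tooling. The allowlisted hosts,
the sample messages and the invoice reference are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that genuine internal workflow links use.
INTERNAL_HOSTS = {"workflow.hospital-example.com", "finance.hospital-example.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted copies of internal hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in INTERNAL_HOSTS:
        reasons.append(f"target host {host!r} is not an internal host")
        # A host one or two edits away from a real one is a likely impersonation.
        for real in INTERNAL_HOSTS:
            if 0 < _edit_distance(host, real) <= 2:
                reasons.append(f"{host!r} looks like {real!r}")
    # Link text that displays a URL on a different host from the real target.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"text shows {shown.group(1)!r} but link goes to {host!r}")
    return reasons


def scan_email_html(html):
    """Return [(href, text, reasons)] for every link in the message body."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in extractor.links]


def suspicious_links(html):
    """Only the links that raised at least one reason."""
    return [(href, reasons) for href, _text, reasons in scan_email_html(html) if reasons]


# Constructed sample messages. Both carry the same invoice reference, so the
# copied identifier alone cannot tell them apart; the link target can.
GENUINE_EMAIL = (
    "<p>Invoice INV-2048 awaits your approval.</p>"
    '<a href="https://workflow.hospital-example.com/approve?ref=INV-2048">Approve INV-2048</a>'
)
PHISHING_EMAIL = (
    "<p>Invoice INV-2048 awaits your approval.</p>"
    '<a href="https://workflow.hospita1-example.com/approve?ref=INV-2048">'
    "https://workflow.hospital-example.com/approve</a>"
)

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE_EMAIL), ("phishing", PHISHING_EMAIL)):
        print(name, suspicious_links(body))
```

The genuine message produces no findings; the phishing message trips all three checks (external host, lookalike of an allowlisted host, displayed URL differs from target) despite carrying a correct-looking reference number. Treating the link target rather than the identifier as the thing to verify is the lesson of Goldsworthy's caveat, and such a check belongs in the mail gateway, where it runs on every message rather than relying on each recipient's attention.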