The targeted nature of cyber-attacks on aged care

11 February 2025

As published in the Summer edition of ACCPA’s Aged Care Today Magazine on page 100

It’s time to make security a priority

While technology has contributed significant efficiencies and improvements to care delivery in Australia, it has also opened the doors to malicious actors, making aged care organisations prime targets for cyber-attacks.

Recent surveys and statistics underscore the urgency for the sector to prioritise cyber resilience, particularly as new regulatory frameworks such as the revised Privacy Act and the Cyber Security Bill come into effect.

McGrathNicol's annual Ransomware Survey highlights a concerning reality. In 2023, 56 per cent of Australian businesses experienced a ransomware attack, including many in critical service industries like healthcare and aged care.

In 2024, 84 per cent of businesses attacked opted to pay the ransom, and with cyber ransom payments now averaging $1.4 million, it's clear that aged care organisations must invest more in their cyber defences, not just to prevent attacks but also to avoid devastating financial and operational impacts.

What makes aged care such a lucrative target is primarily the volume of personal and sensitive information these organisations store. The data includes medical records, financial details and personal identifiers that are invaluable to cybercriminals.

In fact, the McGrathNicol survey found 69 per cent of Australian businesses have been targeted due to their data richness.

In addition, aged care organisations often rely on legacy systems and technologies that are no longer supported by regular security updates, leaving them exposed to highly sophisticated cyber threats.

With the growing reliance on digital patient records and telehealth services, the attack surface has now expanded, offering more opportunities for cybercriminals to infiltrate an organisation.

The regulatory push

The Australian government’s recent updates to the Privacy Act and the introduction of the Cyber Security Bill mark a significant step in addressing the threat of a cyber-attack.

These regulations are designed to hold organisations accountable for protecting personal data and for reporting breaches. For aged care providers, this means an immediate need to review cyber security strategies to ensure compliance.

The Privacy Act now places greater emphasis on mandatory data breach reporting and the responsibility of organisations to protect personal information from unauthorised access.

In the aged care sector, where breaches can have life-altering consequences for residents, this is particularly significant. Providers must now not only focus on protecting data but also on having clear protocols in place for responding to breaches and notifying affected individuals swiftly.

The Cyber Security Bill further tightens the screws, mandating stronger cyber defences across sectors. The legislation calls for increased collaboration between private organisations and the government in combating cyber threats. For aged care providers, the proposed changes should be seen as an opportunity to develop strong partnerships with cyber security firms, legal experts and government agencies to bolster cyber defences and ensure compliance.

Building cyber resilience in aged care

So, where does the aged care sector go from here? The answer lies in prioritising cyber resilience and a holistic approach to preparing, responding to, and recovering from cyber-attacks. At the heart of cyber resilience is the need to invest in updated technologies, train staff on cyber hygiene and adopt proactive incident response plans.

Aged care organisations must also recognise that cyber resilience is not just an IT issue but a board-level responsibility. Ensuring the board and executive teams are educated on cyber risks and are committed to a culture of security is essential for long-term sustainability.

The rising wave of cyber-attacks targeting aged care in Australia is a stark reminder that no organisation is immune in today’s interconnected digital world.

With the combined pressures of evolving cyber threats and new regulatory demands from the Privacy Act and Cyber Security Bill, aged care providers must strengthen their cyber resilience, embracing technology, fostering partnerships and embedding security into their organisational DNA. Only then can they ensure that they are not only protecting sensitive data but also safeguarding the trust and wellbeing of those they care for.