The Royal Australian College of General Practitioners (RACGP) has urged general practitioners (GPs) to shape up their information security after a series of practices and surgeries fell victim to ransomware scams.
The warnings follow an attack on a Gold Coast medical clinic in which attackers used Remote Desktop Protocol (RDP) access and brute-force password guessing to get in, then encrypted thousands of patient health records with ransomware.
They demanded $4000 to decrypt the sensitive information.
Police sources say up to six other Queensland clinics were attacked in the same week.
RACGP president Dr Liz Marles urged GPs to adopt a series of standards (pdf) and a workbook the RACGP developed last year in conjunction with Edith Cowan University's Dr Patricia Williams, who specialises in healthcare security research.
“Even large multinational corporations and governments are susceptible to sophisticated cyber-security breaches; however, if the right precautions are taken early enough, the vulnerability of the system is greatly reduced and it is less likely to be infiltrated," Dr Marles said.
“Ensuring comprehensive backup and recovery procedures for practice information are in place, including checking the backup and data restoration process regularly, is the best corrective solution to regaining lost data should a cyber-security breach take place."
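The recommendation above is to check the restoration process regularly, not just that a backup job ran. The following script, added here as an illustration and not part of the RACGP standards or workbook, shows what such a check looks like in practice: it takes a backup of a few constructed sample files, records a hash manifest, restores the archive into a scratch directory and verifies every file against the manifest. It also simulates a backup that ransomware has reached (the bytes are scrambled) to show that the check reports an unreadable archive instead of silently passing. File names, contents and the XOR "encryption" are all invented for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample practice data standing in for patient records. Not real data.
SAMPLE_FILES = {
    "records/patient_0001.txt": b"Name: J Citizen\nDOB: 1970-01-01\nNotes: routine review\n",
    "records/patient_0002.txt": b"Name: A Person\nDOB: 1985-06-30\nNotes: script renewed\n",
    "billing/2012-12.csv": b"date,item,amount\n2012-12-03,23,37.05\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Pack files into a gzip'd tar in memory and return (archive_bytes, manifest).
    The manifest records each path's SHA-256 at backup time. Keep it separate
    from the archive so that whatever damages the archive (disk failure,
    ransomware reaching the backup share) cannot also hide the damage."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_hex(data)
    return buf.getvalue(), manifest


def verify_restore(archive_bytes, manifest):
    """Restore into a scratch directory and check that every manifest entry is
    present with the expected hash. Returns (ok, problems). An unreadable
    archive is reported as a failure rather than raised as an exception."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal, links out of tree
                except TypeError:                           # older Python without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return False, [f"archive unreadable: {exc}"]
        for path, expected in manifest.items():
            full = os.path.join(scratch, path)
            if not os.path.isfile(full):
                problems.append(f"missing: {path}")
                continue
            with open(full, "rb") as fh:
                if sha256_hex(fh.read()) != expected:
                    problems.append(f"hash mismatch: {path}")
    return not problems, problems


def simulate_encrypted_backup(archive_bytes, key=0x5A):
    """Stand-in for ransomware that has reached the backup: scramble every byte."""
    return bytes(b ^ key for b in archive_bytes)


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("clean restore:", verify_restore(archive, manifest))
    print("scrambled archive:", verify_restore(simulate_encrypted_backup(archive), manifest))
```

Run as a scheduled job against the real backup set, the useful output is the `problems` list: a missing file or hash mismatch means the backup would not actually have recovered the practice's records, and that is the thing worth finding before an incident rather than during one.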
The standards are a revised self-assessment guide and checklist for GPs that records a dozen security controls.
The association said it was important that GPs improve their security posture as more health records are stored on network-connected devices.
Dr Williams wrote in a paper (pdf) last year that the Federal Government's Personally Controlled Electronic Health Record, while an "important and positive move", presented significant security risks that had been neither defined nor addressed.
"Until Australia’s e-health system is fully operational, the realisation of both the benefits and the vulnerabilities may not be apparent," Dr Williams wrote.
"However, what is known is that the vulnerability of this national asset is based on the multiplicity of services required, the mix of public and private healthcare providers, the complexity of connections, the level of knowledge and skills in IT and security, and the difficulty in perceiving a comprehensive national system vision."
The association said GPs should run up-to-date anti-virus software, patch their systems, and secure remote access.
The poster of security process controls below, created by the National Security Agency, can be printed out as a guide.
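The Gold Coast intrusion began with password guessing against an exposed RDP service, which is noisy: every failed attempt lands in the Windows Security log as event 4625 with logon type 10 (RemoteInteractive). The detector below is an added example, not code from the RACGP, the NSA poster or any vendor, and runs over constructed log lines rather than real event records. It applies a sliding window per source IP, flags a burst of RDP failures, and notes when a successful RDP logon (event 4624) from the same address follows the burst, which is the moment a guessed password has worked. The flat one-line log format, the IP addresses, usernames and timestamps are all invented for the example; real 4625 events are XML and would need a different parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines, loosely modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon) flattened to one line each.
# LogonType 10 is RemoteInteractive, i.e. an RDP session. Not real records.
SAMPLE_LOG = """\
2012-12-10T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2012-12-10T02:14:02 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2012-12-10T02:14:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2012-12-10T02:14:03 EventID=4625 LogonType=10 TargetUserName=reception IpAddress=203.0.113.7
2012-12-10T02:14:05 EventID=4625 LogonType=10 TargetUserName=doctor IpAddress=203.0.113.7
2012-12-10T02:14:06 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2012-12-10T02:14:09 EventID=4624 LogonType=10 TargetUserName=reception IpAddress=203.0.113.7
2012-12-10T08:30:11 EventID=4625 LogonType=10 TargetUserName=drsmith IpAddress=198.51.100.20
2012-12-10T08:30:40 EventID=4624 LogonType=10 TargetUserName=drsmith IpAddress=198.51.100.20
2012-12-10T09:00:00 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
2012-12-10T09:00:01 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
2012-12-10T09:00:02 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
2012-12-10T09:00:03 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
2012-12-10T09:00:04 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
2012-12-10T09:00:05 EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = "10"
FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside any
    `window`, and record whether a successful RDP logon from the same IP
    followed the burst (the sign that a guessed password worked)."""
    recent = defaultdict(deque)   # ip -> timestamps of RDP failures still inside the window
    users = defaultdict(set)      # ip -> usernames tried over RDP
    findings = {}
    for rec in parse_events(text):
        if rec["ltype"] != RDP_LOGON_TYPE:
            continue              # network/SMB failures are a different signal, not counted here
        ip, ts = rec["ip"], rec["ts"]
        if rec["event"] == FAILED_LOGON:
            users[ip].add(rec["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"peak_failures": 0, "users": set(), "success_after": None})
                f["peak_failures"] = max(f["peak_failures"], len(q))
                f["users"] = set(users[ip])
        elif rec["event"] == SUCCESS_LOGON and ip in findings:
            findings[ip]["success_after"] = (rec["user"], ts.isoformat())
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed input only 203.0.113.7 is flagged: the single failure from 198.51.100.20 is a typo, and the burst from 192.0.2.44 is a network (type 3) logon rather than RDP, so it is left for a separate rule. The "success_after" field is the one to page on, since a successful logon from an address that has just been guessing is the point at which "secure remote access" has already failed and the practice is now in the hands of its backups.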