18 May 2017

CU LAB: Health care: the new frontier for cyber security

Find out why cyber security is an issue in health care with our expert, Tim Webb.



Cyber security is an issue in health care because health care is becoming increasingly digitised. We're living in the age of the internet of things where smartphones and Fitbits store and transmit data about our physical activity, calorie intake and sleeping habits. 2006 was a milestone year in respect of cyber security and health care, because implantable devices started to have networking capability ‒ so for example cardiac devices gather data and transmit it to a healthcare provider in relation to the patient's health, and that information is used to improve patient outcomes.

But with those benefits come risks. Devices that use networking capability can potentially be hacked, and as a result the patient's data or the devices themselves can be exposed to malicious forces.

The responsibility for cyber security in health care is shared. This means that medical device manufacturers, health care practitioners, hospitals and patients must all work together to ensure that medical devices and their associated data are kept secure. I think of it like pillars working together to hold up a roof. Each pillar has a role to play to ensure that the roof is stable and the house is secure.

So what should each player be doing? Well, for medical device manufacturers, the US Food and Drug Administration adopts the NIST framework core, which has five continuous functions: identify, protect, detect, respond and recover.

Manufacturers should monitor cyber security sources to identify risks. They should update their products to respond to those risks. They should have features that log and detect security compromises and develop responses to them, and they should adopt industry standards when responding to cyber security vulnerabilities.

The same principles apply to health care practitioners who should also comply with their privacy obligations such as the Australian Privacy Principles, which require personal information to be stored securely.

For patients it's all about good cyber hygiene. Educate yourself on the risks involved and work with your physician to mitigate those risks. For its part Australia's Therapeutic Goods Administration recommends that all stakeholders perform frequent risk assessments for a medical device in its host environment.