How Healthscope avoided being breached during the pandemic

Private healthcare provider Healthscope “did not get hit” by cybercriminals during the pandemic despite a flood of new attacks and the challenges of scaling up a 1990s-era infrastructure, the company’s former CISO has revealed in recounting the company’s extensive work to pull itself up by digital bootstraps to support tens of thousands of staff.

“In Australia, we’re a little behind the eight ball and we found ourselves in a state of complete lack of digitisation” when the pandemic set in, former CISO Mitra Minai – who helmed the organisation’s security response through the pandemic before departing for KPMG Australia in May – explained during the recent ISACA Oceania 2022 conference.

That lack of digital infrastructure meant that despite having more than 19,000 employees in 41 hospitals nationwide, the company initially only had enough VPN infrastructure to support 20 concurrent users.

As staff were pushed offsite and forced to work from home where possible, the IT team bolted into action, with Minai reaching out to suppliers for support to rapidly scale up its remote access infrastructure.

“Thank goodness I was well connected in our industry,” she said, “and I asked for favours to really ramp up our VPN to be over 2000 concurrent users.”

Yet bolstering the organisation’s technical infrastructure was only the beginning: education around remote access, VPNs, and multi-factor authentication was crucial, Minai explained, because “quite a few of the people in the workforce had never used even some of those basic technologies that you and I take for granted every day.”

“It was at that level of capability and maturity where we really needed to ramp up some of the foundational level technology capabilities.”

Ramping up remote access was only the beginning of the transformation challenges that Healthscope faced, however, as it overhauled its network edge to support a healthcare workforce that suddenly had to become more mobile and adaptive than ever before.

That included the introduction of a range of new technologies for instrumenting the intelligent edge – including remote assessment of patients, delivery of telehealth services, and the introduction of extensive data analytics capabilities to support that.

“We were working in a completely different way to how we had been used to working for the last 15 to 20 years across our hospitals,” Minai explained.

“Just working through those challenges saw us bring in a lot of technology, emerging technologies and more sophisticated technologies that historically our hospitals have not invested in, just simply because we had to keep our operations going and keep maturing how we service their patients.”

Quick studies on securing the new edge

After years of technological inertia, the rapid change across Healthscope’s network saw it undergo dramatic modernisation in a short period of time.

Even as the technology team helped introduce or upgrade big-picture technology platforms such as its data warehouse and analytics capabilities, it became clear that many hospital managers had been doing their own technology investment.

“We found that each of the general managers of the hospitals had purchased medical devices to make their individual hospitals function, without much consideration of the internet capabilities and the various threats and risks associated with that,” Minei explained.

“There was quite a bit of potential threat and attacks that were going to happen across the health sector, so it was a very quick and rapid identification and management of the key risk scenario environment to make sure that we weren’t next – or if we were next, how we would manage and reduce the impact to the organisation.”

Yet the need to manage that risk exposed bigger problems: a “lack of maturity in operational risk management”, Minai explained, saw an ageing business continuity plan “dusted off and refreshed on a yearly basis.”

“We did not have the level of maturity and sophistication to talk the language of governance and risk management from an operational perspective,” she said, “so there was a really rapid education of the board and executive leadership team on good technology risk management practices.”

That included, for example, advice around prioritising and funding to keep the organisation’s technology risk within acceptable parameters.

By rallying hospital leaders, technology teams and company executives to a common cause, Minai said, the organisation was successful in protecting its assets throughout the pandemic despite the very low base from which it began.

“I’m very proud to say that in my time as CISO, we did not get hit,” Minai said, “and we triaged quite a few attempted attacks into our environment.”

She attributes the company’s success to the broad understanding that an effective response required not only technological investment, but an associated investment in time and understanding that helped the executive track the company’s changing risk profile.

“When a pandemic like this hits, people start to really understand what good governance and good risk management looks like,” she said, “and the decisions they make around key activities they need to undertake becomes accelerated.”

“We would have still been stuck in the 1990s if the pandemic hadn’t hit,” Minai added. “We probably would not have invested so heavily and accelerated our journey to digitise a lot of our hospitals, if the pandemic had not forced us into it.”