Cloud and genAI usage in sector brings new cyber risks

Cybercriminals don’t act in an ethical way, therefore, they have no problem preying on older people, hospital patients, or healthcare entities. For them, it seems, the financial opportunity is too good to miss.

It’s crucial that the health and care sectors operate with high cybersecurity and data protection standards, in order to keep our most vulnerable citizens and their sensitive data safe. 

The healthcare sector has consistently been Australian cyber’s weakest link, suffering the highest volumes of data breaches across sectors since 2018.

Experts say healthcare is a prime target due to the valuable data the industry holds, yet other data-rich sectors are managing to withstand similar levels of cyber threat without as much damage, indicating there’s room for improvement in healthcare. 

One of the main vector’s for the industry’s cyber problems is its ongoing digital transformation. 

New technologies introduce new cyber risks

Seeking to modernise operations, in recent years healthcare organisations have deployed new technologies at a fast pace. Cloud and generative AI have both been enthusiastically adopted by frontline and non-clinical workers alike. Both bring new cyber risks, and both require careful handling.  

The risks of cloud and AI manifest in various ways, which are all well captured in recent research. Analysing genAI usage in healthcare, the report shows that a large majority of the sector’s organisations (88 per cent) are now observing genAI usage among their teams.

In itself, this wouldn’t necessarily be problematic but these users are regularly putting sensitive data both in their prompts and documents they’re uploading into genAI tools such as ChatGPT, Google Gemini or Microsoft Copilot. These have included regulated data (44 per cent of all leaks), source code (29 per cent of leaks) and intellectual property (25 per cent of leaks).

Over two thirds of healthcare workers are also using personal genAI accounts at work, which is likely preventing security teams from properly monitoring the data being shared with these apps, or detecting and stopping potential data leaks. 

But genAI-related risk is only a small part of a broader issue. Healthcare workers are also regularly exposing sensitive data in cloud environments and applications, with regulated data being by far the most affected (81 per cent).

These cloud environments are being accessed by cyber criminals to compromise organisations and access sensitive data.

Attackers know that employees inherently trust the major applications that are managed by their organisation. Yet, previous research shows that 40 per cent of all malware delivered to healthcare workers came via the cloud applications they use every day at work (such as Google Drive and Microsoft Sharepoint). 

Staying alert, even in the rush

Healthcare staff operate in high pressure environments, and urgency and heightened emotional states can both contribute to poor decision making and enhanced cyber risk.

To be clear, the vast majority of healthcare data exposure by employees is unintentional, caused by a lack of awareness of cyber risk in the midst of the rush of the day-to-day job. 

However, healthcare staff have a duty to protect their patient and organisation’s sensitive information, and should stop and ask themselves if there is any risk involved with sharing data with someone, or uploading it in different applications or environments. Unfortunately they won't always know the answer.

Healthcare organisations need to understand that despite education and training – which has proven to be only marginally efficient – employees are never going to be foolproof security defences. 

Technology as a safety net

To achieve a strong security posture, organisations need to deploy security that serves as a safety net, preventing incidents even when employees forget, or find a way around security and data protection policies.

A first line of defence against gen-AI related data leaks is to deploy organisation-approved genAI applications among the workforce to centralise usage in applications whose data policies have been checked, and which can be monitored and secured by the organisation.

There are already positive signs that changes are happening. As organisations have increasingly deployed approved genAI tools, the use of personal genAI accounts by healthcare workers has declined from 87 per cent to 71 per cent over the past year. 

Security tools designed to prevent data loss and protect against risky behaviours also exist. Data Loss Prevention (DLP) policies allow organisations to monitor and control access to genAI and cloud applications, define the type of data that can be shared with them, and automatically block actions that break these policies.

More than half of healthcare organisations (54 per cent) have already deployed DLP policies for genAI, up from 31 per cent a year ago.

Real-time user coaching is another helpful technology tool, alerting employees in the moment if they are taking risky actions. For instance, if a care worker attempts to download a suspicious file from an external Sharepoint, a prompt will come up alerting them to the risk, and asking them to positively agree if they still want to proceed. This prompt can also be tailored to suggest alternative actions. A large majority of employees (73 per cent) do not proceed when presented with coaching prompts. 

Ultimately, healthcare organisations bear a fundamental responsibility to protect the sensitive information entrusted to them. This duty is constantly challenged by technology transformation, which introduces new cyber risks that healthcare workers are often ill-prepared for.

If the industry wants to shake off its reputation as a cybersecurity laggard, it is crucial that organisations keep their finger on the pulse of modern cyber threats, and adjust awareness efforts and technical integrations accordingly. 

---