Data security and patient safety

James Wishart, Industry Director – Health & Community Services, TechnologyOne

There are many reasons why healthcare providers may have poor cybersecurity, especially when most resources are focused on delivering patient care. As the industry adopts new technologies, patients get better and more efficient services — but the opportunity for digital attacks also increases. Hospitals and healthcare facilities have become a key target for cybercriminals, with attempts to steal data expected to rise over the coming months.

The damage caused by the WannaCry ransomware during and after it held systems hostage in May 2017 exposed just how vulnerable healthcare networks are to cyberattacks. Spreading indiscriminately to 300,000 computers in 150 countries, WannaCry’s hold over infected systems blocked hospitals from accessing patient records, diverted ambulances to unaffected hospitals, and forced doctors to cancel surgeries.

COVID-19 has put additional strain on hospitals and resources in a way that no one could have fully predicted, and a potential data breach is too high a risk to take in the current environment. Poor security measures and data handling could result in fines of up to $2.1 million (for corporations with an annual turnover of more than $3 million). In 2018, nearly a quarter of data breaches reported under the data breach regime took place in the healthcare sector. This makes it essential that hospitals ensure data is protected through enforced organisation-wide processes which meet industry standards.

Clinicians work hard to ensure patient safety, and IT security must be considered another layer in its success. It is fundamental to the ability of health providers to protect patient data and mitigate the risk of disruption to clinical operations.

Supply chain threats

One of the more common vulnerabilities in a system is the hospital supply chain, due to the numerous entry points and legacy systems that lack cybersecurity practices. Entry points that threat actors can use to compromise the hospital supply chain range from manufacturers, distribution centers and transportation companies to third-party contractors and developers of the software and mobile apps hospitals use, as well as past and non-core services staff.

To date, the majority of publicly reported cyberattacks against hospitals have been one of the following: data breaches, ransomware, or medical device compromise. Several high-profile breaches in recent years involved lapses in the supply chain. Furthermore, according to a health and human services public breach reporting tool, 30 per cent of healthcare breaches in 2016 were due to business associates and third-party vendor breaches.

Supply chain threats arise as a result of outsourcing to suppliers and the lack of verifiable physical and cybersecurity practices in place at those suppliers. Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may themselves be outsourcing resources. This allows perpetrators to exploit sensitive information across the supply chain.

Cybersecurity must be a priority

Few industries are exposed to greater levels of innovation and have access to more technology than healthcare. But for all its forward-thinking, the industry has been comparatively slow when it comes to reducing manual and paper-based processes.


In the aftermath of the WannaCry attacks, many organisations planned to increase their cybersecurity capabilities. The reality is that most still aren’t truly ready to face today’s complex cyberthreat landscape. And healthcare is on the front line.


For healthcare system digitisation to be successful, it is imperative healthcare leaders continue to make cybersecurity and data protection a top priority. Healthcare providers need to expect the unexpected, but you can be prepared and take proactive, preventive steps to avoid the worst outcomes.


Healthcare IT teams must also create, enforce, and frequently review a risk management system and governance framework related to the transfer of resources to and from any entity outside a network’s trusted circle to minimize the risk of supply chain attacks. The smooth operation of daily hospital services can make a life-or-death difference for patients, and IT security should be an enabler, rather than an obstacle, to delivering patient care.

Optimal security, compliance and privacy

TechnologyOne has spent hundreds of millions of dollars building the world’s most trusted SaaS ERP solution that’s secure, reliable and compliant. We protect your data with encryption in transit and at rest, and provide administrative controls to enforce organisation-wide protection.

We are committed to protecting the privacy of your data and your patients’ data, and preventing it from unauthorised access with industry best practices and standards such as AT-C 205 SOC 2, GDPR, HIPAA and IRAP. We certify with industry-accepted standards so you can verify that your organisation and patient data remain secure and compliant.

TechnologyOne recognises the importance of the performance of online technology and how personal information is collected, stored, used and disclosed and understands the importance people place on their personal information. We are committed to ensuring that all information collected by us is treated with the appropriate degree of privacy and confidentiality.

Publish date

05 Oct 2020
