Our client is a not-for-profit welfare organisation with a history of dedicated aged care service in Melbourne communities for over 70 years. The key business areas cover a range of aged care services including Residential Care, Respite Care, Day Centre, and Home Care.
A combination of recent expansion and growth, increased government compliance obligations and new COVID precautions significantly changed the organisation's risk profile. This created a requirement to assess and improve business resilience and to reduce the risk to care provision and business operations in the event of a cyber security incident.
The client need
The client wanted DFP to assess their cyber security resilience and undertake a ‘fit for purpose’ set of improvements to their technology, business control practices and staff mindsets to reduce the exposures inherent in the current situation.
To tackle this problem, DFP undertook a detailed three-week diagnostic of the organisation's cyber security capabilities, based on our proven Cyber Security capability reference model. The assessment highlighted a range of significant weaknesses across several dimensions: work practices, technology design, data protection, and vulnerability assessment, management and testing. A cyber security hardening program was then proposed and delivered over a three-month period. The hardening program introduced modernised cyber protection and monitoring tools, strengthened the technology architecture, added stronger data protections, and established a more formal cyber security monitoring and control framework from the CEO down.
The improved cyber security operating model, combined with best practice tools covering all dimensions of the organisation, reduced the key risks to an acceptable level. The security resilience score rose from 36% to 68%, placing our client at a best practice level of resilience for their industry sector.
Staff retraining has raised awareness of appropriate data handling practices and of how to recognise misleading and fraudulent requests from attackers.
IT practices for applying security patches, and for ensuring that IT enhancements and new technology are secure by design, have been well instituted, and the client's key vendors are now required to comply with the uplifted practices.
Our client now has 24 x 7 monitoring and alerting on key events that appear abnormal and represent a potential or actual threat. This uplifted capability has also helped our client build further confidence and trust with the families they serve, by demonstrating that they take cyber security seriously and are mature in their risk management practices.