Australia’s private hospital operators warn costs of proposed cybersecurity law could cause ICU closures
The cost of complying to the Australian government's proposed new cybersecurity obligations could lead to some hospitals closing their intensive care units, a parliamentary inquiry has heard.
The government is seeking to strengthen the defences of the nation’s critical infrastructure by imposing cyber obligations, but private hospital operators claim they simply can't afford them.
The proposed Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 will require organisations, including hospitals with ICUs, to develop a "risk management programme" to detect and defend against attacks, including threats of foreign interference to supply chains. High-risk employees who could engage in corporate espionage and sabotage will also need to be identified.
WHY IT MATTERS
In evidence to a public hearing into the bill, Toby Hall, Group CEO of Catholic Health Australia, the nation’s largest non-government provider of healthcare services, said robust cybersecurity was already in place and called for the government to pay for costs generated by the legislation.
"Our member hospitals cannot meet the prescriptive requirements of this bill without financial support from the Commonwealth Government," Hall said.
Based on government data, Catholic Health Australia claims the cost to larger hospitals in its 75 strong network would total around $120 million over the next four years.
"Catholic hospitals have played a significant role in the COVID-19 response over the past two years at substantial cost," Hall said.
"Hospitals have also faced increased costs resulting from additional PPE, social distancing in care settings and staff furloughs. All this at a time of significantly curtailed revenue resulting from restrictions on elective surgeries."
Hall said while public hospitals will receive government support to implement the changes, private hospitals will be left to pay $8.5 million in initial costs, then $6 million per annum per hospital.
As a result, St Vincent's private hospital in Toowoomba may be forced to close its ICU, placing more pressure on the public system.
"It's a regional hospital, it actually makes no profit. We operate it from a mission point of view," Hall said.
"[The bill] creates such a cost impost that it would actually take a hospital to a point where it's losing money to operate with an ICU. So you'd take the choice just to take the ICU out."
UnitingCare’s Group Executive Michael Krieg said the organisation was aware of the vital importance of cybersecurity.
"We have been the subject of a cyberattack, which I'm not directly at liberty to talk about, but we've had some secondary incidents as well," he said,
But private hospital operators had been "blindsided" by the bill, according to Krieg, and although the impact on a local community of closing ICU beds can be "significant", some smaller and independent hospitals may have no alternative.
"The decision may be to close the intensive care unit because you can't justify maintaining an intensive care unit if you're going to have an additional level of cost to achieve compliance," Krieg said.
"The majority of private hospitals right now are certainly impacted by COVID in a variety of forms, if not running at a loss. So any cost impost is more than we can afford to bear right now."
ON THE RECORD
Christopher Neal, Group CISO at Ramsay Health Care, said the new measures fail to take into account the existing cybersecurity defences in place and that networks of hospitals contain facilities of varying levels of size and sophistication.
"We invest heavily in cybersecurity and risk management, and we continue to do so," Neal said.
"But in the case of Ramsay Health Care, where we run a large network of hospitals, it would be more costly for us to run differential controls and maintain that effectively across different levels of hospital, rather than run common controls across all hospitals."
Gloss