The Australian Health Service Alliance (AHSA) is a service company that represents more than 75% of the nation’s private health insurance funds. Established in 1994, the AHSA enables funds to pool resources and respond more effectively to the changes occurring in the private health industry.
AHSA provides a portfolio of services for its members including management of healthcare provider relationships, negotiation of contracts, data analysis and provision of educational services and training. The Alliance operates from a headquarters in Melbourne and has 40 staff.
The importance of security
In the course of providing services to health insurance funds, AHSA handles considerable volumes of sensitive data. This includes records of patient visits to hospitals together with details of the treatments provided.
As a result, there is a heightened need to ensure this data is stored securely and is not prone to misuse or theft. According to AHSA Chief Information Officer Glen Mclean, this task was becoming more complex as the nature and volume of cyber threats increased.
“In early 2017, our existing IT security partner unexpectedly closed its doors, leaving us without access to expert support or advice,” he says. “This forced us to go to the market in search of a new provider.”
Finding a new partner
After carefully reviewing a range of alternatives, a decision was made to establish a relationship with CQR. Mclean says the firm’s CREST accreditation, together with its considerable experience and deep technical knowledge, made it stand out in the marketplace.
“As a first step, CQR undertook a familiarisation review of our operations to fully understand the security tools and processes we had in place and identify any risks that needed to be addressed,” he says. “They then conducted penetration testing of our website and underlying IT systems to ensure our protective measures were sufficiently robust.”
The next step was to review AHSA’s business continuity and disaster recovery plans. Senior management wanted to be confident that, should a cyber attack occur, any impact to operations could be avoided or minimised.
“We hadn’t previously had a comprehensive plan in place and so CQR worked to create a detailed checklist of the steps we would need to follow in the event of an incident,” says Mclean. “Potential scenarios covered include a denial of service attack, loss of data through hacking and an incident of ransomware.”
Undertaking staff education
Another element of the security evaluation process was the staging of an educational seminar for all AHSA staff. CQR created a presentation that highlighted the potential security risks faced by the organisation and the role each staff member could play to avoid incidents occurring.
“The seminar was very comprehensive and we received positive feedback from all participants,” says Mclean. “It covered a wide range of topics including everything from dealing with suspicious email attachments to the risks associated with using unfamiliar USB keys.”
An ongoing relationship
With the initial review completed, a business continuity plan in place and staff educated about cyber security risks, Mclean says AHSA is better placed to withstand any problems that might arise in the future.
“We are now much more prepared to respond to any problems, whereas in the past we might have found ourselves floundering just a bit,” he says. “We have also put in place an incident response agreement with CQR so we know they will be available to assist us should an incident occur.”
Mclean says CQR remains a valuable partner who can provide ongoing guidance and support to the organisation on every aspect of IT security.
“We are in the business of providing support to insurance companies, and our relationship with CQR is like an insurance policy for our cyber security – it gives us a great sense of confidence.”