Pentagram Advisory: partnering with the Australian Health Cyber Sharing Network to deliver insider threat advice and education to strengthen cyber security


Pentagram Advisory Pty Ltd (Pentagram) is proud to be a foundation partner supporting CI-ISAC Australia (CI-ISAC) in its delivery of cyber security services for Australia’s health sector under a Commonwealth Government grant announced on 29 January 2025.  The $6.4 million grant funds the creation and initial operations of the CI-ISAC-led Health Cyber Sharing Network (HCSN).

The HCSN aims to better equip health sector organisations to manage and mitigate current and emerging cyber security threats.  CI-ISAC will receive and collate cyber threat information from participating health entities, analyse that information and create timely cyber threat intelligence (CTI) advice that it will disseminate to HCSN members to enable them to protect themselves from known cyber threats.

In addition to enabling CTI services for health sector entities, the grant includes funding for cyber incident response plans (CIRPs), attack surface monitoring, education on mitigating cyber threats, and insider threat advice and training.  It is this last feature – insider threat advice and training – that will be the focus of Pentagram’s contribution to HCSN members.

CI-ISAC and Pentagram collaboration

CI-ISAC and Pentagram have worked both independently and in collaboration over the last two years to provide protective security advice to Australian critical infrastructure entities across the 11 sectors, as identified in the Security of Critical Infrastructure Act 2018 (SOCI Act).  SOCI Act entities have legal obligations to protect the operations of the critical infrastructure assets they own or operate. 

The SOCI Act sets out four hazard types that critical infrastructure owners and operators must protect their assets from: 

  • cyber and information technology, 
  • physical and natural, 
  • supply chain, and 
  • personnel security. 

Further, enterprise risk management and governance overlay these four hazard types. 

CI-ISAC’s CTI service aligns with the cyber and information technology hazard. Pentagram’s offerings encompass the four hazard types to varying degrees, with our primary focus being the human factors element integral to all the hazard types, but especially the human factor of ‘insider threat’.  

What is an insider threat? 

Insider threat is about people.  Those people include candidate employees, current employees, former employees, contractors, consultants, short-term hires and supply chain (third-party) partners.  An insider is a person who has, or had, legitimate access to an entity’s assets (information, ICT systems, operational technology, funds, people, data, physical items, etc.) and who uses that access, or allows it to be used, to cause harm to the entity.

There are numerous types of insider threat, but they all fall under two headline classifications: unintentional insider threat and intentional insider threat.  Unintentional insiders do not mean to cause harm but do; intentional insiders set out to cause harm, driven by any of a wide range of motivations.

How does insider threat relate to cyber security?

Whilst insider threat has long been a feature of human history, it has become most pronounced and potent in the 20th and 21st centuries.  Nation states have clashed, industrialisation has bred capability and competition, technology (especially information technology) has proliferated and transformed daily life, and national security (with its aligned economic concerns) has become the predominant issue for most states.

Information technology is a fundamental enabler of society, the economy and national security.  Accordingly, the insider is immensely enabled and empowered by contemporary technology: an insider can cause harm in many ways, but will often use information technology to enable or carry out that harm.

Most insider threat education is delivered by government or, for most people, by the cyber faculties of universities, so the term ‘insider threat’ has become synonymous with the discipline of cyber security.

It is noteworthy that cyber industry bodies routinely report that 70% to 80% of cyber incidents are caused by unintentional insiders – people who caused harm but did not intend to.  Accordingly, the majority of insider-caused cyber security events (or harms) can be mitigated through refocused workforce security education, a workplace security culture, and an insider threat program.  To be clear, most of the tools needed to mitigate the insider threat (HR records, access control, logging, awareness training) already exist in an enterprise; what is usually missing is the connection between those tools that would allow them to surface an insider risk before it becomes an incident.

Is insider threat relevant to Australia’s health sector?

Yes, it is.

The health sector is vulnerable to cyber-attack and also to numerous types of insider threat (not just cyber related).

Here are examples to showcase types, breadth, and consequence of insider threat within the health sector.

In 2013, an employee was sentenced to 14 years’ imprisonment for defrauding Queensland Health of more than $16.6 million between 2007 and 2011.  The employee was an intentional insider who was found, in retrospect, to have been a high-risk hire: he was employed despite having a criminal record and being wanted by New Zealand police for fraud.  An effective insider threat program would have identified these risk indicators and informed the decision whether to employ him.

In 2022, a Medibank employee enabled access by an alleged Russian cybercriminal, facilitating one of the worst reported privacy breaches in Australian history.  The employee saved his Medibank username and password in his personal internet browser.  Those credentials then “synced” across to his personal computer, allowing the hacker to use them to log in to Medibank’s ICT domain.  The consequences included exposing more than nine million people to, as the Australian Information Commissioner said, “harm including potential emotional distress and the material risk of identity theft, extortion and financial crime”.  This event was caused by an unintentional insider: the control that failed was not a firewall or a patch, but a work credential leaving the managed environment through an ordinary browser feature.
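The Medibank example turns on one gap: a work password stored in a browser that syncs to a personal profile.  A practical check for that gap, added here as an illustration and not Pentagram or CI-ISAC material, is to audit the managed-browser policy pushed to endpoints.  The Python below does that for a Chromium or Edge policy export.  The policy keys it checks (PasswordManagerEnabled, SyncDisabled, BrowserSignin, SyncTypesListDisabled) are the real enterprise policy names; the two sample policy documents and the intranet hostname are constructed for the example.

```python
"""Audit a managed-browser policy export for the credential-sync gap in the
Medibank example: work passwords saved in the browser and synced to a
personal profile.

Added example, not Pentagram or CI-ISAC material. The keys below are the
real Chromium/Edge enterprise policy names; both sample policy documents
are constructed for this illustration.
"""
import json

# Settings a managed health-sector endpoint should enforce.
# Windows deploys these as registry values under
# HKLM\Software\Policies\Google\Chrome (or ...\Microsoft\Edge);
# Linux reads JSON files from /etc/opt/chrome/policies/managed/.
REQUIRED = {
    "PasswordManagerEnabled": False,  # browser must not store work credentials
    "SyncDisabled": True,             # no sync of browser data to a consumer account
    "BrowserSignin": 0,               # 0 = browser sign-in disabled
}


def audit_browser_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy is hardened."""
    findings = []
    for key, wanted in REQUIRED.items():
        actual = policy.get(key)
        if actual is None:
            findings.append(f"{key} is not set; the default permits credential sync")
        elif actual != wanted:
            findings.append(f"{key}={actual!r}, expected {wanted!r}")
    # Fallback check: if sync is not fully disabled, passwords at least must be excluded.
    if policy.get("SyncDisabled") is not True:
        if "passwords" not in policy.get("SyncTypesListDisabled", []):
            findings.append("passwords are not listed in SyncTypesListDisabled")
    return findings


def audit_policy_json(text: str) -> list:
    """Parse a JSON policy export (e.g. a file from the Linux managed-policy directory)."""
    return audit_browser_policy(json.loads(text))


# Constructed sample: a policy that only sets a homepage and leaves password
# storage on, which is what the Medibank scenario requires.
WEAK_POLICY_JSON = """{
  "HomepageLocation": "https://intranet.example.health",
  "PasswordManagerEnabled": true
}"""

# Constructed sample: the hardened equivalent.
HARDENED_POLICY_JSON = """{
  "HomepageLocation": "https://intranet.example.health",
  "PasswordManagerEnabled": false,
  "SyncDisabled": true,
  "BrowserSignin": 0
}"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY_JSON), ("hardened", HARDENED_POLICY_JSON)):
        findings = audit_policy_json(doc)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The weak sample produces four findings (password storage on, sync not disabled, browser sign-in not disabled, passwords not excluded from sync); the hardened sample produces none.  Two caveats apply.  The policy only binds managed devices, so it does nothing for a personal computer that already holds the credential; and a leaked credential is only as dangerous as what it can reach without a second factor, so the policy belongs alongside multi-factor authentication on remote access, not in place of it.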

In 2023, Australia’s MediSecure, a company whose software facilitates electronic prescriptions and dispensing, suffered a cyber-attack in which personal and health data for 12.9 million Australians was stolen.  The ransomware attack was reportedly enabled by a third-party supplier’s access to MediSecure.  Though the exact method of exploitation has not been made public, it could have been an insider threat, whether intentional or unintentional: for example, routine ICT patching or maintenance not carried out by an employee or contractor could have opened the way for the attack.  This case shows the security risk posed by third parties (suppliers) with access to your ICT domain.

In 2024, a British nurse working in a hospital was convicted of murdering seven babies and harming seven more.  The nurse was an intentional insider.

In 2024, a hospital nightshift security guard in the United States built a botnet on the hospital network to attack rival hacking groups.  Investigation showed the guard had downloaded malware onto dozens of hospital terminals, including nursing stations holding patient records.  The guard also installed a backdoor in the HVAC unit which, had the unit failed, would have damaged drugs and medicines and affected hospital patients during the hot Texas summer.  The guard was an intentional insider.

These examples demonstrate that insider threat is relevant to the health sector’s cyber security and, further, is a security risk that spans operations and roles across the entire health sector, not just the cyber domain.  

What will Pentagram do?

Pentagram’s objective as a HCSN partner is to: 

  • deliver insider threat workshops for HCSN members to create awareness of the risk posed by insider threat and help entities prevent, detect, deter, and manage risk from employees and contractors, and
  • offer relevant and practical advice and education on the mitigation of insider threat by establishing and operating an insider threat program, along with practical tools to help entities prevent, manage, and recover from insider events.

Not all health sector entities that participate in the HCSN will be SOCI entities because the SOCI obligations currently (January 2025) rest with 89 hospitals (named in the SOCI legislation) and select data service providers related to them.  However, all health sector entities can leverage the benefits from CI-ISAC’s HCSN services and also from Pentagram’s SOCI-aligned advice and education to protect their critical assets and operations while strengthening overall resilience.

SOCI-aligned and general security education is currently available on Pentagram’s eLearning Hub, including courses on insider threat, insider threat programs and how to maximise cyber resilience with CI-ISAC Australia membership.

Pentagram also delivers no-cost educational workshops – you can register here.

In closing, please note Pentagram has extensive experience of advising SOCI entities, including critical hospitals in the health sector.  We look forward to meeting, collaborating with and advising new people and entities in the health sector to enhance the security of Australia’s critical infrastructure which underpins Australia’s national security.
