Protecting personal devices used in healthcare from cyber attacks


Photography: ibrester/123RF

With more personal devices being used at work, cyber experts are urging safeguards be put in place to prevent the unlawful access of sensitive patient information.

By Amber Daines

The digitisation of the healthcare sector and its wide range of records has been, in many ways, a revolution. In 2025, most dentists would have among their tools of the trade such tech items as a mobile phone, a laptop and maybe a tablet.

However, along with the greater accessibility and workplace flexibility of such cloud-based patient databases across multiple devices comes a rise in cyber risks.

Recent research led by Dr Tafheem Wani at La Trobe University showed that clinicians’ phones, among other digital devices like laptops or smartwatches, contain highly sensitive patient information that is often not protected by antivirus or anti-malware software and passcodes.

The study reveals numerous vulnerabilities associated with the use of personal devices (BYOD) in healthcare, particularly in safeguarding sensitive patient data. 

For example, in a much publicised case in 2022, the personal laptop of a doctor was stolen and the incident resulted in the breach of thousands of electronic health records. This occurred because, without adequate protections in place, the device could be used to access sensitive healthcare systems.

Likewise, Dr Wani says similar stories across Australia’s healthcare sector suggest it is a ripe target for cybercriminals looking for ways to access sensitive patient information they can then use for ransom demands or other nefarious activities like identity theft.

Dr Wani explains, “There are various ways patient data can become unsecured, especially when shared through platforms such as SMS or WhatsApp. Unfortunately, such practices remain prevalent in some healthcare settings.

“It’s common to see patient information being forwarded between clinicians, whether to a senior doctor or within a clinical team. This process inherently carries risks because patient data, including personally identifiable information, may be transmitted using unsecured methods. Moreover, personal devices used in such exchanges may be lost or stolen, further exposing this data.”

The challenges of enforcing BYOD (bring your own device) policies come down to individual user behaviour. Unlike hospital-provided devices, which are often equipped with robust security controls, personal devices depend on the actions of their users. The use of personal cloud storage services such as Google Drive or Dropbox for storing patient data does pose significant everyday risks.

“When clinicians use their cloud accounts for work, it creates an additional layer of risk. These platforms are often vulnerable to cyber attacks, especially if they are not properly secured,” he explains.

Dr Wani stresses the importance of proactive cybersecurity measures. “Key strategies include implementing two-factor authentication, role-based access control, and educating all stakeholders—clinicians, private practices, and patients—about cybersecurity risks.”

Private practices may have limited awareness of cyber risks, partly because of their smaller scale and fewer patients. Yet they still need to stay on top of them.

While hiring a cybersecurity consultant can be expensive, it can be a worthwhile investment.

Dr Matthew Vaughan, owner of Newcastle’s Live Life Smiling, recently returned from specialist orthodontic training in the UK. While there he became familiar with the NHS, where the scale and impact of cyber hacks and data security breaches related to patient data have been frequent and widely publicised. This knowledge has heightened cyber awareness for his business back in Australia.

There are three main areas Dr Vaughan identifies as his cybersecurity focus—cybersecurity policies, engaging the right tech expertise and BYOD management of all team members.

Dr Vaughan explains the policy his practice has implemented prevents staff from logging into social media or personal emails on work computers to mitigate risks such as phishing or being infected with malware. “We have a strict rule that work computers can’t be used for any social media or web-based mail,” he says. 

“If a team member must use their personal device for work-related tasks, access to surgery files or webmail requires multifactor authentication on their device. This just helps us ensure that if a team member’s personal device is lost or stolen, the public cannot access work-related data.”

When considering where to even start with the process, Dr Vaughan recommends addressing the “weakest link in your cybersecurity” as part of overall business efficiency, such as enforcing BYOD use policies.

Dr Wani says dentists can adopt cost-effective measures without requiring a multimillion-dollar infrastructure. 

A few daily habits can make a significant difference, such as implementing two-factor authentication, using authorised and updated operating systems such as iOS or Android, and ensuring devices are regularly updated. Additionally, using screen locks, limiting the storage of patient data on personal devices, and securely separating or password-protecting sensitive data folders can significantly reduce the risk of breaches.

Dr Vaughan believes in striking a balance between being cautious and avoiding unnecessary expenses in cybersecurity. In his newly acquired private practice, Dr Vaughan estimates he will spend around $8000 this year on the implementation of updated cybersecurity measures and IT support, claiming this is a “necessary and manageable” investment.

An IT consultant can be engaged for cloud-based patient data management and can help manage cyber risk basics, such as ensuring access requires multi-factor authentication and that firewalls are in place.

“It was about limiting our liability to exposure or hacking or litigation in future years,” he explains.

Prevention is, of course, always better than cure. Dr Vaughan says his practice manager, in collaboration with an external IT consultant, is tasked with identifying and addressing weak points in cybersecurity.

Dr Wani advocates for stronger government policies and the use of AI-driven solutions to enhance cybersecurity protection, particularly in private and public dental facilities. He believes it all starts by raising awareness of the risks among healthcare providers. 

“At the end of the day, a well-informed workforce is the first line of defence against cyberthreats. By combining basic security practices with ongoing education, healthcare providers can significantly reduce risks and protect their patients’ sensitive information.”  
