Cybersecurity for Hospitals

While news of hacking efforts at major banks, credit card providers, and large multi-national companies grab the public’s attention all over the world, increasing attempts at attacking healthcare providers should raise equal or greater concern.

On 30 September Australians learned a major network of hospitals in Victoria was hacked, causing among other issues delays in surgeries. The Victorian government assured Australians “At this time there is no suggestion that personal patient information has been accessed.”

This is not the first hacking incident in the Australian healthcare system. In February we learned 15,000 medical records at the Melbourne Heart Group were hacked and scrambled around.

In 2018 online appointment booking site for medical practices, HealthEngine, disclosed a data breach in which 59,600 pieces of patient feedback “may” have been improperly accessed.

Some Australians may not be naïve enough to believe customer information is safe from healthcare data breaches. In 2016 Hackers accessed personal details of customers of the CBHS Health Fund used by Commonwealth Bank employees.

In the US the Department of Health and Human Services (HHS) began summarizing health care data breaches on its website in 2009. The HIPAA (Health Insurance Portability and Accountability Act) Journal there analysed healthcare breaches from 2009 to 2018, as seen in the following graph.

Healthcare systems worldwide are increasingly targeted by cyber-attacks, with Australia now seeing healthcare data breaches eclipsing the finance breaches receiving more press coverage. From the website of Australian information technology services and solutions provider Stanfield IT:

It appears hackers may be migrating towards healthcare systems for a reason. When it comes to digital transformation of critical operations, healthcare has lagged their corporate counterparts. In Australia, the fax and phone are still important communication tools in many healthcare operations. Hospitals have engaged in patchwork updates, quickly reaching outdated status.

In 2014 the Australian Cyber Security Centre (ACSC) was established, with the following responsibilities:

• responding to cyber security threats and incidents as Australia’s computer emergency response team (CERT)
• collaborating with the private and public sector to share information on threats and increase resilience
• working with governments, industry and the community to increase awareness of cyber security
• providing information, advice and assistance to all Australians.

During his successful campaign, Prime Minister Scott Morrison pledged an additional $156 million in funding for Australian cyber security.

The ASX now includes about 10 companies engaged in some form or other in cyber security, with a few pure plays. Investors in those companies reacted to the news of additional funding and increasing hacks here in Australia with a resounding yawn.

The ASX stock with the largest market cap — $83 million dollars — amongst a pool of micro-caps is Senetas Limited (SEN).

The stock price did experience a brief bump following the election, but quickly faded and then bounced upward again. However, since the ACSC came into being in 2014 as a response to the rapidly increasing threat, investors appear to see mixed opportunity in Senetas at best. From a high of $0.21 reached in July of 2015 the share price has dropped to $0.08.

The following table includes stock price information of some other ASX cyber security players.

Senetas and Tesserent are the only “pure play” cyber security providers in our table. Senetas is unique in several dimensions beginning with its use of encryption hardware. Although encryption technology is complex, the advantage is relatively simple to explain. Encryption is the process of converting information or data into a code, especially to prevent unauthorized access. Hacked data is rendered useless without the ability to crack the encryption coding. Many other cyber security providers focus on identifying and preventing data breaches. While no organization wants to see its system’s security breached, with encrypted data the harm is negligible.

Senetas makes the hardware that encrypts the data, and the company has the additional advantage of hardware certification from the world’s leading independent testing authorities as suitable for government and defence applications, with NATO being one of their customers. Although the technical details are important, investors should be impressed with the certifications, including the Senetas dual-accredited Layer 2 hardware encryption device for high-speed data security being the only one of its kind on the planet.

As hospital technology improves, it is becoming increasingly complex, Senetas sees its encryption solutions as ideally suited to healthcare organisations. The company serves commercial and government organizations in defence, energy and utilities, finance, and gaming, but it is the only company in our table directly pursuing the healthcare sector.

Senetas has been in business since 1999, with both the Australian and US governments among its first customers. Considering its global reach and stellar recognition of its products, it is somewhat surprising the company has not fared better for its shareholders, but over five years the share price is up more than 50% despite its rocky ride.

While the company maintains its analyst consensus BUY recommendation, investors were cautioned back in 2017 about potential trouble as European defence contractor with a competitive cyber security product, Thales, was looking to acquire Dutch distributor Gemalto, the source of close to 75% of Senetas revenue. However, the deal is done, and Thales has agreed to continue to distribute Senetas products.

Senetas has grown revenues in each of the last three fiscal years, but profit took a bit of a stutter step, falling from $1.9 million in FY 2018 to a loss of $463 thousand in FY 2019.

Prophecy International (PRO) has two core products. eMite is an analytical software platform, combining and correlating information from multiple sources within the business, displayed on user-customizable dashboards to enable better decision making. Snare (System iNtrusion Analysis and Reporting Environment) is comprised of two tools for monitoring, protecting, auditing, and archiving IT events. The Snare Server is a data server at the client site where IT events are gathered, indexed and stored. Snare Agents examine and isolate all user-defined security events.

Prophecy was founded in the 1980’s as an accounting software provide, expanding into other financial areas and utilities before embarking on a product acquisition strategy in 2000. Snare was acquired in 2012 had yet to contribute substantially to the company’s financials. In FY 2018 Snare increased company revenues by 4.7% out of overall revenue growth of 16%. Profits fell 140%. FY 2019 results saw more of the same, with revenues increasing from 10.7 million to $12.1 million while profit saw the FY 2018 loss of $791 thousand ballooning to a loss of $1.4 million.

Investors were heartened by the news that Snare is starting to deliver, with an 8 October announcement from the company that Q1 of FY2020 saw Snare sales rise 67%.

Organisations world-wide need to collaborate with others from time to time, which means information sharing. A newcomer to the ASX listing in September of 2018 exclusively targets secure collaboration. The company is archTIS (AR9), in business since 2006.

The company offers consulting services to help clients identify critical security needs and then builds and implements solutions to meet those needs.

In addition, archTIS offers three secure content and collaboration services.

Kojensi Gov is a cloud-based content and collaboration platform allowing secure intra-agency and inter-agency collaboration. The platform meets both the Protective Security Policy Framework (PSPF) for information management standards, and security (ISM) requirements.

Kojensi Field is a server-based product allowing remote areas or personnel in the field secure access to accurate and up-to-date information needed for off-site decision making.

Kojensi is an on-site platform allowing collaboration and information sharing for multi levels of security, up to TOP SECRET.

On 5 September announced the office of the Attorney General signed on as the first government client for the Kojensi platform, following a successful Beta Test there.

The company came close to doubling revenue in FY 2019, growing from 573 thousand to $1 million 22 thousand. As is often the case in start-ups, sales, marketing, and administrative expenses led to a posted loss of about $4 million.

The company has a reseller agreement with New Zealand based TEAM Asparona, an established provider of Enterprise Content Management software services to the New Zealand Government.

archTIS also extended its consulting contract with the Australian government’s Department of Home Affairs’ Technology and Major Capability Group for an additional 12 months.

PS&C Group (PSZ) is a diversified IT provider, with a range of products focusing on its customers’ people, communications, and security.

The company’s broad-based offerings include strategy consulting, business analytics, cloud managed services, workforce management, and cyber security through its Defend + Secure.

The PS&C Defend + Secure offering was created through the merger of 4 leading Australian security firms — Pure Hacking, HackLabs, Certitude and Securus Global.

The company listed on the ASX in December of 2013, posting revenue and profit growth in its first three years. The bottom fell out in FY 2017, with revenues dropping from $85 million to $73 million, and the FY 2016 profit of $8.3 million dollars slipping to a loss of $5.6 million. The trend continued with the FY 2017 loss close to doubling, posting a loss of $10.1 million, although revenues did increase by 6.2%. The FY 2019 report restated the prior year’s revenue to remove discontinued operations, boosting the year over year increase to 39%, but once again PS&C posted a loss, improving to a loss of $4 million. Share price performance since listing has been less than spectacular, with the bottom falling out as the company began to post losses.

Corporate and government data breaches may grab headlines, but small and medium sized businesses are also at risk, many without the expertise and resources to combat the threat. A new entrant on the ASX WhiteHawk provides and online website and related support services to prepare those smaller organisations.

The company uses machine learning to support its online offerings, which begin with the CyberPath Solution Engine, a free service that assesses the customer’s risk of cyber-attacks and identifies existing issues and vendor supplied solutions. WhiteHawk’s security as a service product, the 360 Cyber Risk Framework, targets security risks from its client’s suppliers and sub-contractors. Operating as an online marketplace, the WhiteHawk site provides a comprehensive listing of available cyber security providers and information on current and growing trends. WhiteHawk also offers online consulting services designed to help clients complete the CyberPath Solution Engine and evaluate alternative solutions.

The company’s origins go back to a cyber security advisory service launched in 2016 in the US. WhiteHawk’s growth plan called for using machine learning algorithms coupled with an artificial intelligence platform to create a marketplace exchange designed to connect companies with appropriate vendors for their needs.

The company has announced an impressive string of contract signings with US government agencies and financial institutions in 2019.

Tesserent Limited (TNT) offers a cloud-based subscription service to the company’s Managed Security Service Provider (MSSP) Platform. The platform covers the primary security functions of an organization’s computer systems. The platform has three parts.

• A security engine, either hardware or software based,
• A management suite that communicates with the security engine, keeping it up to date and applying changes specific to the organization, and
• A monitoring system that analyses status and event information to detect issues and identify new threat intelligence.

Although Tesserent claims an impressive list of customers, the company has yet to report a profit since listing on the ASX in February of 2016 and the share price reflects that.