Tuesday, 30 March 2021

Cyber attacks across the healthcare sector are spiking.

A series of breaches have placed the security of thousands of Australians at risk and wreaked havoc across hospitals, ambulance services and government departments. The goal of hackers is to control the personal data stored within these large facilities, demanding crippling ransoms for its return.

The most recent cyber breach resulted in all non-urgent elective surgeries being postponed at four Melbourne hospitals. Eastern Health was forced to shut down several IT systems when the breach was discovered. While patient safety was not compromised, the attack caused major disruption and delayed long-scheduled procedures.1

Just weeks before the Eastern Health incident, NSW radiology chain PRP Diagnostics publicly revealed that it had detected a breach two months prior. Many of its systems had been hacked, some of which held patient records. SunCrypt ransomware claimed responsibility for the attack and threats were made to release an avalanche of sensitive information.2

In Tasmania, the private details of every person who called an ambulance over a period of several months were accessed and published on a website. The hacker gained the information via outdated, unencrypted communications technology used by paramedics. Fortunately, in this case police contacted the website’s administrator who voluntarily removed the personal data, but the issue raised huge privacy concerns around the service and sparked an internal review.3 Given the sensitive nature of data stored in healthcare environments, it is important that the public have trust in the systems and how personal data is managed; cyber breaches can erode this trust and result in reputational damage.

What these and virtually all other victims of cyber crime eventually realise is that an attack has often occurred well before its discovery, often months and sometimes years prior. Additionally, investigations into these attacks can be laborious. In April 2020, for instance, NSW Health detected a potential cyber attack. The department’s investigation caused major disruption as around 3.8 million documents had to be analysed to assess the severity of possible breaches. In September 2020, after a four-month investigation, the department was then able to report on the incident and notify the 186,000 affected NSW Health customers and staff whose personal data had been leaked.4

Despite the healthcare and aged care sectors being identified by the federal government’s Australian Cyber Security Centre as lucrative targets for cyber criminals,5 it appears nowhere near enough attention is being paid to putting effective defence systems in place. Admittedly, the sector has traditionally struggled to fund updating computer infrastructure. No matter whether a medical facility is public or private, tight budgets are generally par for the course. Medical services understandably take priority over all else - including the IT department - but this has left healthcare virtually the most vulnerable sector of all.

One of the most serious problems we see are organisations running operating systems and applications so outdated they are no longer supported, yet reluctant to risk downtime associated with updating systems due to the critical services they provide and cost involved. They become perfect victims for cyber crime and highly susceptible to ransom demands – when lives are at risk, the organisation’s only conceivable option may be to pay the ransom, which can run into the millions of dollars.

While cybersecurity in healthcare is a growing concern, it must not be perceived as insurmountable - or prohibitively expensive to remedy. Rather than replacing entire computer systems, the answer lies with a ‘defence in depth’ approach, installing layers of defence within existing infrastructure, incident response preparedness and awareness training.

A major focus must be on software architecture: organisations need to be constantly ensuring their software is coded with up-to-date security and contains the latest and greatest technology able to meet the new threats. A single firewall, no matter how modern, cannot be considered adequate protection against cyber crime. This is where engaging the right IT consultant will prove invaluable. An organisation even with the most outdated systems can be helped to navigate the delicate balance between replacing technology or simply installing a new layer of defence.

Security must also be embedded into an organisation’s culture, with ongoing cyber awareness training a requirement to addressing the human threat from both inside and outside the organisation. Contractors should be monitored adequately when given access to systems, and disgruntled employees have been known to wreak havoc on company computer infrastructure. Understanding the security employed by every provider within an organisation’s supply chain is also imperative to identifying and mitigating risks. Even the simple process of making a list of the right names and numbers to contact once a breach is detected is something that is often ignored.

Healthcare administrators must recognise that their industry is a prime target for perpetrators due to the highly sensitive nature of data stored, which can be lucrative on the dark web. Where there are outdated systems and lax IT, entry for hackers is even easier. There is a delicate balance to be found between commercial performance and meeting patient care needs with the security of systems and data. Preparedness and a multi-layered defence are key to achieving that balance.

1 Shannon Deery, ‘Melbourne hospitals still reeling from cyber attack’, Herald Sun (online), 22 March 2021 <https://www.heraldsun.com.au/news/victoria/suspected-cyber-attack-wreaks-havoc-on-melbourne-hospitals/news-story/49aa790de89fe987f7b8498d0c1893ff?btr=e5e7ec55c5e827f9ed3eeb56f0914faa>
2 Ronald Mizen, ‘Law firm, X-ray provider hit by cyber attacks’, Financial Review (online), 18 February 2021 <https://www.afr.com/politics/federal/law-firm-x-ray-provider-hit-by-cyber-attacks-20210217-p573bm>
3 Erin Cooper, ‘Cybersecurity expert calls for replacement technology following Tasmanian ambulance patient data leak’, ABC News (online), 9 January 2021 <https://www.abc.net.au/news/2021-01-09/tasmanian-ambulance-data-breach-technology-overhaul-needed/13044780>
4 Matt Bungard, ‘Data of 186,000 customers leaked in Service NSW cyber attack’, The Sydney Morning Herald (online), 7 September 2020 <https://www.smh.com.au/national/nsw/data-of-186-000-customers-leaked-in-service-nsw-cyber-attack-20200907-p55t7g.html>
5 Australian Cyber Security Centre, Australian Government, 2020-013 Ransomware targeting Australian aged care and healthcare sectors (2 August 2020) <https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-013-ransomware-targeting-australian-aged-care-and-healthcare-sectors>