sb-au logo
Story image

In the shadow of COVID-19, a cyber health crisis looms

01 Sep 2020

Article by Wontok chief operating officer Bruce Perry.

On Sunday, August 2, four days before the Australian federal government released its long-awaited 2020 Cyber Security strategy, an alert to warn of rising ransomware cases in the healthcare sector was issued.

Canberra’s Australian Cyber Security Centre (ACSC) raised concerns about the increasing number of ransomware cases targeting healthcare, including hospitals and aged care homes amid the pandemic.

Specifically, cyber-criminals were using the ‘Maze’ ransomware to encrypt or lock an organisation’s valuable information, then threaten to go public unless a ransom is paid.

“Recently there has been a significant increase in healthcare or COVID-19 themed malicious cyber-activity, including targeting of the aged care and healthcare sectors by financially motivated cyber-criminals using the ‘Maze’ ransomware,” the ACSC said in the statement.

“Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks. 

“This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. 

“A significant ransomware attack against a hospital or aged care facility would have a major impact.” 

Such an attack could have devastating consequences, especially in aged care settings already reeling from the deadly effects of the pandemic.

The warning signs have been there for a while.

The national cybersecurity strategy flagged the health sector as having the most cybersecurity incidents from July 2019 to June 2020.

Specifically, in the six months to December 2019, Australia’s Notifiable Data Breaches scheme recorded 537 breaches, including malicious or criminal attacks, and cyber-incidents. The health sector was the highest, with 22% of all breaches. 

Human error caused 43% of data breaches in the health sector, compared to an average of 32% across all notifications, according to the Office of the Australian Information Commissioner’s Notifiable Data Breaches Report.

And the day after the ACSC’s ransomware warning came news that South Australian aged care provider Regis, which cares for more than 6700 residents across 63 facilities, was the target of a ransomware attack.

According to the Australian Financial Review, documents with details of individual residents’ care and accommodation agreements, employee appraisals and passwords relating to one residential aged care home in Adelaide were posted to a public website.

While Regis told the Australian stock exchange that the attack had not affected service delivery or day-to-day operations, the organisation would have had to spend significant time and resources trying to ‘deep clean’ its IT systems and protect from any future cyber-incidents.

One can never tell what else cyber-criminals have planted or left behind in already compromised systems.

When Home Affairs minister Peter Dutton presented the refreshed Cyber Security strategy earlier this month, it was largely criticised for containing metrics not directly connected to realistic outcomes. 

Many levels of government have identified healthcare, especially hospitals and aged centre centres, as a prime target for cyber-attacks.

The strategy states that the minister will periodically update the action plan and “report to the Australian Government and the community on measures to continually enhance Australia’s cybersecurity”.

There is a clear and urgent need to address shortcomings in the healthcare sector’s cyber-safety preparedness or risk paying a high price for lack of action.