Ransomware has put Australia’s hospital cybersecurity on life support

Just as one Australian hospital recovers, another is breached—an all too common story lately.


Another month, another Australian hospital breached by malware—and as UnitingCare Queensland fights to restore normal operations after a crippling ransomware attack, local security experts anticipate the string of high-profile hits on healthcare organisations is far from over.

The latest ransomware incidents

The expansive healthcare service—whose more than 26,000 employees and volunteers staff over 460 locations across Queensland and the Northern Territory—saw a range of key systems taken offline, and manual backup processes initiated, after a suspected ransomware strike affected sites including Brisbane’s Wesley and St Andrews War Memorial Hospitals.

Recovery from the incident is still underway, and a timeline for full operation is not yet available, according to the latest media statement on the incident, but investigative support from external technical and forensic advisors—as well as the Australian Cyber Security Centre (ACSC)—was in place as staff fought to access key systems.

The 25 April attack came on ANZAC Day, the annual public holiday when Australia acknowledges the services of its war veterans; whether this was related to the St Andrews War Memorial’s founding “as a memorial to the service of war veterans” or whether ANZAC-themed malware might have been used to trick staff into loading the ransomware has not yet been determined.

Yet with doctors reportedly told to not expect to be able to access X-rays and other digital patient data, and IT and security experts fighting to bring the hospitals’ systems back online, the attack has proved to be the latest devastating blow after a series of successful ransomware hits on Australian hospitals.

Just two days after the UnitingCare breach, Victoria’s Eastern Health—which runs major regional facilities including Box Hill Hospital and Maroondah Hospital—reported that it was finally back online more than a month after its systems were hit by ransomware that caused “significant disruption” to its services.

All but the most urgent elective surgeries were postponed for several weeks as a result of the “criminal attack”, the hospital said, with a third of outpatient clinics cancelled and staff reverting to manual processes.

Weeks of recovery work gradually brought systems back online and restored service delivery, thanks to extensive business continuity procedures.

The healthcare network “has learned a lot during this process,” CIO Lachland Blakewell said in a statement two weeks after the incident, noting that there has “been no sign of any exfiltration of data … and we can see that our file system and things are also untouched because we turn[ed] things off quickly. … We’ve positioned ourselves really well to strengthen and harden our network against any further attempts.”

Healthcare hygiene rigor often not applied to cybersecurity

The attacks continue a string of compromises that have disrupted services at private consulting groups, social-services organisations, aged-care groups, and regional public hospitals, leading to official ACSC warnings that a lack of cybersecurity hygiene was leaving them easy targets for ransomware perpetrators.

Some 56 breaches of healthcare organisations were reported in the first two months of 2021 alone. And cyberexposure provider Tenable noted in a recent analysis of healthcare breaches that some 106 million healthcare records were compromised last year.

For example, Regis Aged Care advised that after a July 2020 compromise by “an international criminal organisation”, its refusal to pay a ransom led to some patients’ personal information being published online “for several weeks”.

Even the government’s recent extensive Aged Care Royal Commission was targeted, with an attack on document management service provider Law in Order leading to the compromise of dozens of Royal Commission documents.

The healthcare sector’s ongoing exposure has been the subject of numerous investigations, with data security firm Varonis recently noting in its 2021 Healthcare Data Risk Report that a “woefully underprepared” sector was currently struggling to improve an average breach life cycle of 329 days—nearly 11 months—with average breach costs increasing to $9.2 million.

Healthcare employees have access to more than 11 million files each, the report found, warning that “all it takes is one account to be compromised to let a hacker in.”

Given the potential for compromise of patient data as well as the risks of weeks of service interruption, healthcare organisations should be working hard to head off such attacks before they happen, said James Bergl, APAC vice president at managed service provider Datto, noting that “the consequences are higher for healthcare organisations that can’t risk downtime. … What’s worrying is that most attacks on the industry are caused by basic cyber hygiene issues such as a lack of patching. Healthcare institutions maintain strict hygiene standards in their operations, but this is not extending into their IT infrastructure.”

With Australia’s coronavirus vaccine rollout entering a new stage this month, increasing government messaging is likely to be peppered by cybercriminals who have already shown a penchant for never missing an opportunity. “Organisations involved in the registration and tracking of distribution should expect to be a prime target for cybercriminals,” noted Tom Kellermann, head of cybersecurity strategy at security firm VMware Carbon Black. “Hackers will direct intrusion efforts towards these institutions in attempts to access the valuable personal data they will need to collect from customers and constituents.”

Copyright © 2021 IDG Communications, Inc.
