Primary targets – cyber risk in the health, aged care and community sectors

By Eden Winokur, Alison Baker and Sam Tempone

A successful cyber attack can cause devastating damage to commercial businesses, impacting reputations and striking at a company’s bottom line. But what if the target is a hospital, aged care facility or medical centre? The consequences can be catastrophic.

The health and aged care sectors are arguably the primary target for cyber criminals in Australia.

The health and aged care sectors have reported the most notifiable data breaches in Australia for each reporting period since 1 October 2018. In its most recent half-yearly report, the Office of the Australian Information Commissioner reported that the health and aged care sectors accounted for 18% of all data breaches (followed by finance at 12%).^[1]

Data breaches are no longer the only cyber security concern for health and aged care sector organisations.

The Australian Cyber Security Centre (ACSC) was notified of 166 cyber security incidents (including brute-force attacks, hacking, ransomware and compromised or stolen credentials) relating to the health and aged care sectors between 1 January and 31 December 2020. ^[2] This marks an 84% increase in incidents compared to those recorded in 2019. ^[3] In its 2021 report, the ACSC again reported the health and aged care sectors among the highest targeted by cyber criminals.

With the recent passing of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (Cth) critical health and aged care sector organisations have additional cyber security obligations that may apply in relation to systems of national significance.

Why the health and aged care sectors?

The ACSC identified several key cyber security threats and trends, which are of particular concern for health service organisations. These include:

• malicious criminal and state threat actors exploiting the coronavirus pandemic environment – most likely motivated by access to intellectual property or sensitive information about Australia’s response to COVID-19;
• significant targeting of disrupting essential services; and
• an increase in ransomware attacks by 15% in 2021 – associated with an increasing willingness of cyber criminals to extort money from particularly vulnerable and critical elements of society.^[4]

There appears to be a view among cyber criminals that health and aged care sector organisations are a strong target to obtain ransom payments because they:

• deliver critical services – disruption may not only lead to lost revenue but also potential harm or loss of life;
• often hold highly sensitive personal data that is valuable to cyber criminals;^[5] and
• may be relying on outdated technologies and systems, with a lack of cyber security literacy and hygiene among health care workers who may be working in high pressure situations (it is estimated that 86% of cyber security breaches at hospitals are facilitated through email). ^[6]

Cyber attacks on the health and aged care sectors

There are many examples of cyber attacks on Australian health service organisations. In early 2021 alone, some of these attacks included:

• in January 2021, the publication of personal information of every Tasmanian who called an ambulance from November 2020 to January 2021;
• in March 2021, a ransomware attack on a Victorian health organisation, resulting in a shutdown of its network to retain critical systems. The impact of the attack included significant business interruption, cancelled surgeries across its facilities and lost revenue; and
• in April 2021, a cyber attack against a major private hospital group materially impacted its IT systems after its data was encrypted by ransomware. Various hospitals were affected, and the group paid approximately $300,000 as a ransom payment to retrieve a decryption key.

In addition, throughout 2021, the ACSC received intelligence that cyber criminals had installed malicious software on the networks of various Australian health and aged care sector organisations. Thankfully, due to prompt action, steps were able to be taken before ransomware was deployed.

Cyber attacks against the health and aged care sectors are also prevalent in other jurisdictions, including the US and Europe. One particularly heinous incident in 2020 involved a cyber attack on the German Düsseldorf University Hospital. Hackers disabled computer systems and a patient died while doctors attempted to transfer her to another hospital with functional systems.^[7]

How do I protect my organisation?

There are a number of key strategies that can be implemented by health and aged care sector organisations to improve cyber security and mitigate the chance (and devastation) of an attack. This includes having good security hygiene and employee training, and ensuring cyber risk management is integrated throughout the organisation.

As the most targeted sector in Australia, it is imperative that health and aged care sector organisations have battle-tested incident plans and strategies in place that can be activated in the event of an attack.

If you would like to discuss your organisation’s cyber hygiene and strategies to mitigate risk, please contact our team of cyber experts at Hall & Wilcox

[1] Notifiable Data Breaches Report for the most recent reporting period (1 July to 31 December 2021).
[2] Australian Cyber Security Centre, 2020 Health Sector Snapshot.
[3] PwC, ‘Proven Precautions to Help Protect Health Organisations and Patients from Cyberattacks‘.
[4] ACSC Annual Cyber Threat Report 2020-21.
[5] SecureLink + Imprivata ‘Hackers, Breaches, and the Value of Healthcare Data’.
[6] PwC, ‘Proven Precautions to Help Protect Health Organisations and Patients from Cyberattacks‘.
[7] BBC News, ‘Police Launch Homicide Inquiry after German Hospital Hack‘ (18 September 2020).