
A worrying pattern is emerging in the world of cyber crime: attacks launched against Australia's healthcare organisations.
Just as we were scrambling to make sense of the breach against private health insurer Medibank, in which the personal data of at least 4 million Australians was exposed, news hit that ACL-owned Medlab, a local pathology laboratory, had experienced its own attack. In this case, the personal information of at least 223,000 people was accessed.
The origins of both attacks are still somewhat hazy, but it appears the Medibank breach is the result of compromised staff credentials. Around 200 gigabytes of diagnoses, health claims and personally identifiable information (PII) was accessed and sold on a Russian-language cyber crime forum.
Medlab investigated suspicious activity in February and at the time found no evidence that data had been taken; in June it was informed that its information had been leaked on the dark web. This included medical and health records linked to pathology tests, credit card numbers (including the associated CVV codes) and Medicare numbers.
The theft of financial information presents clear and often devastating challenges to those affected. But the information stolen in the healthcare attacks could potentially jeopardise Australians in different ways.
Healthcare organisations are trusted by millions of people, including society's most vulnerable, to collect and store incredibly sensitive information. In the fallout from the Medibank hack, 1000 people, including politicians and celebrities, have had information leaked, including about drug and other addiction treatments.
In 2016, when the Australian Red Cross had its blood donor data hacked, confidential information about patients' sexual habits and orientation fell into the hands of criminals.
It's clear how this could be used in a cold-hearted extortion attempt.
The rapid escalation of attacks on Australian organisations has many people searching for a cause. While it largely remains conjecture, it's possible cyber criminals have identified and pressed upon a weakness in Australia's defences.
The fact healthcare organisations are being targeted, on the other hand, is unfortunately easy to understand.
Valuable data now close to fingertips of criminals
Over the past few years, fuelled largely by the pandemic, Australia's healthcare sector has undergone a digital revolution.
People now make bookings through their smartphones, exchange electronic prescriptions and use wearables to track their health and wellbeing. This has generated a lot of data, expanding the hackable footprint, and created endless entry points for criminals.
My Health Record, Australia's digital repository of health information, stores more than 680 million patient and staff records. Once criminals gain entry, that's a lot of valuable information they can exploit for financial gain.
Ransomware operators also hold considerable leverage when people's lives are at stake. We've already seen attackers sink to this unfathomable level.
In 2021, Uniting Care in Queensland had its digital systems taken offline when it experienced a ransomware attack. This took more than six weeks to restore, and staff were forced to revert to paper-based methods in the interim.
In Germany, a 2020 ransomware attack caused a hospital to close its doors and turn away a patient experiencing an aneurysm. The patient was directed to a hospital 23km away, which delayed her surgery by an hour. She died shortly afterwards.
In a sad demonstration of how easily this information can be accessed, in July 2018, Singapore's largest group of healthcare organisations experienced a breach involving the personal information of 1.5 million patients - including the prime minister. Poor employee training was pinpointed as the reason.
Getting on top of the problem
The recent spate of attacks has already prompted the federal government to tighten data privacy laws in line with the stricter General Data Protection Regulation (GDPR) in Europe.
This week federal Attorney-General Mark Dreyfus tabled legislation that will force organisations under the Privacy Act to limit the amount of customer data stored on their databases. It will also increase the financial penalties for those repeatedly experiencing breaches.
Currently the maximum penalty organisations face for repeated privacy breaches is $2.2 million. Under the proposed legislation this would rise to $50 million, or three times the benefit gained through the misuse of the information.
These measures are both logical and overdue. There's no reason for companies to retain personal data for years, particularly that of former customers, when this information can always be requested again for verification purposes.
But business heads shouldn't wait for the law to change, and should start protecting customer, employee and business data now from the impacts of cyber crime. The first step is to educate staff on how to avoid falling victim to phishing or smishing (text messages aimed at stealing login credentials) campaigns.
Red flags include authentication text messages that were not requested (a sign that someone else is trying to log in with the recipient's credentials), messages that use pressure tactics to push the recipient into immediate action, and misspelled words or suspicious URLs. Such messages should be reported to IT teams immediately.
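As an added illustration, not part of the original article and not code from Lookout or any organisation named above, the following Python sketch turns those red flags into checks run over a few constructed sample messages. The allowlisted domain example-health.com.au and the brand label it contains are assumed placeholders, and the caller is assumed to know whether the recipient had just requested a login code.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the organisation really sends SMS from.
# "example-health" is a placeholder brand, not a real organisation.
TRUSTED_DOMAINS = {"example-health.com.au"}

# Pressure language typical of smishing ("verify now or lose access")
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "within 24 hours",
                   "act now", "verify now", "final notice")
# Matches explicit URLs and bare hosts such as brand-verify.com/login
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org|info|xyz|top|au|co)(?:\.au)?(?:/\S*)?",
    re.I)
OTP_RE = re.compile(r"\b\d{6}\b")
# Digit-for-letter swaps commonly used to build lookalike domains (examp1e -> example)
HOMOGLYPHS = str.maketrans("0135", "olse")


def registrable_domain(host: str) -> str:
    """Registrable part of a host, treating com.au/net.au/... as second-level
    TLDs. A simplification of the public suffix list, enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-1] == "au"
            and labels[-2] in {"com", "net", "org", "gov", "edu"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text: str) -> list:
    """Pull every hostname out of the URLs (explicit or bare) in a message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        host = urlparse(raw).hostname
        if host:
            hosts.append(host)
    return hosts


def is_lookalike(domain: str) -> bool:
    """True when an untrusted domain, after undoing digit/letter swaps,
    still carries a trusted brand label (examp1e-health.com, brand-verify.net)."""
    brand_labels = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    first_label = domain.split(".")[0].translate(HOMOGLYPHS)
    return any(brand in first_label for brand in brand_labels)


def smishing_flags(text: str, code_was_requested: bool = False) -> list:
    """Return the red flags found in one SMS. code_was_requested is supplied
    by the caller: an unrequested one-time code means someone else is
    already using the recipient's password."""
    flags = []
    for host in extract_hosts(text):
        domain = registrable_domain(host)
        if domain in TRUSTED_DOMAINS:
            continue
        kind = "lookalike-domain" if is_lookalike(domain) else "untrusted-domain"
        flags.append(f"{kind}:{host}")
    lowered = text.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        flags.append("urgency-language")
    if OTP_RE.search(text) and not code_was_requested:
        flags.append("unsolicited-one-time-code")
    return flags


# Constructed sample messages, not captured SMS traffic.
SAMPLES = [
    ("Your Example-Health login code is 482913.", False),
    ("Example-Health: claim on hold. Verify now at examp1e-health.com/verify "
     "or access is suspended.", False),
    ("Your appointment is confirmed. Details: "
     "https://example-health.com.au/appointments", False),
]

if __name__ == "__main__":
    for message, requested in SAMPLES:
        print(smishing_flags(message, requested), "<-", message)
```

The lookalike check deliberately normalises digit substitutions before comparing against the brand label, because the domain in a smishing text usually differs from the real one by exactly that kind of swap; an exact-match allowlist alone would only tell you the domain is unknown, not that it is impersonating yours.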
Given how interconnected healthcare systems are, leaders should also adopt comprehensive data protection that covers the full range of patient and staff behaviour, devices and applications. Visibility and control over the whole environment reduces the risk and impact of ransomware and other cyber threats, and better protects personal information.
The raft of cyber-attacks against healthcare organisations is risking the livelihoods and lives of millions of Australians. Complacency is no longer an option, and the sector needs to take drastic and comprehensive steps to reverse the tide.
- Don Tan is a senior director at Lookout, an endpoint security company that analyses 100,000 apps per day to identify risks for mobile users.