First, do no harm. Despite being guided by this noble principle, hospitals and healthcare providers consistently find themselves subject to attacks from ransomware gangs and cyber threat groups.
Although there is no industry that deserves to fall victim to a cyber incident, there truly is no honour amongst thieves when considering how often critical healthcare providers come under attack.
The latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches Report lays bare the scale of the challenges hospitals face.
Between January and June 2023, Australian health service providers reported more data breaches than any other industry. Health services reported 63 breaches in the period (15 per cent of the total), followed by financial services, which reported 54 breaches (13 per cent of all notifications).
While some of the breaches were classified as resulting from human error or system faults, the majority of notifiable breaches in the healthcare sector were from malicious or criminal attacks. Unfortunately, the OAIC's report is not an outlier.
The Australian Cyber Security Centre's latest Annual Threat Report outlined how the healthcare sector experienced the highest number of security incidents (excluding government sectors which are subject to additional reporting requirements).
Why are hospitals such an attractive target? There are two main reasons behind this - the value and volume of the data they hold.
It is first important to understand that a large proportion of cyber attacks are financially motivated. In fact, a recent report from Verizon found 86 per cent of breaches were financially motivated.
Following a successful attack, there are two primary ways in which attackers extort their victims - encryption and exfiltration. Encryption ransomware attacks involve the victim's sensitive and business critical data being scrambled before a ransom demand is made in exchange for a decryption key.
These ransoms are typically in cryptocurrency (as it is much harder to track) and in Australia, the average ransom paid is $250,000. Healthcare providers are seen as more willing to pay due to the life-and-death nature of their operations and their commitment to help those who depend on them.
Unfortunately, paying the ransom is no guarantee of recovery. Recent research from Rubrik Zero Labs found only 16 per cent of organisations were able to recover all their encrypted data after paying attackers for the decryption key.
Exfiltration attacks take a different route to monetisation, but healthcare providers are still seen as more likely to pay given the extremely sensitive and critical data they hold.
In this style of attack, data is stolen from the victim then a ransom is demanded on the threat of that data being published online. When the data being ransomed includes sensitive patient medical histories, insurance, and payment information, it's easy to see why attackers believe healthcare providers are more willing to give in to their demands.
Not only is there an incredible value in the data healthcare providers hold, but there is also an immense amount of it.
The vast majority of the data is what's called unstructured data - recent research suggests between 80 per cent and 90 per cent of all data is unstructured. This is essentially any data generated in the day-to-day running of a hospital including scans, clinical trial data, health records, videos, images, emails, etc.
One of the biggest problems with unstructured data is that it has traditionally been difficult to identify exactly what is in it. So, when one of these data sets is compromised, the victim typically has no idea what has been taken.
So, how much unstructured data does a typical hospital hold? St Luke's University Health Network is a non-profit healthcare provider in the US that cares for more than 80,000 patients and handles 340,000 ER visits every year. This equates to more than 2.5 petabytes of data and patient records they need to secure every day - literally billions of files, or the equivalent of around 50 million tall filing cabinets.
After running cyber attack simulations, St Luke's discovered it would take months to recover and cost millions of dollars if they were hit with ransomware - not to mention the severe impact on patient care.
To overcome this risk, they pursued a strategy of cyber resilience. This involved transforming their data backups so they were immutable and rapidly recoverable in the event of an attack, while also gaining the ability to scan their backups to detect any anomalies and hunt for threats.
By doing so, St Luke's can now recover operations within just minutes and hours, as opposed to months.
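The anomaly scanning described above can be illustrated with a small added example (not St Luke's or Rubrik's code, and all file contents are constructed): it compares two backup snapshots and flags the pattern ransomware leaves behind, namely a large share of files deleted and re-created under a new suffix with near-random (high-entropy) content, while a normal day's edits pass unflagged.

```python
import math
from collections import Counter

# Constructed baseline snapshot: file path -> file bytes (stand-in for a backup catalogue).
BASELINE = {
    "records/patient_001.txt": b"name: A; dob: 1970-01-01; notes: stable\n" * 4,
    "records/patient_002.txt": b"name: B; dob: 1982-05-09; notes: follow-up\n" * 4,
    "scans/ct_0001.dcm": bytes(range(64)),
    "mail/inbox.mbox": b"From: ward@example.invalid\nSubject: roster\n" * 3,
}
# Constructed "next day" snapshots: one routine edit, one after a hypothetical encryption run.
BENIGN = {**BASELINE,
          "records/patient_002.txt": BASELINE["records/patient_002.txt"] + b"notes: discharged\n"}
CIPHERTEXT = bytes(range(256)) * 16  # deterministic stand-in for encrypted output (entropy 8.0)
ENCRYPTED = {
    "records/patient_001.txt.locked": CIPHERTEXT,
    "records/patient_002.txt.locked": CIPHERTEXT,
    "scans/ct_0001.dcm.locked": CIPHERTEXT,
    "mail/inbox.mbox": BASELINE["mail/inbox.mbox"],
    "README_RESTORE.txt": b"your files are encrypted",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0, text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def diff_snapshots(prev: dict, curr: dict) -> dict:
    """Return ratios (relative to the previous snapshot's file count) of suspicious changes."""
    changed = [p for p in curr if p in prev and curr[p] != prev[p]]
    missing = [p for p in prev if p not in curr]            # originals gone after encryption
    added = [p for p in curr if p not in prev]
    # A missing file reappearing with an extra suffix (file.txt -> file.txt.locked) is a rename
    renamed = [a for a in added if any(a.startswith(m + ".") for m in missing)]
    high_entropy = [p for p in changed + added if shannon_entropy(curr[p]) > 7.5]
    total = max(len(prev), 1)
    return {"changed_ratio": len(changed) / total,
            "renamed_ratio": len(renamed) / total,
            "high_entropy_ratio": len(high_entropy) / total}

def is_anomalous(ind: dict, change_threshold=0.5, entropy_threshold=0.3) -> bool:
    """Flag a snapshot where most files were rewritten/renamed or many became high-entropy."""
    return (ind["changed_ratio"] + ind["renamed_ratio"] >= change_threshold
            or ind["high_entropy_ratio"] >= entropy_threshold)
```

The thresholds are assumptions for the example; in practice they would be tuned against the change rate a real backup history shows on a normal day.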
In a perfect world, healthcare providers wouldn't ever need to consider the consequences of a cyber attack. Unfortunately, although "first do no harm" is not an official line in the Hippocratic oath, it appears cyber attackers follow an inverse of the oath to do as much harm as possible.