Fig 1: Why it makes sense for cyber threat actors to attack Healthcare
Fragile Cyber Security In Healthcare In Australia:
Last year was a highly active year for cyber threat actors who operate within the health sector. In the US, healthcare breaches increased 55.1% in 2020 with hacking and IT incidents representing 67.3% of compromises [2].
The Office of the Australian Information Commissioner (OAIC) noted that health was the highest reporting sector (22%) with 518 notified breaches [3]. During the 2020 reporting period, the Australian Cyber Security Centre (ACSC) experienced an 84.4% increase in the number of security incident reports relating to the health sector [4].
Although we have seen numerous attacks targeting vaccine developers and sensitive personal information, the most disruptive and growing threat for the health sector is “ransomware”.
Ransomware is a type of malicious software designed to block access to a computer system (via encryption) until a sum of money is paid. In August 2020, the ACSC released an advisory on ransomware campaigns targeting the aged care and health care sectors after a spate of high-profile, publicly disclosed breaches disrupted operations at these providers [5].
We anticipate a continued threat of ransomware attacks in the health sector in 2021 albeit with a few changes to their tactics and techniques.
Double Extortion: Steal Data
Recently, we found ransomware operators exfiltrating sensitive data before they started disabling victim systems. The threat actors then threaten to disclose this sensitive data in an attempt to coerce victims into paying the ransom, in what is now referred to as a “double extortion” scheme [6].
Inherent cyber challenges in the healthcare sector
The health sector faces several inherent challenges in raising its cyber maturity to a level commensurate with the threats it faces. These challenges include:
- Limited cyber leadership: Most organizations do not have a leader with the right authority, resources, and access to senior executives and the board to drive outcomes. A further issue is conflict of interest in reporting structures. It is common to find the cyber risk function sitting within the Information Technology (IT) organization, reporting to the Chief Information Officer (CIO) or Chief Technology Officer (CTO). The typical charter of a Chief Information Security Officer (CISO) generally conflicts with that of a CIO or CTO, especially as it relates to user experience, the cost of controls, and the expected velocity of IT changes. Not-for-profit organizations also struggle to acquire the right cyber leadership talent (CISOs), as these roles are in high demand and are expensive.
- Consistent under-investment: The sector is known for its consistent under-investment in digital and cyber technologies [7]. It is not uncommon to find ‘out of support’ systems used in production without appropriate basic hygiene such as patch management, endpoint security controls, and user access management.
- Specialist systems: Specialist clinical and R&D systems have longer lifespans than traditional IT systems, and vendors are inconsistent in the timely release of patches for known vulnerabilities. A number of these systems (e.g. radiological imaging systems using the DICOM standard) also have technical constraints that limit the application of effective endpoint security and user access management controls [8].
- High Performance Computing (HPC) environments: HPC is the ability to process data and perform complex calculations at high speeds [9]. HPC environments are typically used for medical research (e.g. modelling proteins and genomics to accelerate drug discovery for diseases) and have their own unique constraints. Traditional security technologies are typically unable to operate at the bandwidth HPC environments require.