‘Compromised systems’ leave Aussie healthcare providers sitting ducks for cyber criminals: ACSC Report


More than half of all cyber incidents reported by Australia’s healthcare sector last year were the result of internal vulnerabilities, or “compromised systems”, a Snapshot report by the Australian Cyber Security Centre (ACSC) has revealed, with the onset of the Covid pandemic, unsurprisingly, drawing a surge in cyber-attacks.

The report, which assessed the cyber threat landscape and overall cyber preparedness of the health sector throughout the 2020 calendar year, found that attackers were capitalising on vulnerabilities and lax cybersecurity provisions within Australia’s public and private healthcare organisations.

The ACSC identified easily hackable “hardcoded passwords” or insufficient storage of passwords that are “held in recoverable areas”, as well as “improper authentication” as the key culprits for systems compromise.

‘Compromised systems’ were responsible for the majority (52 per cent) of cyber incidents reported to the ACSC – representing an 11 per cent jump on the previous calendar year.

The ACSC defines ‘compromised systems’ as those that have been penetrated by attackers, allowing “unauthorised access to, or modification of, a network, account, database or website”.

Other incident types reviewed by the ACSC include reports of potential compromise from trusted partners, malicious emails, and scanning, reconnaissance or brute force attacks.

In total, the ACSC received 166 reports of incidents in 2020 – a notable jump from the 90 incidents reported in 2019.

Apart from government agencies and individuals, Australia’s healthcare sector reported more incidents in the last calendar year than any other sector.

The onset of the pandemic early last year left the healthcare sector particularly susceptible to cyber-attacks, the report found, with malicious actors taking advantage of the “persuasive environment of fear and uncertainty”, as well as the “increased operational pressure” on healthcare services during the pandemic.

In April last year, at the height of the initial global spread of Covid-19, the ACSC received reports of 70 separate health-related cybersecurity incidents. In May, which was also the next highest reporting month, the cyber centre received just 17 reports.

While some attackers targeted citizens with health-themed attacks, others zeroed in on healthcare providers themselves in an attempt to gain access to information relating to Covid-19.

Malicious actors targeted healthcare organisations for access to information “relating to vaccine development, treatments, research and national responses to the Covid-19 outbreak”. Such information became immensely valuable on a global scale.

The report showed that phishing campaigns also compromised email accounts, allowing hackers to access sensitive information. Cybercriminals impersonated health authorities, including the World Health Organisation (WHO) and government officials, when constructing these campaigns.

These phishing campaigns often aligned with the launch of government relief payments or public health advice “within days or even hours of announcements occurring”.

Parts of the health sector have “a number of control systems”, which increases the number of opportunities for cybercriminals.

Vulnerabilities have also been reported in medical devices, such as implantable defibrillators and health record-connected hospital beds, according to the report.

These specialised devices are not always patched regularly, with many in the sector fearing they would “render critical systems or devices unavailable”.

In scenarios where it may be considered a risk to patch these systems regularly, the report advises that alternative measures should be taken to fix vulnerable systems, such as isolating vulnerable devices if they cannot be patched.

Remote working has also increased the number of vulnerable devices and increased the “attack surface” for malicious actors to target. Remote workforces, in some cases, may have been set up “without due consideration for cyber security”, the report found.

It recommends reviewing remote access solutions to ensure all medical devices are “effectively segmented from the remaining network”.

The report also recommends implementing multi-factor authentication and creating multiple offline backups of any critical information and systems.

While cyber-attacks in the healthcare sector have been decreasing in recent months, with the progressive rollout of vaccinations commencing across 2021 and a slow downward trend for Covid-19 case rates, the report is predicting that cyber-attacks on the health sector are likely to again increase – a trend being experienced in other countries.

According to the report, cybercriminals are attempting to “scam the public” in other countries “by taking advantage of the Covid-19 vaccine rollout”, often targeting companies involved in supply chains.

“Targeting of the health sector by malicious actors has the potential to interfere with service delivery, impede the supply of critical products to those in need, cause reputational and financial damage to health organisations, and threaten the delivery of health services and the lives of patients,” the report noted.

The ACSC said it assesses ransomware as “currently the most significant cybercrime threat to the Australian health sector”.

“Malicious actors likely view health sector entities as a lucrative target for ransomware attacks. This is because of the sensitive personal and medical data they hold, and how critical this data is to maintaining operations and patient care.”

“Financially motivated cybercriminals are seeking to access sensitive personal information held by health organisations (such as names, dates of birth, addresses, medical histories, Medicare details and health fund information) to commit identity theft or sell the data in cybercrime marketplaces.”

Cyber incident reports are volunteered by Australian organisations to the ACSC, providing a basis for the chief cybersecurity agency to offer post-incident assistance.