CIO

Melbourne hospital’s ransomware strike a reminder on malware's danger to your (data) health

Doctors, patients locked out after ransomware hits the heart of Cabrini Health’s specialist cardiac operations

Ransomware may be declining overall, but the paralysis of a Malvern hospital’s cardiac unit is a reminder that such attacks are an omnipresent threat to business continuity and the integrity of sensitive personally identifiable information (PII).

The Age reported that staff at the Melbourne Heart Group, a specialist group within Melbourne’s Cabrini Hospital Malvern, were unable to access files on more than 15,000 patients for over three weeks after being hit with a malware attack that corrupted its data.

The Age reported that a payment was made to the ransomware authors to unlock the files, but that some of the encrypted files remain inaccessible – “among them patients’ personal details and sensitive medical records that could be used for identity theft.”

Cabrini management emphasised in a statement that the compromised systems were maintained separately to Cabrini’s own systems, and that the ransomware had been limited to those specialist-managed systems. Speaking with CSO Australia, a Cabrini spokesperson disputed the number of compromised records reported by The Age, and rebutted reports that a ransom was paid to recover the files.

But that will be cold comfort for the many patients whose records were reportedly compromised – adding to the recent breach of 2.7 million calls for medical advice, and the more than 5 billion records exposed in data breaches during 2018 alone.

“Patient data is very valuable to hackers, with stolen information often used to commit further crimes like identity theft,” Webroot senior information security analyst Dan Slattery said in a statement.

“The evolution of ransomware means that patient data has become even more valuable without needing to take it out of the network. Holding healthcare data to ransom, especially by encrypting possibly life-critical information of heart patients, has become a very lucrative business model for cyber criminals.”

The Cabrini ransomware attack is the latest blow to a healthcare community that has already been struggling to tighten the security of the sensitive medical data that it manages on a daily basis.

Healthcare organisations have consistently recorded the most data breaches in the quarterly reports on the notifiable data breaches (NDB) scheme published by the Office of the Australian Information Commissioner (OAIC), with 54 breaches of healthcare systems reported in the last quarter of 2018 alone.

This latest breach comes as new figures from Symantec corroborate the conclusions of a recent Proofpoint study that found ransomware was declining as a proportion of malicious activity as business email compromise (BEC) attacks surged.

Symantec’s latest Internet Security Threat Report (ISTR) saw Australia’s global rank as a ransomware target slide dramatically, from 13 in 2017 – when Australian ransomware attacks comprised 1.5 percent of the global total – to 33 in 2018, when that share more than halved, to 0.6 percent.

Australia was more prominently targeted by other types of attacks, with overall malware and bot volumes increasing year-on-year as a percentage of all global attacks.

Tenable ANZ country manager Bede Hackney flagged the Cabrini breach as another example where consultation with the Australian Signals Directorate’s Essential Eight model may have improved the group’s ability to protect its data.

“Healthcare naturally has a target on its back due to the wealth of personal and sensitive data it shares,” he explained. “Furthermore, being locked out of critical health information can have life-threatening consequences. But the techniques utilised by ransomware can be prevented – and the probability of an infection dramatically reduced – just by taking a few proactive steps.”