A sophisticated cyberattack has brought down the computer systems of several regional hospitals in Victoria.

The attack affected hospitals in the Gippsland Health Alliance, in the state's east, and the South West Alliance of Rural Health.

This includes hospitals in Warrnambool, Colac, Geelong, Warragul, Sale and Bairnsdale, as well as a host of services in smaller towns.

According to Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security at La Trobe University, the attack can be attributed to human vulnerabilities.

“This is a ransomware attack,” he said. “The ransomware attack shut down the entire hospital systems from patient records, booking and management systems -- which may impact patient contacting and scheduling. Doctors will not be able to access patients’ health records either.”

Although the type of attack and who was involved are yet to be confirmed, the Department of Health and Human Services (DHHS) said the cyber incident was uncovered on Monday and the Victorian Cyber Incident Response Service has been deployed to block access to several systems by the infiltration of ransomware, including financial management.

“Hospitals have isolated and disconnected several systems such as the internet to quarantine the infection,” it stated. “The priority is to fix all affected systems and prevent any further compromise.”

According to DHHS, this isolation has led to the shutdown of some patient record, booking and management systems, which may impact on patient contact and scheduling. Where practical, hospitals are reverting to manual systems to maintain their services.

West Gippsland Healthcare Group chief executive officer Dan Weeks said most of the local IT services are still functional, including internal intranet communications, phone system, public address system, access to printers and external websites.

Victoria’s Premier Office has confirmed Victoria Police and the Australian Cyber Security Centre are also on board to manage the incident and investigate the scope of the attack.

“A full review will take place to address what has occurred and identify what additional measures may be required to ensure hospitals have the best protection against cyber security incidents,” stated Premier Daniel Andrews.

Attack not exactly a surprise

The incident shouldn’t come as a surprise to the Victorian Government, as an enquiry into the Security of Patients’ Hospital Data by the Victorian Auditor-General’s Office, released in May 2019, found Victoria’s public health system to be highly vulnerable to cyberattacks.

According to the report, key weaknesses were found in health services’ physical security and in their logical security – which covers password management and other user access controls.

“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located,” stated the report.

“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”

Arachchilage told Information Age it was “very clear” that cybercriminals are interested in “breaking into people’s mindset rather than breaking into systems straightway”.

“Cybercriminals usually launch a ransomware attack by locking the data on a victim’s computer -- typically by encryption,” he said. “Ransomware attacks normally occur through phishing links – which is the art of human hacking.”

“Prevention is better than the cure,” said Arachchilage. He urged organisations to back up their data and to follow the Australian Signals Directorate’s top eight mitigation strategies as a baseline level of security to reduce cyber risk across many enterprises.

Dane Meah, CEO of InfoTrust, encouraged all businesses to implement email authentication controls to limit the ability of cybercriminals to send spoofed emails.

“Unfortunately, when cyber security is not prioritised, it will take a major incident for people to sit up and realise a proactive approach is needed,” he said. “In a recent case we saw an organisation lose close to $2m in cash. A data breach can be even worse.”

Meah believes there has been a paradigm shift where it’s expected that attacks like these will occur; however, it’s how an organisation detects and responds to an incident that matters most.

“I’m sure there’s more that could have been done to avoid this attack - hindsight is 20/20,” he said. “I’d encourage organisations concerned with being hit by ransomware to review the egress points that ransomware hits.”