It seems hardly a day goes by without another report of a cybercrime incident. With last year’s cyberattack on health insurer Medibank still fresh in Australians’ minds, the latest assault in the country is on a Sydney cancer treatment facility, the Crown Princess Mary Cancer Centre in Westmead Hospital.
The cyber criminal group Medusa claims to have stolen thousands of files and is holding the facility to ransom.
In what has become a common practice, the criminal gang seems to be using double extortion. In such scenarios, criminals typically demand a fee to “release” the data back to the organisation, often with a “sample” made available to verify their claims.
The gangs then double-down with threats to publicise the data via their websites if payment is not made – in this case, a deadline of seven days.
Medusa is offering a range of options to delay the public release of data by 24 hours (US$10,000), or to download and/or delete the data from the gang for US$100,000.
It is currently unclear what will happen on Friday morning if the ransom is not paid. However, the Medusa Blog offers free access to data stolen from previous victims who did not pay the ransom by the deadline.
According to CyberCX, a cybersecurity firm in Britain, Medusa is the “second-most active cyber extortion group in the Pacific”. Medusa has been trying to compromise organisations in Australia and New Zealand since the beginning of 2023.
Why target health services?
Any cyberattacks on the health sector are dangerous. While some cyber criminals have previously avoided schools and healthcare organisations, it seems these are now fair game.
Knowing the services and data held by these organisations are critical, it is not surprising to see so many ransomware attacks are launched against critical healthcare infrastructure.
Some notable incidents targeting the Australian health systems have included Medibank, Melbourne Heart Group and Eastern Health which operates four hospitals in Melbourne’s east – an attack which resulted in elective surgeries needing to be postponed.
According to tech giant Microsoft, the healthcare sector (and aligned industries) is one of the top targets for cyber criminals.
What is the impact?
The health sector deals with our most private data, and none of us want this data in criminal hands. Apart from privacy issues, the inability to continue regular activities in any healthcare facility poses life-threatening risks.
A recent study showed that from 2016-2021, US healthcare providers experienced 374 ransomware attacks that exposed the private health information of nearly 42 million patients.
Nearly half of these attacks disrupted healthcare services, with impacts including electronic system downtime, cancellations of scheduled care and ambulance diversions.
Why does this keep happening?
Technical advances in health industries have undoubtedly improved treatment and overall patient care. While this growth in technology is a positive for healthcare, it exposes health systems to cyber criminals.
With each passing year there is increased connectivity between clinical systems and medical devices. The healthcare sector needs to be more staffed and heavily reliant on internet-connected systems, also known as digital health. This inter-connectivity makes health systems more complex and harder to secure.
With the exception of state-sponsored groups, cyber criminals are primarily motivated by financial gain. Healthcare is undoubtedly one of the most promising targets as, if compromised, the organisations are more likely to pay the ransom – ultimately, because lives are at stake.
Cyber-criminals capitalise on this, and even after good governance and enhanced cybersecurity within the sector, these incidents are likely to continue.
Living with cyber criminals around us
So far, reports about the cancer facility at Westmead have not indicated that operations have been significantly impacted. This may imply no computing devices have actually been compromised and locked. This could be seen as a positive.
However, those who have examined samples of data published on the Medusa Blog have suggested it seems genuine.
As Robert Mueller, a former director of the FBI, famously said: “There are only two types of companies: those that have been hacked and those that will be hacked.”
Cybercrime has become a global industry with estimates predicting the impact at more than US$8 trillion in 2023. With such potentially lucrative benefits, Australia has to accept it will be sharing cyberspace with criminals for the foreseeable future.
There are, of course, actions that can improve our cybersecurity preparedness, regardless of the sector. While nothing will completely eliminate the risk, making ourselves a less attractive target helps to reduce the likelihood of being a victim. So it is important to:
• protect your systems: apply ‘patches’ to all devices (including mobile phones), meaning installing patches released by software developers to close security holes; educate users to segregate personal and business activities; use strong and unique passwords for all systems/services
• include all systems: do not forget the ‘Internet of Things’ and operational technology (all the devices and software we use that connect to the internet); check default settings (changing any default passwords); and plan the disposal of old systems
• protect your data: data collected from all sources needs to be kept in appropriate locations; think about how long you will keep data; and ensure data is protected from creation to destruction
• protect your people: educate all staff on basic cyber hygiene; vet new staff; and think about how employees are dismissed from their jobs
• seek advice: when things go wrong, bring in the experts and liaise with law enforcement or other government agencies as appropriate
And, finally, do not pay the ransom – it may be a difficult decision, but it only encourages the criminals behind the ransomware campaigns to keep going.
Mohiuddin Ahmed is a senior lecturer of computing and security at Edith Cowan University. Paul Haskell-Dowland is a professor of cybersecurity practice at Edith Cowan University. This article was first published on The Conversation.