Preparing the Australian health sector for ransomware attacks

Why healthcare leaders should be concerned about cyber threats to this most critical infrastructure

By Dean Dimkin, Ambika Aggarwal, Ranil Jayasekere & Jaynesh Narain

As the healthcare sector continues its rapid shift to virtual models of care and reliance on new technologies to offer better experiences for clinicians, patients and other stakeholders, there is growing concern about these digital enablers being susceptible to cyber attacks and security breaches. 2020 saw a distinct shift in the cyber threat landscape with ransomware becoming the most significant cyber threat faced by all sectors including healthcare.

In PwC’s 2021 Global Digital Trust Insights Survey, almost 60% of respondents from the healthcare industry said they believe it is very likely that a ransomware attack will target their organisation in the next 12 months. And 95% of Australia’s CEOs cite cyber as a threat to business growth, as per PwC’s 24th Annual Global CEO Survey.

[Figure: The number one top threat to growth. Source: PwC’s 24th Annual Global CEO Survey, 2021]

Ransomware is a key cyber threat for healthcare

As with many other industries, the healthcare sector has seen increased targeting by financially motivated threat actors since the start of the COVID-19 pandemic. According to PwC’s analysis, there were 25 ransomware attacks against the healthcare sector globally in the first three months of 2021. This is due to a combination of factors, including the opportunities COVID-19 has presented to threat actors for crafting more convincing lure documents, as well as the critical nature of healthcare organisations during the outbreak.

Figure 2: Top five sectors affected by ransomware, reported to the ACSC in FY2019-20 [1]

Because these services must remain available, criminal actors tend to assess that executives will do anything to bring their operations back online - including paying ransoms (the Australian Cyber Security Centre (ACSC) advises, and PwC recommends, never paying a ransom demand). The severity of these attacks cannot be overstated: they have caused any number of harrowing consequences, including hospitals having to turn away members of the public [2], and even the death of patients [3].

In August 2020, the ACSC released an alert [4] warning of ransomware campaigns targeting the aged care and health sectors. In November 2020, a second alert [5] was released, warning of a different strain of ransomware that had begun targeting the health sector.

Running alongside the growing interest in the healthcare sector from these cybercriminal groups are their evolving tactics, techniques, and procedures (TTPs), as well as the number of groups that now operate in this space. These symbiotic issues create a vicious cycle: cybercriminal gangs expand their operations and increase the sophistication of their TTPs, which in turn grows their business and generates more revenue (Figure 1).

The average cost to the organisation to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is over AUD$900,000 [6].

Figure 3 - Basic visualisation of the cycle of ransomware operators (PwC UK Threat Intelligence)

The evolution of these TTPs involves not just the increased sophistication of the malware itself, but a change in tactics when it comes to infecting a victim. In a trend that has become the norm amongst multiple cybercriminal threat actors, ransomware operators no longer merely encrypt their victim’s systems and then demand ransom, but will also exfiltrate sensitive information from the victim. This is done in order to further coerce the victim into paying their ransom. 

The ACSC attributes the healthcare sector’s attractiveness to threat actors to the large amount of sensitive personal and medical information held by healthcare organisations, and how critical this information is to maintaining operations and patient care [8].

Why is the healthcare sector a prime target of ransomware?

The health sector is a prime target for cyber criminals for the following reasons [8]:

  1. The criticality of services delivered by the health sector: where there is a direct threat to human life, health sector organisations are considerably more likely to pay a ransom.
  2. The prevalence of Information Technology (IT) and Operational Technology (OT), much of it legacy technology, which makes this sector a high-value target.
  3. The rapid and unplanned increase in the use of virtual care technologies due to COVID-19, including the extension of corporate networks into people’s homes and the increased use of telemedicine and other virtual consultation infrastructure.
  4. Valuable intellectual property on technology and research, particularly that relating to COVID‑19 vaccine research and development.
  5. The pressure on health sector organisations to maintain and, if disrupted, rapidly restore business continuity.
  6. Public trust in health sector organisations, particularly those linked to Government services.
  7. Personal or sensitive data are valuable to criminals, as this information can either be sold on to other parties or (depending on the information) be used as part of a blackmail campaign against individuals or organisations, i.e. “pay us or we will release this information”.
  8. Low maturity of cyber controls and capabilities, due to low levels of investment in cyber security uplift at an enterprise level.

Beyond these, there are a number of factors that increase the exposure of this sector to ransomware and other cyber attacks.

Limited health sector specific regulatory laws and obligations driving cyber security investments

While the healthcare sector is a prime target of cyber attacks, apart from the Privacy Act 1988, the Healthcare Identifiers Act 2010, the My Health Records Rule 2016 and state-specific privacy laws, there are no healthcare-sector-specific cyber security standards in Australia to help manage cyber risks.

While other more global frameworks exist (such as the NIST Cyber Security Framework), none exist (to date) that are specific to healthcare, or the requirements of healthcare organisations.

In other sectors, such as financial services and energy, frameworks and regulations have been put in place that can advise organisations on how to manage cyber risks. The financial services industry has Prudential Standard CPS234 - Information Security. Similarly, critical infrastructure, which has traditionally included utilities and port organisations, is regulated by the Security of Critical Infrastructure Act 2018 (SOCI). The Australian Energy Market Operator (AEMO) recognised the complexity of implementing the requirements of this act, and helped create the Australian Energy Sector Cyber Security Framework to help energy providers ensure their cyber security is effective. 

The regulatory landscape for the health sector will be changing soon. On 10 December 2020, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced and read into Parliament, and aimed at strengthening the security of infrastructure in a number of key sectors, including the healthcare and medical sector. The Bill introduces a new host of cyber security obligations for any organisations covered by the Act. Soon, falling victim to a ransomware attack will not only cause potential harm to your patients, and loss of revenue - but failure to comply with the Act can result in potential fines and penalties. (For more information, see PwC’s Defending Australia’s critical infrastructure.)

Legacy technology and end-of-life systems

The healthcare sector is known to cyber criminals for its heavy reliance on legacy technology, with over 22% of healthcare organisations continuing to use legacy and end-of-life systems without vendor support, and a further 26% unaware of whether their systems are supported at all [9]. This exposes organisations to critical vulnerabilities that cannot be fixed, making the sector a prime target for ransomware attacks.

The 2017 global WannaCry ransomware attack brought this into perspective when the widespread use of obsolete software enabled malware to spread across the National Health Service (NHS) in the UK. Patient care was severely disrupted for an entire week - healthcare equipment was infected, pathology and radiology were unable to function, and nearly 7,000 medical appointments were cancelled [10].

Challenges in building a cyber-conscious workforce

It is no coincidence that overall cyber literacy in healthcare is lower, with digital adoption rates in healthcare trailing many other industries.

Perhaps the opportunity lies in integrating cyber security awareness and training into core clinical functions, including annual clinical training and certification processes, rather than relying on traditional enterprise policy or ICT awareness training.

“Threat-aware employees are the first line of defense against cyber intrusions. Too often, that defense needs strengthening”

Regardless of their sophistication, cybersecurity capabilities are ultimately made, or broken, by an organisation’s people. In order to truly protect your organisation, it’s necessary to understand what drives people’s decision making, and create and foster a culture that places cyber risk management at the forefront of its efforts.

In PwC’s 2021 Global Digital Trust Insights Survey, almost 50% of respondents from the healthcare industry said they were likely to factor cybersecurity and privacy implications into every business decision or planning activity post COVID-19. It is critical to recognise that a post-COVID-19 world requires a new cyber awareness and education strategy as organisations move towards an increasingly virtual workforce. Healthcare organisations need to start by taking small actions to enable the workforce to maintain basic digital hygiene (like not leaving a computer unlocked in a publicly accessible area or at home), and to embed cybersecurity in bigger decisions (such as deciding to buy a new MRI machine that connects to the internet). Without adequate focus on workforce elements, the organisation may be inadvertently creating avenues for an attacker to infect the network.

Increasing supply chain risk

The healthcare industry relies on an extensive network of suppliers, vendors and partners for day-to-day operations and to save lives. This includes medical equipment manufacturers, pharmaceutical producers, insurance providers, IT services, government agencies, and many more. Yet the more partners a healthcare facility uses, the greater the attack surface and therefore the risk of a ransomware attack. Threat actors often use organisations with weaker cyber security controls as a back door to their ultimate targets.

It is important to also consider your physical and digital connections to hospitals within the supply chain, which can be exposed to ransomware attacks. As the Australian COVID-19 vaccine campaign rolls out across the nation, the significant coordination of organisations across the supply chain means that ransomware poses an even bigger threat than ever before.

Cyber criminals are beginning to target the essentials required to distribute the vaccine, particularly areas where cyber security has not been a focus in the past. IBM has already announced that it had uncovered widespread phishing emails (a common way for ransomware to infect systems) targeted at employees and executives of trucking, rail and storage companies involved in the COVID-19 supply chain [11].

Looking beyond the COVID-19 pandemic and eventual recovery, it is unlikely that the rise in ransomware attacks is going to slow down. The increasing trend of digital transformation in the sector will introduce a new host of integrations with other vendors, suppliers and service providers, and in doing so will increase the attack surface for supply chain ransomware attacks. More than ever, it will be important for healthcare innovation to consider security as a priority, as any vulnerabilities can and will be exploited by cyber criminals.

Where do healthcare providers start to prepare to respond to a ransomware attack?

Cybersecurity responsibility doesn’t sit with just the executives and the board - it is every employee’s responsibility and, as such, everyone in the ecosystem has a role to play in addressing these challenges. 

  • Have an enterprise-wide ransomware plan ready and tested. Ransomware readiness and recovery plans and playbooks must take account of technical, operational, legal, regulatory, insurance, reputational, and revenue implications. Think of the response plan within your resilience framework, and assess your resilience maturity.
  • Executive and Board visibility. Be transparent with executives, the board and business partners alike about the current state of legacy technology, cyber security posture and the cyber incident response plan, in order to engender trust. Engage the COO, CMO, CISO and CIO in developing and executing these strategies. Get the CFO’s buy-in for any spending or investment needed to manage the impact.
  • Rapidly detect and contain incidents before they escalate. As the deployment of ransomware is the final stage of an attack that may have lasted months, there are almost always opportunities to detect and contain these attacks before data is encrypted or stolen. By effectively detecting and containing “commodity malware” infections, organisations can also deny ransomware attackers the initial access they rely on.
  • Up-to-date endpoint detection solutions. Ensuring you have up-to-date endpoint detection and response technology can help SOCs and security teams respond to ransomware threats in a timely manner.
  • Disable macros in Microsoft Office where possible. Disable the use of Microsoft Office macros for users that don’t require them, and only allow the use of digitally signed macros for all other users. Macros originating from files from the internet should be blocked, and macro antivirus scanning used.
  • Build a cyber-conscious workforce. Basic user education and tailored cyber training for doctors, hospital staff, clinicians, security specialists etc. is a vital control in protecting against a number of cyber threats, not just ransomware. Your workforce needs to be made aware of and trained to detect a threat so they’re less likely to access malicious hyperlinks.
  • Ensure operating systems and software are regularly patched. This should be done automatically where possible. Additional care should be taken to ensure internet-facing devices are configured properly, with security features enabled. Information about enabling software updates can be found on the ACSC’s website.
  • Back up computers, phones and other devices regularly, choosing automatic backups where possible. Backups need to be kept separately from the network, on separate devices, or using a cloud service. Disconnect external storage after backups are created so that backups are not also encrypted. Ensure staff know how to restore files from backups and practise restoration regularly.
  • Implement network segmentation and segregation. Health providers should review their networks to establish where their most valuable or sensitive information is stored and identify critical parts of their system. They need to review operational control systems and apply appropriate cyber security measures proportionate to the risk of compromise. With network segmentation, you can better isolate an incident, reduce the attack surface and, for example, prevent the propagation of ransomware.
  • Implement multi-factor authentication. Adding an additional layer of authentication for any remote access can prevent malicious actors using compromised credentials to access a network, and is particularly important when an organisation is relying on remote desktop access.
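As an added illustration of the macro controls in the list above (this is not code from the article or from PwC), the following read-only PowerShell audit reports whether the Office macro policies that implement them are enforced for the current user. It assumes Office 2016/2019/Microsoft 365, whose Group Policy settings are written under the “16.0” policy hive; the function names are my own.

```powershell
# Read-only audit of the Office macro policies behind the controls above:
# macros disabled (or signed-only for users who need them), macros from
# internet files blocked, and runtime antivirus (AMSI) scanning of macros.
# Assumption: Office 2016/2019/Microsoft 365 ("16.0" policy hive). Changes nothing.
$Hive = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings values as defined by the "VBA Macro Notification Settings" policy.
$VbaMeaning = @{
    1 = 'Enable all macros (WEAK)'
    2 = 'Disable with notification (WEAK: one click re-enables)'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy is not enforced, so the user controls the setting.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-OfficeMacroPolicy {
    # Users who genuinely need macros may be allowed level 3 (signed only);
    # everyone else should be at level 4 (disabled without notification).
    param([switch]$MacrosRequired)
    $allowed = if ($MacrosRequired) { @(3) } else { @(4) }
    $findings = @(foreach ($app in $Apps) {
        $sec      = Join-Path $Hive "$app\Security"
        $vba      = Get-PolicyValue -Path $sec -Name 'VBAWarnings'
        $blockNet = Get-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet'
        [pscustomobject]@{
            App             = $app
            MacroSetting    = if ($null -eq $vba) { 'not enforced (WEAK)' } else { $VbaMeaning[[int]$vba] }
            InternetBlocked = ($blockNet -eq 1)
            Compliant       = ($allowed -contains $vba) -and ($blockNet -eq 1)
        }
    })
    # Runtime macro scanning is a suite-wide setting: 2 = scan macros in all documents.
    $scan = Get-PolicyValue -Path "$Hive\Common\Security" -Name 'MacroRuntimeScanScope'
    $findings += [pscustomobject]@{
        App             = 'All apps (runtime scan)'
        MacroSetting    = "MacroRuntimeScanScope=$scan (2 = all documents)"
        InternetBlocked = $null
        Compliant       = ($scan -eq 2)
    }
    return $findings
}

# Run for a standard user; add -MacrosRequired for users approved to run signed macros.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Any row with Compliant = False is a gap between the written policy and what is actually enforced on the endpoint; the same keys under HKLM should be checked where policy is applied per machine.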


1. Australian Signals Directorate & Australian Cyber Security Centre, Ransomware in Australia, October 2020
2. BBC, US hospitals turn away patients as ransomware strikes, 2 October 2019
3. BBC, Police launch homicide inquiry after German hospital hack, 18 September 2020
4. Australian Signals Directorate, 2020-013 Ransomware targeting Australian aged care and healthcare sectors, viewed 1 March 2021
5. Australian Signals Directorate, SDBBot targeting health sector, viewed 1 March 2021
6. Sophos, The State of Ransomware 2020, May 2020
7. Australian Signals Directorate, 2020-013 Ransomware targeting Australian aged care and healthcare sectors, viewed 1 March 2021
8. Australian Cyber Security Centre, 2020 Health Sector Snapshot: Overview of the cyber security environment within the health sector over a twelve month period (1 January to 31 December 2020)
9. Health Informatics Society of Australia, Security check of Australia’s healthcare information: Cybersecurity across the Australian healthcare sector, June 2018
10. National Health Executive, Is the NHS ready for another WannaCry?, 2 May 2018
11. SecurityIntelligence, IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain, 3 December 2020
