By Dean Dimkin, Ambika Aggarwal, Ranil Jayasekere & Jaynesh Narain
As the healthcare sector continues its rapid shift to virtual models of care and reliance on new technologies to offer better experiences for clinicians, patients and other stakeholders, there is growing concern about these digital enablers being susceptible to cyber attacks and security breaches. 2020 saw a distinct shift in the cyber threat landscape with ransomware becoming the most significant cyber threat faced by all sectors including healthcare.
In PwC’s 2021 Global Digital Trust Insights Survey, almost 60% of respondents from the healthcare industry said they believe it is very likely that a ransomware attack will target their organisation in the next 12 months. And 95% of Australia’s CEOs cite cyber as a threat to business growth, as per PwC’s 24th Annual Global CEO Survey.
Source: PwC’s 24th Annual Global CEO Survey, 2021
As with many other industries, the healthcare sector has seen an increase in targeting since the start of the COVID-19 pandemic from financially motivated threat actors. As per PwC’s analysis in the first three months of 2021 there have been 25 ransomware attacks against the healthcare sector globally. This is due to a combination of factors, including the opportunities COVID-19 has presented to threat actors for crafting more convincing lure documents, as well as the critical nature of healthcare organisations during the outbreak.
Figure 2: Top five sectors affected by ransomware, reported to the ACSC in FY2019-20 [1]
Because these services must remain available, criminal actors tend to assess that executives will do anything to bring their operations back online, including paying ransoms (the Australian Cyber Security Centre (ACSC) advises, and PwC recommends, never paying a ransom demand). The severity of these attacks cannot be overstated: they have caused any number of harrowing consequences, including hospitals having to turn away members of the public [2], and even the death of patients [3].
In August 2020, the ACSC released an alert [4] warning of ransomware campaigns targeting the aged care and health sectors. In November 2020, a second alert [5] was released, warning of a different strain of ransomware that had begun targeting the health sector.
Running alongside the growing interest of these cybercriminal groups in the healthcare sector is the evolution of their tools, techniques, and procedures (TTPs), as well as the number of groups now operating in this space. These mutually reinforcing factors create a vicious cycle: cybercriminal gangs expand their operations and increase the sophistication of their TTPs, which in turn grows their business and generates more revenue (Figure 1).
The average cost to the organisation to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is over AUD$900,000 [6].
Figure 3 - Basic visualisation of the cycle of ransomware operators (PwC UK Threat Intelligence)
The evolution of these TTPs involves not just the increased sophistication of the malware itself, but a change in tactics when it comes to infecting a victim. In a trend that has become the norm among multiple cybercriminal threat actors, ransomware operators no longer merely encrypt their victim’s systems and then demand a ransom; they also exfiltrate sensitive information from the victim beforehand, so that the threat of publishing it can be used to further coerce the victim into paying.
The ACSC attributes the healthcare sector’s attractiveness to threat actors to the large amount of sensitive personal and medical information held by healthcare organisations, and how critical this information is to maintaining operations and patient care [8].
The health sector is a prime target for cyber criminals due to the following reasons [8]:
Beyond these, there are a number of factors that increase the exposure of this sector to ransomware and other cyber attacks.
While the healthcare sector is a prime target of cyber attacks, apart from the Privacy Act 1988, the Healthcare Identifiers Act 2010, the My Health Records Rule 2016 and state-specific privacy laws, there are no healthcare-sector-specific cybersecurity standards in Australia to help manage cyber risks.
While broader, global frameworks exist (such as the NIST Cyber Security Framework), none to date is specific to healthcare or to the requirements of healthcare organisations.
In other sectors, such as financial services and energy, frameworks and regulations have been put in place that can advise organisations on how to manage cyber risks. The financial services industry has Prudential Standard CPS234 - Information Security. Similarly, critical infrastructure, which has traditionally included utilities and port organisations, is regulated by the Security of Critical Infrastructure Act 2018 (SOCI). The Australian Energy Market Operator (AEMO) recognised the complexity of implementing the requirements of this act, and helped create the Australian Energy Sector Cyber Security Framework to help energy providers ensure their cyber security is effective.
The regulatory landscape for the health sector will be changing soon. On 10 December 2020, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced and read into Parliament, aimed at strengthening the security of infrastructure in a number of key sectors, including the healthcare and medical sector. The Bill introduces a new host of cyber security obligations for any organisation covered by the Act. Soon, falling victim to a ransomware attack will not only cause potential harm to your patients and loss of revenue; failure to comply with the Act can also result in fines and penalties. (For more information, see PwC’s Defending Australia’s critical infrastructure.)
The healthcare sector is known to cyber criminals for its heavy reliance on legacy technology, with over 22% of healthcare organisations continuing to use legacy and end-of-life systems without vendor support, and a further 26% unaware of any support [9]. This exposes organisations to critical vulnerabilities that cannot be patched, making them a prime target for ransomware attacks.
The 2017 global WannaCry ransomware attack brought this into perspective when the widespread use of obsolete software enabled malware to spread across the National Health Service (NHS) in the UK. Patient care was severely disrupted for an entire week: healthcare equipment was infected, pathology and radiology were unable to function, and nearly 7,000 medical appointments were cancelled [10].
It is no coincidence that overall cyber literacy in healthcare is lower than in other industries, given that digital adoption rates in healthcare trail many other sectors.
Perhaps the opportunity lies in embedding cyber security awareness and training into core clinical functions, including annual clinical training and certification processes, rather than relying on traditional enterprise policy or ICT awareness training.
“Threat-aware employees are the first line of defense against cyber intrusions. Too often, that defense needs strengthening”
Regardless of their sophistication, cybersecurity capabilities are ultimately made or broken by an organisation’s people. To truly protect your organisation, it is necessary to understand what drives people’s decision making, and to create and foster a culture that places cyber risk management at the forefront of its efforts.
In PwC’s 2021 Global Digital Trust Insights Survey, almost 50% of respondents from the healthcare industry said they were likely to include cybersecurity and privacy implications in every business decision or planning activity post COVID-19. It is critical to recognise that a post-COVID-19 world requires a new cyber awareness and education strategy as organisations move towards an increasingly virtual workforce. Healthcare organisations need to start by taking small actions to enable the workforce to maintain basic digital hygiene (such as not leaving a computer unlocked in a publicly accessible area or at home), and to embed cybersecurity in bigger decisions (such as deciding to buy a new MRI machine that connects to the internet). Without adequate focus on these workforce elements, the organisation may be inadvertently creating avenues for an attacker to infect the network.
The healthcare industry relies on an extensive network of suppliers, vendors and partners for day-to-day operations and to save lives. This includes medical equipment manufacturers, pharmaceutical producers, insurance providers, IT services, government agencies, and many more. Yet the more partners a healthcare facility uses, the greater the attack surface and therefore the risk of a ransomware attack. Threat actors often use organisations with weaker cybersecurity protocols as a back door to their ultimate targets.
It is important to also consider your physical and digital connections to hospitals within the supply chain, which can be exposed to ransomware attacks. As the Australian COVID-19 vaccine campaign rolls out across the nation, the significant coordination of organisations across the supply chain means that ransomware poses an even bigger threat than ever before.
Cyber criminals are beginning to target the essentials required to distribute the vaccine, particularly areas where cyber security has not been a focus in the past. IBM has already announced that it had uncovered widespread phishing emails (a common way for ransomware to infect systems) targeted at employees and executives of trucking, rail and storage companies involved in the COVID-19 supply chain [11].
Looking beyond the COVID-19 pandemic and eventual recovery, it is unlikely that the rise in ransomware attacks is going to slow down. The increasing trend of digital transformation in the sector will introduce a new host of integrations with other vendors, suppliers and service providers, and in doing so will increase the attack surface for supply chain ransomware attacks. More than ever, it will be important for healthcare innovation to consider security as a priority, as any vulnerabilities can and will be exploited by cyber criminals.
Cybersecurity responsibility does not sit with just the executives and the board; it is every employee’s responsibility and, as such, everyone in the ecosystem has a role to play in addressing these challenges.
1. Australian Signals Directorate & Australian Cyber Security Centre, Ransomware in Australia, October 2020
2. BBC, US hospitals turn away patients as ransomware strikes, 2 October 2019
3. BBC, Police launch homicide inquiry after German hospital hack, 18 September 2020
4. Australian Signals Directorate, 2020-013 Ransomware targeting Australian aged care and healthcare sectors, viewed 1 March 2021
5. Australian Signals Directorate, SDBBot targeting health sector, viewed 1 March 2021
6. Sophos, The State of Ransomware 2020, May 2020
7. Australian Signals Directorate, 2020-013 Ransomware targeting Australian aged care and healthcare sectors, viewed 1 March 2021
8. Australian Cyber Security Centre, 2020 Health Sector Snapshot: Overview of the cyber security environment within the health sector over a twelve month period (1 January to 31 December 2020)
9. Health Informatics Society of Australia, Security check of Australia’s healthcare information: Cybersecurity across the Australian healthcare sector, June 2018
10. National Health Executive, Is the NHS ready for another WannaCry?, 2 May 2018
11. SecurityIntelligence, IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain, 3 December 2020