Health system at risk of further attacks
The cyber attack that has forced Barwon Health offline for days could be one of the most significant experienced in Australia to date.
Authorities are keen to downplay the incident, with the State Government repeatedly saying cyber attacks are a reality of the modern world. But experts say that within Australia, the lengthy, wide-ranging attack is unusual.
It has forced health services, heavily reliant on digital systems, to wind back the clock and revert to paper and volunteers running messages between wards.
There is still no time frame for when systems will return to normal, after the ransomware attack forced them down on Monday.
Some Geelong patients have had appointments and elective surgeries called off due to the saga that has ensnared public health services in several regional areas including Colac, Gippsland and Warrnambool.
And it comes just months after a report warned of the risks of an incident like this.
Cyber security expert Matt Warren, deputy director of Deakin University’s cyber security research centre, explained that it was incident management that was ongoing, rather than the actual attack.
He said the attack itself was short, with the organisation likely infected by an unsafe link.
“The concern I have is that they’re not able to react to (a cyber attack) in an agile manner,” Prof Warren said.
Earlier this year, the Victorian Auditor-General’s Office released a foreboding report highlighting the cybersecurity deficiencies of several health services, including Barwon Health. It may even have helped alert the hackers to Barwon Health’s vulnerability.
“Hospitals haven’t got the appropriate mechanisms in place to deal with a cyber incident,” Prof Warren said. “It seems as if nothing has been done since this report, and this highlights how spot on that report was.”
Prof Warren said the issue in getting systems back up and running was the “sheer complexity” of the task.
“Companies should have generations of back up data, and tests where they actually have a mock cyber incident and then restore their backups to see where there’s problems,” Prof Warren said. “If they haven’t done that they’re dealing with an incident without that prior knowledge.”
However, Barwon Health chief executive Frances Diver said data is backed up to multiple locations and Barwon Health had no concerns “at this stage” about the current state of backups.
Prof Warren said Barwon Health was dealing with “many, many problems”. He praised the State Government’s cyber strategy, with the government using its incident management plan to assist Barwon Health.
Prof Warren said it was up to individual organisations to heed the warnings laid bare in the VAGO report. “The state government can’t protect every entity,” Prof Warren said. “It’s up to the entities to engage with it to make those changes.”
The Security of Patients’ Hospital Data report saw VAGO
It concluded, across audited services, staff awareness of data security was low and there were key weaknesses in security. “Victoria’s public health system is highly vulnerable to the kind of cyber attacks recently experienced by the National Health Service (NHS) in England, in Singapore, and at a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services,” it said.
The NHS was attacked in May 2017, and the cost of the attack was estimated to be the equivalent of more than $168 million in IT upgrades and disruption to services.
It lasted four days and forced the cancellation of thousands of appointments.
Health services audited by VAGO — including Barwon Health — advised that the key barriers to implementing cybersecurity controls developed by the DHHS were a lack of dedicated funding for cyber security and limited staff availability, the report said.
The State Government has said there was no suggestion patient data has been accessed from the attack.
VAGO made five recommendations to the DHHS and nine to Victoria health services in the report. Recommendations made to health services included: delivering mandatory training in data security to staff; developing a policy that outlines when and how often information and communications technology will be tested; and ensuring they identify and risk assess all information and communications technology assets.
Barwon Health would not specify what stage each recommendation was at. In a statement released yesterday afternoon, it said: “The majority of the Auditor General’s recommendations were under way prior to the VAGO report being tabled and most will be implemented by the year-end.
“We’re progressively restoring system access, with a number of clinical applications expected to be restored over the weekend.”
It’s understood clinical applications are medical software typically running on networks, some online and some via an intranet.
“We constantly conduct exercises to ensure all our services are robust to cope with any emergency,” Barwon Health said.
Patient care is continuing as usual across all Barwon Health sites. The State Government didn’t directly respond when asked by the Addy if it knew of any cyber attacks on Australian hospitals which had lasted longer. It also would not specify whether it expected hospitals to come back online at the same time.
“Australia’s top cyber security experts are currently working around the clock to restore systems as quickly as possible,” a Department of Premier and Cabinet spokeswoman said. “It’s crucial that we put patient safety first and that’s why we’re leaving no stone unturned as all ransomware is removed before reconnecting systems.
“We want to thank patients for their understanding as we work to resolve this incident, and our hardworking nurses, doctors and other hospital staff for their efforts to manage the issue.”
The attack is being investigated by federal and state police.
Prof Warren said he knew international examples of “larger attacks” including on local government in the US and the National Health Service in the UK. “But in an Australian context this is one of the longer incident management problems,” he said. “They’re unprepared for this type of incident. Even though the VAGO report highlighted their vulnerability.”
And Prof Warren warned the risk wasn’t going away. “Ransomware isn’t going to disappear,” he said.