Global technology experts warn of growing cybercrime as the Australian health sector faces attack.
“It feels like someone broke into my home, and even though the locks have been changed, it still somehow feels dirty.”
Sami Laiho was a victim of the 2020 cyberattack on the Finnish psychotherapy company, Vastaamo. His data, including transcripts from therapy sessions and banking information, was stolen and ransomed. He was one of the first victims of a new era of crime – which is now hitting the Australian health sector with unprecedented force.
2020 saw 166 cybersecurity incident reports from Australian medical organisations – an 84% increase from the previous year. After the government and individuals, the health sector reported the highest number of incidents to the Australian Cyber Security Centre (ACSC).
In 2021, cyber attacks on the health sector remain high, despite the government’s injection of 500 new jobs and $1.35 billion into the ACSC and the Australian Signals Directorate (ASD).
More and more Australians might find themselves in situations like Sami Laiho’s. Vastaamo, which has treated some 40 000 Finns, was breached by a hacker who stole tens of thousands of patient records. The ransomed files included mental health history and therapy transcripts detailing sensitive information, such as marital affairs.
“[The ransom] was a lot of money,” Laiho says.
“But if someone asks you ‘Do you want to destroy your marriage? Or do you want to pay 200 euros?’ ‘Do you want to destroy your career or 200 euros?’ 200 is actually relatively low.” – Sami Laiho
Not only was Laiho a victim, but he is also a world-leading professional in Windows OS and security. In 2019, Laiho was chosen by TiVi-magazine as one of the top 100 influencers in Finland’s IT industry. He was a part of the investigation.
“For me, it was just a couples therapy session with my ex-wife. It’s an annoyance, but that doesn’t destroy my life,” explains Laiho, who has since had to place restrictions on or reset much of his banking and personal information.
The Health Sector as a Prime Target
The Australian health sector holds Personally Identifiable Information (PII), which can be sold on cybercrime marketplaces and used to commit identity theft.
The urgency of health services also makes these organisations vulnerable.
“You’re in a crisis where your systems need to work. If they can lock systems away from you, you’re more likely to pay,” states Richard Campbell, reflecting on the healthcare sector globally from his home in Canada.
Campbell has been a pivotal member of the technology community since its early days. He’s a Microsoft Regional Director and Most Valuable Professional (MVP), now working as an entrepreneur, advisor and host of some of the most respected podcasts in the industry – like .NET ROCKS.
Campbell explains the incentive for state actors to target medical intellectual property, such as COVID‑19 vaccine research.
“It’s valuable [for state actors] to demonstrate ‘We can get into health systems if we want.’ That’s a very invasive step.”
Breaching Medical Organisations
The COVID-19 pandemic created optimal conditions for security breaches. Medical organisations required remote access solutions – many of which progressed too quickly, without security considerations.
These remote access solutions also increased the digital ‘attack surface’, exposing more of the organisation to compromise methods, including sophisticated internal phishing and ransomware.
“Both the mail server and the employee’s computer would have been controlled by an IT person with much more significant security restrictions. Running the business email on your own machine [at home] – it doesn’t have the same level of protection,” Richard Campbell explains.
Vulnerabilities can also be found on medical devices, from computers to oxygen machines and defibrillators. Often these specialised devices are not patched for fear of rendering critical systems unavailable.
Troy Hunt reflects on his experiences in the Australian healthcare system.
“How many times will you pass a machine in a hospital and it’s unlocked, or the password is on a sticky note on the monitor. We’re talking about environments that traditionally just haven’t had great security.”
In the case of the Finnish company, Vastaamo – it’s a checkmate situation. The hacker won’t be able to cash in his earnings without being caught, explains Sami Laiho.
“He didn’t think he did anything but a technical breach. Just, ‘I have your data, give me money.’”
The attacker didn’t appear to understand his crime’s severity until all eyes fell on him in disgust. Even other ‘black hats’ – the colloquial name for criminal hackers – began aiding the investigation.
“And when he started realising what he had actually done… That’s when he just went totally silent. The only time he surfaced was when he withdrew the money from the several Bitcoin accounts to a single one.”
This is where the problem lies for hackers, explains Richard Campbell.
“At some point, you have to convert that Bitcoin into money.”
Investigators usually follow the bitcoin until it reaches an institution that can be subpoenaed, such as a bank.
Troy Hunt explains how perpetrators can leave traces of themselves behind.
“The attacker might use a particular handle somewhere, and then that same handle pops up somewhere else with an IP address.”
Just like handwriting, Hunt explains, “there are often observable styles in the way code is written. These styles can tie multiple campaigns back to the same perpetrators.”
Often it isn’t finding hackers that is the problem – it’s what to do next. When cyber warfare is committed over international borders, extradition isn’t always possible.
“We even know their names. Hafnium is a state-sponsored hacking group in China. Cozy Bear the same thing in Russia. The West knows the building in Saint Petersburg where Cozy Bear is. And what do you do? What’s legal? Remember – you’re the good guy.” – Richard Campbell
Preventing Australian Health Sector Breaches
In response to last year’s increase in cyber attacks, health providers have been encouraged to review ACSC’s Strategies to Mitigate Cyber Security Incidents.
“A good place to start is ACSC’s Essential Eight,” explains Troy Hunt.
The Essential Eight include strategies to prevent malware attacks (e.g. installing the latest patches), to limit the extent of attacks (e.g. multi-factor authentication) and to recover data (e.g. completing daily backups).
Despite the best recommendations, experts worry that it will take a catastrophic incident to increase security awareness and regulations. Sami Laiho in Finland speaks from experience.
“Now, people are asking questions when they have to give their data. They’re asking ‘why?’ They remember Vastaamo.”
From Laiho’s experience in completing security audits and increasing organisations’ cyber safety, he’s noticed “they finally see that this is actually valuable. And it’s cheaper for them to pay for the services beforehand than afterwards.”
There is still a need for more significant global regulations. Richard Campbell compares it to the evolution of road rules.
“It’s only when there were enough cars that were disrupting things that we said, ‘Hey, maybe we should have some rules.’ You don’t start with traffic lights and crosswalks and speeding tickets.”
Troy Hunt explains how internationality complicates the situation.
“What makes it really different from cars is that you’re not driving between Australia, and the UK, and the US on a regular basis.”
“When we get online, borders just evaporate into nothing in the blink of an eye. Not just because you could be anywhere in the world, but because it is so easy to make yourself appear like you’re anywhere in the world. We’re trying to apply these laws to a paradigm that has no boundaries.”
While these global regulations are still to be developed, the Australian health sector remains in urgent need of protection. Richard Campbell suggests a new kind of defence.
“Maybe buy fewer fighter planes and spend more money on hackers.”