Key cyber security threats in the health sector

Article, Lilia Guan, CIO Tech Asia

Overview of the cyber security environment within the health sector over a twelve month period January – December 2020.
The Australian Cyber Security Centre (ACSC) has released a snapshot of the key cyber security threats in the health sector. The report offers advice to executives and cyber security professionals within the health sector on what they can do to protect their organisation from cyber threats.

COVID-19 has fundamentally changed the cyber threat landscape for the health sector, with malicious actors increasingly targeting and compromising health networks, which are already under pressure in a pandemic operating environment.

Malicious actors are primarily financially motivated and may seek to gain access to valuable data stores, use the branding from high-profile victims and incidents to bolster the legitimacy of the targeting activity, and can cause disruption to business operations and continuity through methods such as ransomware. The ACSC assesses that ransomware is currently the most significant cybercrime threat to the Australian health sector.

During the reporting period, the ACSC received 166 cyber security incident reports relating to the health sector. This is an increase from the 90 reported incidents affecting the health sector during the 2019 calendar year and likely a result of increased targeting of the health sector due to COVID-19. Incidents reported by the health sector are primarily from health care providers, as well as customers falling victim to health-related scams or data breaches.

Rates of health sector incidents in this reporting period are trending down towards pre‑COVID‑19 levels; however, we expect cyber incidents will fluctuate. Globally, COVID-19 themed scams occurred during the height of the pandemic last year, and will potentially increase throughout the vaccine’s research, manufacture, distribution and administration phases.

While the ACSC has not yet observed this activity in Australia, international reporting suggests cybercriminals are attempting to scam the public in other countries by taking advantage of the COVID-19 vaccine rollout, and targeting companies involved in the vaccine supply chains. As such, the ACSC advises that organisations maintain a heightened state of awareness as malicious actors search for new vulnerabilities or seek to exploit existing ones.

The ACSC offers ongoing support to the health sector through incident management services and the ACSC Partnerships Program to ensure the health sector is protected and resilient to malicious cyber activity. If you are a health sector organisation, the ACSC encourages you to join the Partnerships Program by emailing [email protected].

Key Takeaways:

  • Outside of government and individuals, the health sector reported the highest number of incidents to the ACSC during the period.
  • The health sector remains a valuable and vulnerable target for malicious cyber activity because of:
      • its highly sensitive personal data holdings
      • its valuable intellectual property on technology and research, particularly those relating to COVID‑19 vaccine research and development
      • the criticality of services delivered by the health sector
      • the pressure on health sector organisations to maintain and, if disrupted, rapidly restore business continuity
      • public trust in health sector organisations, particularly those linked to Government services.

  • COVID-19 has changed the threat landscape for the health sector:
      • there are numerous new health-related targets, as non-traditional entities enter the sector and targeting extends to medical transport and supply chains
      • existing organisations are under increased operational pressure and therefore more vulnerable to cyber security attacks and financial extortion
      • changes to social and working environments, such as working from home, have increased ‘attack surfaces’ and exposed networks to new vulnerabilities
      • malicious actors are seeking to capitalise on a pervasive environment of fear and uncertainty, and an influx of new entrants and stakeholders in the sector.
  • Financially-motivated cybercriminals will continue to target the Australian health sector because of its access to sensitive data and increased reliance on telehealth and internet-enabled services.
  • It is critical that health sector organisations ensure that their networks are protected from malicious cyber actors who may seek to disrupt essential services and/or compromise business-critical systems, such as to profit from ransom. Further advice outlining how organisations can protect themselves can be found on page 7 of the report, under Preventative Measures.

Health Sector Incidents Statistics

Between 1 January 2020 and 31 December 2020, the ACSC received 166 incident reports relating to the health sector. This is an increase from the previous calendar year where there were 90 reported incidents affecting the health sector.

The bulk of reported incidents were for compromised systems.

This number only reflects those incidents reported to the ACSC and does not necessarily represent the extent of total incidents experienced by the health sector.

During April 2020, there was a significant spike in the number of incidents reported to the ACSC relating to the health sector. This was likely a result of malicious actors capitalising on COVID-19, and an increase in online activity from the Australian population following changes to working environments. Figure 1 provides the number of health-related incident reports received by the ACSC in this reporting period.

Outside of government and individuals, the health sector reported the highest number of incidents to the ACSC during the period. The highest proportion of health sector incidents reported to the ACSC related to compromised systems (52 per cent), compared with 41 per cent in the previous calendar year. These numbers align with broad trends across all sectors: compromised systems and malicious emails represent the highest incident types reported to the ACSC in 2020.

The majority of reported health sector incidents were categorised at ACSC’s Category 5 incident level (59 per cent), generally affecting small to medium sized organisations experiencing low-level malicious activity such as targeted reconnaissance and phishing, or some form of network intrusion resulting in temporary system disruption. Refer to the Glossary for an explanation of the different incident types and ACSC’s incident categories.

Health Sector Threat Overview

  • Cyber security incidents in the health sector have the potential to cause devastating impacts on organisations and individuals, including threat to life (see Case Study 1).
  • Cybercriminals are adapting to the COVID-19 pandemic and increasing cyber attacks on the health sector.
  • Business email compromise (BEC) and ransomware present high-impact threats to the health sector and their medical transport and supply chains.

What are the impacts of a cyber attack?

Targeting of the health sector by malicious actors has the potential to interfere with service delivery, impede the supply of critical products to those in need, cause reputational and financial damage to health organisations, and threaten the delivery of health services and the lives of patients. During COVID-19, the ACSC observed malicious actors taking advantage of the pandemic to tailor their criminal activities. Cybercriminals will continue to take advantage of circumstances they can benefit from, and will likely target companies and organisations involved in the supply chain of the COVID-19 vaccine.

What are malicious actors seeking?

Malicious actors target organisations for a variety of reasons. As the COVID-19 pandemic continues to impact health sectors on a global scale, malicious actors may seek information and intellectual property relating to vaccine development, treatments, research and national responses to the COVID-19 outbreak as this information is now of higher value and priority globally.

Malicious actors likely view health sector entities as a lucrative target for ransomware attacks. This is because of the sensitive personal and medical data they hold, and how critical this data is to maintaining operations and patient care. Financially-motivated cybercriminals are seeking to access sensitive personal information held by health organisations (such as names, dates of birth, addresses, medical histories, Medicare details and health fund information) to commit identity theft or sell the data in cybercrime marketplaces.

The ACSC encourages all agencies to review their networks to establish where their most valuable and sensitive information lies, and apply appropriate cyber security measures proportionate to the risk of compromise.

Who are they targeting?

Malicious actors may seek to target a wide range of entities in the health sector including hospitals, general practice services, pathologists, research facilities, aged care providers and other medical service providers. Malicious actors may also seek to target the clients of these providers.

As the health sector adapts their business models to the COVID-19 response effort, non-traditional and new entrants are also becoming attractive targets. For example, gin distilleries adapting to develop hand sanitiser may unexpectedly become targets for intellectual property or ransomware. Malicious actors may also seek to disrupt operations by targeting vendors in the medical transport and supply chains.

Despite claims by some cybercriminal groups that they will not target essential health providers during COVID-19, victim reporting of major cybercrime types, including ransomware, BEC and fraud, has remained steady over the nine months since March 2020. Cybercriminals continue to leverage public concern during COVID-19 to target victims.

The ACSC has released further information and advice on the increased threat to the health sector resulting from COVID-19.

How are they targeting networks?

Vulnerabilities in remote access solutions, industrial control systems and critical devices

Various parts of the health sector have a number of control systems, which, while vital to their operations, provide opportunities for malicious cyber activity. Vulnerabilities have reportedly been found in medical devices from implantable defibrillators to health record-connected hospital beds. Common sources of compromise include hardcoded passwords, improper authentication or passwords held in a recoverable area. Often specialised devices are not patched regularly for fear of rendering critical systems or devices unavailable.

However, these devices should be assessed for the potential risk to individuals in the case of compromise, and steps should be taken to patch vulnerabilities, or to isolate vulnerable devices if they cannot be patched. The Therapeutic Goods Administration (TGA) runs a program of testing for medical devices, including cyber vulnerability, and releases advice and recall statements in relation to medical devices and in vitro diagnostic medical devices (IVDs).

The cyber threat to the health sector is also evolving as a result of changes in the business model of health sector companies in response to COVID-19. Over the period, the health sector has increased reliance on remote work, including telehealth services and remote access solutions. As the health sector increases adoption of these services and relies on them, the ‘attack surface’ for these organisations will subsequently increase.

Implementing remote access solutions can connect new areas of a network to the internet, potentially exposing critical devices or industrial control systems. Operational imperatives for these remote access solutions, especially during COVID-19, may mean that they were rolled out too quickly, without due consideration for cyber security. These newly exposed parts of the network could now be vulnerable to compromise. Examples of compromise methods include phishing, ransomware and BEC, which may result in intellectual property or personally identifiable information being stolen or leaked.

Remote access solutions should be reviewed to ensure industrial control systems and critical devices are effectively segmented from the remaining network (see Preventative Measures). Essential steps for managing remote access solutions include enabling multi-factor authentication, ensuring appropriate logging and regularly patching remote access clients. Logs should be routinely reviewed and attention should be given to the locations and access times to ensure remote access is being utilised by legitimate staff only. Advice about using remote desktop clients can be found on the ACSC website.
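The log review described above, as an added illustration that is not part of the ACSC report or this article: a small Python checker that reads constructed remote-access gateway log lines and flags successful logins from a country or at an hour outside each user's expected baseline, or from an account with no baseline at all. The log format, user names, countries and working-hour windows are all assumed for the example.

```python
import re
from datetime import datetime

# Constructed remote-access gateway log lines (VPN/RDP style), not real data;
# timestamps are taken to be in the gateway's local time.
LOG_LINES = [
    "2020-06-02 08:15:10 user=jsmith src=203.0.113.10 country=AU result=success",
    "2020-06-02 22:47:03 user=jsmith src=198.51.100.7 country=AU result=success",
    "2020-06-03 09:02:41 user=aclark src=192.0.2.55 country=AU result=success",
    "2020-06-03 03:12:09 user=aclark src=203.0.113.200 country=RU result=success",
    "2020-06-03 09:05:00 user=aclark src=192.0.2.55 country=AU result=failure",
    "2020-06-03 10:30:12 user=vendor01 src=198.51.100.99 country=AU result=success",
]

# Per-user expectations (assumed to come from HR/onboarding records): permitted
# countries and the [start, end) working-hour window for each staff member.
BASELINE = {
    "jsmith": {"countries": {"AU"}, "hours": (7, 19)},
    "aclark": {"countries": {"AU"}, "hours": (7, 19)},
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    # Return a dict for a well-formed line, or None for anything unparseable.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev

def find_anomalies(lines, baseline):
    """Return (user, timestamp, reasons) for successful logins that break the baseline."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # only successful logins matter for this check
        rules = baseline.get(ev["user"])
        reasons = []
        if rules is None:
            reasons.append("no baseline for user")  # unknown or unapproved account
        else:
            if ev["country"] not in rules["countries"]:
                reasons.append(f"unexpected country {ev['country']}")
            start, end = rules["hours"]
            if not start <= ev["ts"].hour < end:
                reasons.append(f"outside working hours ({ev['ts'].hour:02d}:00)")
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), reasons))
    return findings
```

On the constructed input this reports the late-night login, the overseas login and the account with no baseline, while the ordinary daytime logins and the failed attempt pass through unflagged.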

Email and Phishing Campaigns

Malicious cyber actors are capitalising on the public desire for COVID-19 related information by generating specific COVID-19 themed spear phishing emails to attempt to compromise victims. While these phishing campaigns commonly target the general public, they may also impact internet-facing corporate devices that have access to an organisation’s network. Over this reporting period, cybercriminals registered a number of COVID-19 themed websites to conduct widespread email and SMS phishing campaigns that distribute malicious software or harvest personal information.

The ACSC has also observed the emergence of phishing campaigns aligned with breaking developments, such as Government relief payments or public health guidance, within days or even hours of announcements occurring. For instance, in March 2020, there was a global email phishing campaign purporting to originate from the World Health Organisation. The phishing emails contained a malicious attachment, which downloaded a keylogger – software that records keystrokes in order to steal credentials and exfiltrate data from victim devices.

The ACSC strongly encourages all organisations and individuals to remain vigilant against the threat of COVID‑19 themed cybercrime activity, including sophisticated scams, phishing emails and malicious websites. The health sector should be wary both of being the target of COVID-19 themed cybercrime activity and of having its branding used to lend legitimacy to such activity.

On 15 September 2020, Minister for Defence, the Hon Linda Reynolds, announced that the ACSC, in conjunction with Telstra and Services Australia, had launched a pilot program aimed at identifying phishing SMS text messages (also known as ‘smishing’) before they reach customers.

The ACSC has released the following updates about COVID‑19 malicious cyber activity:

Widespread phishing campaigns often lead to compromised accounts allowing for further malicious activity on a network, such as deployment of ransomware and exfiltration of data. The threat of publicly releasing or selling stolen data increases the pressure on the victim to pay the ransom – a ‘double extortion’ by cybercriminals.

In 2020, cybercriminals have compromised email servers of health sector entities in Australia, which have then been used to distribute COVID-19 phishing emails in an attempt to deploy malicious software, including ransomware. Cybercriminals also use these tactics to gain access to other organisations through service providers and inter-connected networks.

The ACSC advises against complying with a ransomware request, as there is no guarantee cybercriminals will decrypt files once a ransom is paid. There is also no guarantee information will not be sold on the dark web and your details provided to other criminals.

More information about ransomware can be found at the following locations:

Preventative Measures

Health providers are encouraged to review the ACSC’s Strategies to Mitigate Cyber Security Incidents in order to develop an appropriate cyber security posture for their organisation.

ASD’s Essential Eight is a prioritised list of mitigation strategies that form a baseline for cyber security strategies in organisations.

The ACSC released a Ransomware in Australia product on the ACSC website, which outlines preventative measures for ransomware incidents.

All health providers are encouraged to assess their individual requirements and tailor their cyber security strategies appropriately. In doing so, consideration should be given to the following measures:

Implement regular patching of systems and applications. Malicious actors constantly monitor for newly found vulnerabilities they can exploit. Often, proof-of-concept exploits become publicly available within days of a vulnerability announcement. Malicious actors can automate much of their exploitation efforts, allowing for broad deployment, rather than targeting of specific victims. Organisations must quickly and effectively patch their systems and applications to avoid becoming targets. For more information, visit the ACSC website.

Make regular offline backups of critical systems and databases. Rendering key information and systems unavailable is highly disruptive to the health sector. Backing up systems regularly, and practising recovery processes, can minimise disruption to operations if an incident occurs. Critically, organisations should be aware that backups could be encrypted if they are not suitably segregated from the rest of the network.

Implement network segmentation and segregation. Health providers should review their networks to establish where their most valuable or sensitive information is stored and identify critical parts of their system. They should also review operational control systems and apply appropriate cyber security measures proportionate to the risk of compromise. This may involve partitioning components of the network or controlling communication between specific hosts and services to restrict access to sensitive information. For more information, visit the ACSC website.

Implement multi-factor authentication. Adding an additional layer of authentication can prevent malicious actors using compromised credentials to access a network, and is particularly important when an organisation is relying on remote desktop access. For more information, visit the ACSC website.

Further preventative measures are available through the ACSC’s Strategies to Mitigate Cyber Security Incidents and Essential Eight.