Healthcare held to ransom: how to protect Australian healthcare systems and patients from cybercrime

Zak Khan, director of custom cyber defence at Trend Micro Australia and New Zealand

We’ve entered the year faced with a wave of cybercrime attacks on healthcare organisations around the world, showing us yet again that healthcare continues to be a prime target for cyber criminals and Australian healthcare providers need to pay particular attention to security in order to protect themselves and their patients.

Australian healthcare providers paid serious attention when, in January, Melbourne Health was hit by a new variant of the Qbot malware which infected Windows XP computers through Royal Melbourne Hospital's pathology department.

This local attack was followed by the recent ransomware attack on a Hollywood hospital – the Hollywood Presbyterian Medical Centre – which fell victim to ransomware and was forced to pay the ransom of 40 Bitcoins, equivalent to approximately $US 17,000, in order to regain access to their medical files. In the UK, the British Association for Counselling and Psychotherapy (BACP)'s website was hijacked by malware and held to ransom.

The most recent Trend Micro security roundup report found that throughout 2015, the healthcare industry was the most affected sector in data breaches across the world, with almost 30 percent of all data breaches.[i] This isn’t a new trend, either; the healthcare sector accounted for more than one quarter of all breaches (26.9%) this past decade.[ii]

With the recent reports of several healthcare organisations being hit with cyberattacks – from malware and hacking to ransomware and crypto-ransomware, the industry is facing a current pervasive threat which is getting easier for cybercriminals.

Why healthcare?

The continued rise of cybercrime targeted at the healthcare industry can be attributed to several factors:

  • Revenue potential for cybercriminals is extremely high
  • Healthcare organisations have critical systems that cannot be offline

Infection rates have increased as social engineering tactics have improved

The threat actors executing these attacks are very good, well-funded and globally dispersed

All of these factors have combined to support the heightened number of malware and ransomware-related attacks seen in recent months. The success of crypto-ransomware has been particularly fierce, with the percentage of detections shifting dramatically from a traditional ransomware to crypto-ransomware ratio of 80/20 in 2013, to 20/80 ratio today.

Since healthcare organisations hold extremely valuable data (patient personally identifiable information) and have critical systems, any downtime can lead to serious repercussions. As such, criminals are realising they can command a much higher ransom from these types of organisations.

Protecting Australian data, systems, health practitioners and patients

This needs to be a wakeup call for the Australian healthcare industry as it doesn’t matter if an attack is targeted, or if they are caught up in the day-to-day crypto-ransomware campaigns that we see across the globe. If systems become inoperable due to malware or encryption, it can cause major issues.

As part of this we recommend that a multi-faceted approach be taken to help the healthcare industry detect and prevent cyberattacks:

  • Educate employees on identifying suspicious emails (phishing). The majority of these attacks start with a socially engineered email to employees. They will contain weaponised attachments or embedded links and entice the user to open or click based on compelling language within the email.
  • Review your shared drive policy and require authentication to access.

Advanced messaging solutions which can improve the detection of phishing emails through purpose-built technologies developed to identify them. Linking a sandbox technology to the messaging solution can help identify weaponised attachments.

Endpoint solutions that have specific anti crypto-ransomware technologies such as behaviour analysis that can identify the encryption process and stop it from continuing.

Network-based security solutions like IDS/IPS, Firewall and Breach Detection Systems that can identify inbound/outbound Command & Control communications which are a key component of this threat lifecycle.

A robust backup solution. Organisations which perform regular backups and can rapidly restore systems will allow them to recover faster.

Unfortunately, the success of attacks on the healthcare industry encourages and empowers cybercriminals. We can expect more data breaches, malware and crypto-ransomware to target the healthcare industry until these threats can be effectively detected and blocked and we see more arrests and prosecution. Until then, the healthcare industry should work with its IT and security providers to be able to quickly detect, respond and recover from these threats.

Zak Khan is the director of custom cyber defence at Trend Micro Australia and New Zealand.

[i] Trend Micro 2015 security roundup report, Setting the stage: landscape shifts dictate future threat response strategies, 9 March 2016,

[ii] Follow the data: dissecting data breaches and debunking the myths, 22 September 2015,

Tags hackingcybercrimemalwareNetworkingendpointthreatwindows xptrend microIDPinfectionattackphishing emailSandboxing technologybreach preventionphishing scamsBACPsQbot

Show Comments