Healthcare held to ransom: how to protect Australian healthcare systems and patients from cybercrime

Zak Khan, director of custom cyber defence at Trend Micro Australia and New Zealand

We have entered the year facing a wave of cybercrime attacks on healthcare organisations around the world. It shows yet again that healthcare remains a prime target for cybercriminals, and that Australian healthcare providers need to pay particular attention to security in order to protect themselves and their patients.

Australian healthcare providers paid serious attention when, in January, Melbourne Health was hit by a new variant of the Qbot malware, which infected Windows XP computers in Royal Melbourne Hospital's pathology department.

This local attack was followed by the recent ransomware attack on a Hollywood hospital, the Hollywood Presbyterian Medical Center, which paid a ransom of 40 Bitcoins (approximately US$17,000) to regain access to its medical files. In the UK, the website of the British Association for Counselling and Psychotherapy (BACP) was hijacked by malware and held to ransom.

The most recent Trend Micro security roundup report found that throughout 2015 the healthcare industry was the sector most affected by data breaches worldwide, accounting for almost 30 percent of all breaches.[i] This isn't a new trend, either: the healthcare sector accounted for more than a quarter (26.9 percent) of all breaches over the past decade.[ii]

With recent reports of several healthcare organisations being hit with cyberattacks, from malware and hacking to ransomware and crypto-ransomware, the industry faces a pervasive threat, and one that is getting easier for cybercriminals to carry out.

Why healthcare?

The continued rise of cybercrime targeted at the healthcare industry can be attributed to several factors:

  • Revenue potential for cybercriminals is extremely high
  • Healthcare organisations have critical systems that cannot be offline
  • Infection rates have increased as social engineering tactics have improved
  • The threat actors executing these attacks are very good, well-funded and globally dispersed

All of these factors have combined to drive the heightened number of malware and ransomware attacks seen in recent months. Crypto-ransomware in particular has taken over: in 2013 roughly 80 percent of ransomware detections were traditional ransomware (which locks the screen or system rather than encrypting files) and 20 percent crypto-ransomware; today that ratio has inverted to 20/80.

Since healthcare organisations hold extremely valuable data (patient personally identifiable information and health records) and run critical systems, any downtime can have serious repercussions. Criminals have realised they can therefore demand a much higher ransom from these organisations.

Protecting Australian data, systems, health practitioners and patients


This needs to be a wake-up call for the Australian healthcare industry. It doesn't matter whether an attack is targeted or whether an organisation is simply caught up in the day-to-day crypto-ransomware campaigns seen across the globe: if systems become inoperable because of malware or encryption, the consequences are severe.

As part of this we recommend that a multi-faceted approach be taken to help the healthcare industry detect and prevent cyberattacks:

  • Educate employees on identifying suspicious (phishing) emails. The majority of these attacks start with a socially engineered email to employees that carries a weaponised attachment or an embedded link, with compelling language designed to make the user open or click it.
  • Review your shared drive policy and require authentication to access shares. A ransomware process can only encrypt what the compromised user account is allowed to write to, so broad write access to shared drives turns one infected workstation into an organisation-wide outage.
  • Advanced messaging solutions that improve the detection of phishing emails through purpose-built technologies. Linking a sandbox to the messaging solution helps identify weaponised attachments by detonating them before they reach the user.
  • Endpoint solutions with specific anti-crypto-ransomware technologies, such as behaviour analysis that recognises the encryption process (one process rapidly rewriting many files with ciphertext-like content) and stops it from continuing.
  • Network-based security solutions such as IDS/IPS, firewalls and breach detection systems that identify inbound and outbound command-and-control (C&C) communications, a key component of this threat lifecycle.
  • A robust backup solution. Organisations that perform regular backups and can rapidly restore systems will recover faster. Backups must be kept offline or otherwise unwritable from user workstations, or the ransomware will encrypt them along with everything else.
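The behaviour-analysis approach in the endpoint recommendation above can be made concrete. What follows is an added example, not code from the original article or from Trend Micro: a small Python detector that consumes a per-process stream of file-system events and flags a process when, inside a sliding time window, it writes high-entropy (ciphertext-like) content to many distinct files, renames many files to an extension the share does not normally hold, or touches a decoy "canary" file at all. The event format, the thresholds, the KNOWN_EXTENSIONS and CANARY_PATHS sets and the sample event stream are all constructed for illustration and are not taken from any product.

```python
"""Behavioural detection of an in-progress crypto-ransomware run (added example)."""
import math
import os
import random
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple


class FileEvent(NamedTuple):
    """One file-system event as an endpoint agent might report it (constructed format)."""
    ts: float            # seconds since monitoring started
    pid: int             # process that performed the operation
    op: str              # "write" or "rename"
    path: str            # file written, or source of the rename
    data: bytes = b""    # bytes written (writes only)
    new_path: str = ""   # destination name (renames only)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, usually well under 6 for documents and text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Extensions the share is expected to hold (assumed list); renames to anything else count.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".dcm", ".hl7"}
# Decoy files seeded on the share (assumed paths). No legitimate workflow touches them.
CANARY_PATHS = {"/share/pathology/~canary_do_not_edit.docx"}


class RansomwareDetector:
    """Per-process sliding-window heuristics for the encryption phase of ransomware.

    A pid is flagged the first time that, within `window_s` seconds, it has written content
    with entropy >= `entropy_threshold` to >= `max_encrypted_files` distinct files, renamed
    >= `max_renames` files to an extension outside KNOWN_EXTENSIONS, or touched a canary.
    """

    def __init__(self, window_s: float = 10.0, entropy_threshold: float = 7.0,
                 max_encrypted_files: int = 20, max_renames: int = 10) -> None:
        self.window_s = window_s
        self.entropy_threshold = entropy_threshold
        self.max_encrypted_files = max_encrypted_files
        self.max_renames = max_renames
        self._encrypted: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self._renamed: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.flagged: Dict[int, str] = {}  # pid -> reason it was flagged

    def _expire(self, dq: Deque[Tuple[float, str]], now: float) -> None:
        """Drop entries older than the window so a slow, legitimate editor never accumulates."""
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def _flag(self, pid: int, reason: str) -> str:
        self.flagged[pid] = reason
        return reason

    def observe(self, ev: FileEvent) -> Optional[str]:
        """Feed one event; return the reason the first time its pid crosses a threshold."""
        if ev.pid in self.flagged:
            return None  # already flagged; a real agent would have suspended the process
        if ev.path in CANARY_PATHS or ev.new_path in CANARY_PATHS:
            return self._flag(ev.pid, "canary file touched")
        if ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_threshold:
            dq = self._encrypted[ev.pid]
            dq.append((ev.ts, ev.path))
            self._expire(dq, ev.ts)
            distinct = {p for _, p in dq}
            if len(distinct) >= self.max_encrypted_files:
                return self._flag(ev.pid, f"{len(distinct)} high-entropy writes in {self.window_s}s")
        elif ev.op == "rename":
            ext = os.path.splitext(ev.new_path)[1].lower()
            if ext not in KNOWN_EXTENSIONS:
                dq = self._renamed[ev.pid]
                dq.append((ev.ts, ev.new_path))
                self._expire(dq, ev.ts)
                if len(dq) >= self.max_renames:
                    return self._flag(ev.pid, f"{len(dq)} renames to unknown extension {ext!r}")
        return None


def build_sample_events() -> List[FileEvent]:
    """Constructed stream: a clinician saving one report, then a ransomware process (pid 9031)
    sweeping a results folder, overwriting each PDF with ciphertext and renaming it to .locked."""
    rng = random.Random(1)  # seeded so the fake ciphertext is reproducible
    note = b"Patient notes: FBC within normal range, repeat in 6 weeks.\n" * 40
    events = [FileEvent(0.0, 4120, "write", "/share/pathology/clinic/notes_0412.docx", data=note)]
    for i in range(25):
        ts = 1.0 + i * 0.2
        src = f"/share/pathology/results/result_{i:03d}.pdf"
        ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append(FileEvent(ts, 9031, "write", src, data=ciphertext))
        events.append(FileEvent(ts + 0.05, 9031, "rename", src, new_path=src + ".locked"))
    return events


def run(events: List[FileEvent]) -> Tuple[RansomwareDetector, Optional[Tuple[int, float, str]]]:
    """Replay events through a detector; return it and the first (pid, ts, reason) alert."""
    det = RansomwareDetector()
    first_alert = None
    for ev in events:
        reason = det.observe(ev)
        if reason and first_alert is None:
            first_alert = (ev.pid, ev.ts, reason)
    return det, first_alert


if __name__ == "__main__":
    detector, alert = run(build_sample_events())
    print("first alert:", alert)
    print("flagged pids:", detector.flagged)
```

In the constructed stream the clinician's low-entropy save is never counted, while the sweeping process is flagged on its tenth rename to ".locked", less than two seconds into the run and with fifteen files still untouched. The thresholds are the tuning knobs: backup, imaging and compression tools also produce high-entropy writes, so a real deployment would allowlist those process images and lean on the rename and canary signals, and the response (suspending the process, revoking its share access) belongs to the agent that receives the alert, not to the detector.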

Unfortunately, every successful attack on the healthcare industry encourages and funds cybercriminals. We can expect more data breaches, malware and crypto-ransomware aimed at healthcare until these threats can be effectively detected and blocked and we see more arrests and prosecutions. Until then, the healthcare industry should work with its IT and security providers to be able to quickly detect, respond to and recover from these threats.

Zak Khan is the director of custom cyber defence at Trend Micro Australia and New Zealand.

[i] Trend Micro 2015 security roundup report, Setting the stage: landscape shifts dictate future threat response strategies, 9 March 2016.

[ii] Trend Micro, Follow the data: dissecting data breaches and debunking the myths, 22 September 2015.
