Cyber attack on local health services

THE information technology world came to a halt at Gippsland health services earlier this week, after cyber terrorists hacked computer systems in a number of hospitals.

Central Gippsland Health was one of the targets hit, along with Yarram, Latrobe Regional, Bairnsdale and Warragul hospitals.

The cyber attack, uncovered on Monday, used ransomware in an attempt to bring down a number of networks in the Gippsland area, as well as other health services in the state’s south-west.

The term ‘ransomware’ is used to describe hackers who block an IT system until a ransom is paid.

The attack affected a small number of clinical services, including outpatient appointments and elective surgery.

Once hackers gained access to the network, the affected hospitals took the precautionary step of disconnecting their systems to quarantine the infection.

Emergency surgery and emergency departments were not compromised.

A hospital in Barwon was forced to suspend some clinical services, and most of its outpatient appointments and elective surgeries that had been scheduled for Tuesday.

An aged care facility in Warnambool was also affected, as were Gippsland radiation services.

The Department of Premier and Cabinet, Victoria Police and the Australian Cyber Security Centre moved swiftly to rectify the issue and ensure there were no additional compromises.

In a press conference, Victorian Premier Daniel Andrews said it could take weeks to secure the affected networks and clear out the “virus”, and confirmed there would be some disruption to patient services.

“There’ll be no impact on emergency care,” Mr Andrews said.

“There will be some disruption to outpatient appointments, there will be some disruption for non-urgent care, so elective surgery.

“The exact nature of that will unfold so we’ll keep the community updated, particularly affected patients in the coming days.”

As uncertainty loomed while the attacks took place, some hospitals reverted to manual systems to maintain services.

The mood at Central Gippsland Health on Tuesday morning was calm, with staff and members of the public going about their business as if nothing serious had happened.

Although the service was affected by the cyber security breach, services are continuing.

CGH chief executive Frank Evans thanked patients and staff for their patience.

“We want to assure everyone that services, including appointments, are continuing as usual,” Dr Evans said.

“If you have any questions or concerns, just ring your service directly.”

Dr Evans said there was no indication that any patient or staff information had been compromised by the security breach.

“With the help of the Department of Health and Human Services and cyber experts, we hope to have services back to normal as soon as possible,” he said.

Other affected hospitals have since worked on their bookings and scheduling to minimise effects on patients, but may need to reschedule some services where they don’t have computer access to patient histories, charts, images and other information.

In May 2019, the Victorian Auditor General handed down a ‘Security of Patients’ Hospital Data’ report, warning the public health system was highly vulnerable to the kind of cyber-attacks which could steal or alter patient data.

“There are key weaknesses in health services’ physical security, and in their logical security, which covers password management and other user access controls,” the report stated.

“Staff awareness of data security is low, which increases the likelihood of success of social engineering techniques such as phishing or tailgating into corporate areas where ICT infrastructure and servers may be located.

“We exploited these weaknesses in all four audited agencies and accessed patient data to demonstrate the significant and present risk to the security of patient data and hospital services.

“The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff.”

Shadow health minister Georgie Crozier said the state government’s approach to cyber security and patient data was to give Victorian hospitals “loose change and a Band-Aid” despite the grim warnings that an attack was imminent.

“With no additional money given to these hospitals after May’s audit warning of security breaches, Daniel Andrews has forced these hospitals to make cuts to other services they normally offer so they can attempt to address security,” he said.

The state government allocated $13 million in this year’s Victorian budget for the latest digital infrastructure and cyber security.

The Victorian Cyber Incident Response Service is available 24-7 all year round to provide an emergency response to cyber attacks on government computer systems.

Since launching the Victorian government Cyber Incident Response Service in July 2018, the department of Premier and Cabinet has responded to more than 600 cyber attacks on Victorian government organisations.

A full review will take place to address what occurred, and identify what additional measures may be needed to ensure hospitals have the best protection against cyber security incidents.