Likely ransomware attack at Melbourne Heart Group located at Cabrini Hospital affects 15,000 medical files

February 21, 2019

The Fairfax press reports, in "Crime syndicate hacks 15,000 medical files at Cabrini Hospital, demands ransom", that the Melbourne Heart Group, a group of specialists who lease rooms at the Cabrini Hospital, has suffered what is almost certainly a ransomware attack.

Ransomware attacks are particularly prevalent in the health care industry.  The impact of an attack is immediate and serious, if not catastrophic, and the need to remedy it, by paying the ransom, is urgent.  Health data is particularly sensitive.  In early February an optometry clinic in Connecticut was hit, impacting 23,578 patient records.  In Jacksonville, Florida, an Obstetrics and Gynecology practice suffered a data breach involving ransomware in early January, while a health center in Rhode Island was hit by a ransomware attack in early December last year.  In November hospitals in Ohio and Ireland were hit by ransomware attacks.  And the list goes on and on and on.

Ransomware attacks are maturing and becoming more, not less, effective.  The average ransom in the US increased by 13% in the last quarter of last year over the previous quarter, from $5,973 to $6,733.

That a specialist cardiology unit at Cabrini could be so compromised by the attack indicates that there was either no backup, or an inadequate backup, of the health records in that unit.  If the records had been backed up to a separate server then, even if the computers were compromised, a copy of the records would have been preserved.

The report has no doubt caused the Cabrini Hospital angst, as readers could assume that the Hospital itself was affected.  A media statement released today makes clear that this was not the case, stating:

“The protection of patient information is of the utmost importance and is a responsibility Cabrini takes very seriously. The cyber-security incident reported in today’s Age occurred at the Melbourne Heart Group, a group of specialists who lease rooms at Cabrini Malvern. Data storage and other information systems in specialist suites are owned and managed by the specialists, not by Cabrini. The specialists are not employees of Cabrini. No Cabrini data storage or patient related systems or operations have been impacted or compromised by this incident and there has been no breach of hospital patient data. Cabrini is providing support to Melbourne Heart Group in relation to this incident.”

Dr Michael Walsh, Chief Executive, Cabrini Health

The best way to deal with a ransomware attack is prevention.  Making sure staff are trained to spot phishing emails is a good start, as is developing proper security protocols.  That includes limiting access to servers to only those who are properly trained and responsible.  The second limb is to secure records off site by backing up data on a weekly, if not daily, basis.  In that way an attack may be costly but will not cripple an organisation.  The final issue is to deal with the ransomware attack itself.  Some ransomware can be decrypted without paying.  For example, one of the most prolific ransomware programs, GandCrab, which was first detected in January 2018 and has infected over half a million personal files, now has a free decryption tool available for some versions.  Hopefully Cabrini has cyber insurance to deal with notifications and remediation.

In the United States the frequency and impact of cyber attacks has prompted the Department of Health and Human Services to issue a 36-page report titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. This document is useful because it focuses on the health industry and its particular practices and challenges. There are also very useful manuals for cybersecurity practices for small health care organisations here and here. There are also very good publications in Australia, one notably for health professionals being Information Security in General Practice, published by the Royal College of General Practitioners.

Australia is some way behind the United States and the United Kingdom in dealing with data breaches.  In those countries a more sophisticated response is deployed to ransomware and other cyber attacks, involving legal, technical and human resources skills.  That is partly because the legal consequences for breaches are so much more significant.  In Australia the tepid approach of the Australian Information Commissioner makes compliance spotty and consequences for non-compliance unlikely.  The problem for organisations who are comfortable with this state of affairs is that there are major reputational and financial consequences of not having proper data security and privacy practices, and these are independent of whatever steps the regulator takes.  For that reason, having a coherent and quickly implemented legal and technical response is important.  Having a plan to deal with reputational damage through the traditional and social media is also vital.

The article provides:

A cyber crime syndicate has hacked and scrambled the medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital and demanded a ransom.

The attack is now the subject of a joint investigation by Commonwealth security agencies.

Melbourne Heart Group, which is based at the private hospital in Malvern, has been unable to access some patient files for more than three weeks, after the malware attack crippled its server and corrupted data.

The malware used to penetrate the unit’s security network is believed to be from North Korea or Russia, while the origin of the criminals behind the attack has not been revealed.

The online gang responsible for the data breach demanded a ransom be paid in cryptocurrency before a password would be provided to break the encryption.

The Age understands that a payment was made, but some of the scrambled files have not been recovered, among them patients’ personal details and sensitive medical records that could be used for identity theft.

Some patients were told that their files had been lost but were not given any explanation. Others have turned up for appointments for which the hospital had no record.

The Australian Cyber Security Centre, which is part of the Australian Signals Directorate – the government agency responsible for Australia’s cyber warfare and information security – said it was assisting the hospital with cyber security advice.

The Australian Federal Police has also been briefed.

A Melbourne Heart Group spokeswoman said it was working with government agencies to resolve the issue.

“The protection of personal patient information is of the utmost importance … patient privacy has not been compromised in this instance,” the spokeswoman said.

She also stressed there was no link between the encrypted data and any function relating to cardiac implantable electrical devices, such as pacemakers and defibrillators.

The spokeswoman would not say how many files had been affected or whether a ransom had been paid.
