The Healthcare Industry: A 'Healthy' Target for Cyber Attacks

Updated October 2024.

While it's not a record that should be celebrated, US-based Change Healthcare has informed around 100 million Americans that their personal, financial, and healthcare records were compromised in a ransomware attack in February 2024, marking the largest known breach of protected health information to date globally. A notification letter from Change Healthcare said the breach involved the theft of:

• Health Data: Medical record #s, doctors, diagnoses, medicines, test results, images, care and treatment;
• Billing Records: Records including payment cards, financial and banking records;
• Personal Data: Social Security number; driver’s license or state ID number;
• Insurance Data: Health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.

The cost of the Change Healthcare ransomware attack has risen to US$2.457 billion, according to UnitedHealth Group’s Q3, 2024 earnings report.

Why Hackers Love Healthcare

In today's increasingly interconnected age, cyber security has become a critical concern for businesses across all sectors. However, few industries face as significant a threat as healthcare. With its vast stores of sensitive data and often vulnerable systems, the healthcare sector has become a prime target for cyber criminals. In this post, we'll explore why healthcare is so attractive to hackers and look at some of the most significant breaches in recent years, with a focus on Australian healthcare providers.

There are a number of reasons why the healthcare industry is particularly vulnerable to cyber attacks:

1. Valuable Data: Healthcare organisations are treasure troves of sensitive information. From a broad range of personally identifiable information (PII) through to detailed medical histories, the data held by hospitals and clinics is a goldmine for cyber criminals. This information can be sold on the dark web or used for identity theft and fraud, making it incredibly lucrative for hackers.
2. Vulnerable Systems: Many healthcare providers rely on outdated technology and interconnected medical devices. This expanded attack surface, combined with a shortage of cyber security professionals in the industry, creates numerous entry points for malicious actors.
3. High Stakes and Willingness to Pay: Healthcare organisations often feel pressured to resolve cyber incidents quickly due to the critical nature of their services. This urgency, coupled with the high costs of downtime and potential regulatory fines, makes them more likely to pay ransoms, further incentivising attackers.
4. Business Continuity Plans don't always consider cyber: Business Continuity Plans (BCP) focus on health and safety; not cyber or ransom attack.

Recent Major Healthcare Data Breaches

The healthcare industry has seen some of the largest data breaches in recent history, including several in Australia. Here are a few notable examples:

1. Change Healthcare (2024): While not an Australian company, the February 2024 ransomware attack on a U.S. health insurance billing firm Change Healthcare has impacted 100 million Americans, making it the largest healthcare data breach ever recorded. 
2. Medibank (Australia, 2022): This major cyber attack affected nearly 10 million patients, including high-profile individuals such as the Australian Prime Minister and cyber security minister. Russian-based hackers, believed to have ties to the REvil ransomware gang, stole personal information including names, dates of birth, and even medical records. They demanded a $10 million ransom, which Medibank refused to pay.
3. St Vincent's Health Australia (2023): Australia's largest non-profit healthcare provider was hit by a cyber attack in December 2023, resulting in data being stolen from its networks. The incident affected six public hospitals, 10 private hospitals, and 20 elderly care facilities across New South Wales, Victoria, and Queensland.
4. MediSecure (2024): A provider of an e-prescription platform fell victim to a major ransomware attack. The breach compromised a database containing personal and health information related to prescriptions distributed up until November 2023 which saw  6.5 terabytes of stolen prescription data leaked onto a Russian hacking forum. Unfortunately in June 2024, MediSecure entered administration.
5. Anthem Inc. (2015): Previously the largest healthcare data breach on record, this incident affected 78.8 million individuals. Hackers stole personal information including names, birthdates, and Social Security numbers. Ultimately this lead Anthem, Inc. to pay US$16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and commit to take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

The Australian Context

The Australian healthcare sector has seen a significant increase in cyber attacks in recent years. According to the Australian Cyber Security Centre (ACSC), there was an 84% rise in cyber attacks in the healthcare sector in Australia between 2019 and 2020, with 'Healthcare and social assistance' being the 5th most reported sector for cyber security incidents in their Cyber Threat Report 2022-2023. 

The Australian government has recognised this growing threat and has taken steps to address it:

• New Cyber security Strategy: The government has released a new cyber security strategy set to take effect by 2030, which includes measures to protect all industries, including healthcare.
• CISC Risk Assessment Advisory: In early 2023, the Australian Cyber and Infrastructure Security Centre (CISC) published a new risk assessment advisory specifically targeting the medical and healthcare sectors.
• Inclusion in the SOCI Act:  Currently, only critical hospitals with a general intensive care unit are considered to be healthcare and medical sector critical assets within the SOCI Act 2018.
• Increased cyber security requirements to connect with My Health Record: The Australian Digital Health Agency (the Agency) is strengthening My Health Record protections through a new mandatory security requirements conformance profile for clinical information systems (including those used in GP clinics, pharmacies and allied health services) connected to the My Health Record system.
• Establish an Information Sharing and Analysis Centre (ISAC) for the Australian healthcare system: In June 2024 the Australian Government announced an investment of AU$6.4 million to establish and launch an threat sharing network to connect businesses and organisations to help share information about cyber threats.

The Road Ahead

These examples underscore the ongoing and escalating cyber security challenges faced by the healthcare industry, particularly in Australia. As technology continues to evolve and become more integrated into healthcare delivery, the potential attack surface will only grow larger.

To combat these threats, healthcare organisations must prioritise cyber security investments, regularly update their systems, and train staff on best practices. Additionally, stronger regulations and industry-wide collaboration will be crucial in protecting patient data and maintaining trust in our healthcare systems.

As patients and consumers, we must also remain vigilant, regularly monitoring our personal information and being cautious about the data we share. By working together, we can help safeguard the critical infrastructure and sensitive data that our healthcare system relies upon.

Next Steps with Insicon

By leveraging Insicon's expertise to conduct comprehensive cyber security risk assessments that identify threats and vulnerabilities specific to each organisation, Insicon can provide a blueprint for risk remediation, allowing organisations to streamline their path to ISO 27001 certification, demonstrating commitment to information security and enhancing trust with stakeholders. Contact us to learn more.