The incident, which occurred some three weeks ago, has been reported to the Australian Cyber Security Centre. It was first reported by Nine Entertainment.
An ACSC spokesperson told iTWire that it had been recently alerted to a cyber security incident by the MHG.
"[We] provided cyber security advice and assistance to MHG," the statement added. "As the matter is ongoing, it is not appropriate to comment further."
As MHG has no media contact, iTWire contacted Cabrini for comment. No response was received, but this afternoon a statement posted on the hospital's site by its chief executive, Dr Michael Walsh, said the cyber-security incident occurred at the Melbourne Heart Group, a group of specialists who lease rooms at Cabrini Malvern.
"Data storage and other information systems in specialist suites are owned and managed by the specialists, not by Cabrini," he added.
"The specialists are not employees of Cabrini. No Cabrini data storage or patient related systems or operations have been impacted or compromised by this incident and there has been no breach of hospital patient data. Cabrini is providing support to Melbourne Heart Group in relation to this incident."
On contacting the general number at MHG, iTWire was told that the organisation had no statement on the situation at the moment. A spokeswoman said in the event that any statement was issued, it would be emailed to iTWire.
By late afternoon, an MHG spokeswoman sent the following statement: "In late January, Melbourne Heart Group experienced a cyber security incident in which our patient data was encrypted. This means that our patients' information became inaccessible to anyone, including ourselves.
"We have been assured that no patient's privacy has been compromised in any way. We are working through this issue with our IT provider and hope to resolve it as soon as possible.
"The health and well-being of our patients is always our primary concern. Their privacy is of the utmost importance to us. We are deeply sorry that this incident happened and encourage all our patients to contact our office so that we can keep them updated. No patients are being turned away from Melbourne Heart Group. The clinics are operating as usual."
Commenting on the attack, Bede Hackney, the ANZ country manager of cyber security firm Tenable, said: “Developers of ransomware and other malicious code are creating new methods of exploiting systems on a daily basis.
"Australian healthcare organisations, small and large, public and private, must protect themselves and the patient data they store in the face of a rapidly evolving attack surface. Healthcare naturally has a target on its back due to the wealth of personal and sensitive data it shares.
“Furthermore, being locked out of critical health information, such as what is stored in centralised databases like My Health Record, can have life-threatening consequences. But the techniques utilised by ransomware can be prevented – and the probability of an infection dramatically reduced – just by taking a few proactive steps.
“A good starting point is to consult the Australian Signals Directorate's Essential Eight Maturity Model which outlines security practices such as regular patching to minimise cyber risk. With patient lives and records on the line, healthcare organisations must take a proactive approach to preserve the integrity of the data they’ve been entrusted to protect.”
Another security professional, Dan Slattery, a senior information security analyst at Webroot, said: “Patient data is very valuable to hackers, with stolen information often used to commit further crimes like identity theft.
"The evolution of ransomware means that patient data has become even more valuable without needing to take it out of the network.
"Holding healthcare data to ransom, especially by encrypting possibly life critical information of heart patients, has become a very lucrative business model for cyber criminals.”
Alvin Rodrigues, senior director, security strategist - Asia-Pacific at Raytheon-owned security outfit Forcepoint, said the ransomware attack was a wake-up call for the healthcare industry in Australia to re-examine its existing cyber security posture.
"Hospitals are an attractive target for cyber criminals for the personal and sensitive medical records of patients it holds, and the value it offers if such critical data is compromised," he said.
"This gives hospitals little choice, especially when dealing with life-threatening situations, but to surrender to hackers' demands. We believe that this trend is going to continue and paying ransom isn’t always the best way out, as hackers may not keep their promise of returning all the sensitive data."
The most widely publicised case of ransomware hitting medical services occurred in May 2017 when the WannaCry ransomware, based on a leaked exploit from the NSA, hit the Web.
Britain's National Health Service went into meltdown at the time.
Quarterly breach reports from the Office of the Australian Information Commissioner have shown that health services providers are the sector that is most affected by breaches.
The OAIC has been issuing these reports since Australia put in place a data breach law in February last year.