Blackmail with health records
Australians are at a growing risk of having their medical histories hacked and ransomed by cyber criminals, global technology experts have warned.
Last year saw 166 cybersecurity incident reports from Australian medical organisations – an 84 per cent increase from the previous year. After the government and the targeting of individuals (combined), the health sector reported the highest number of incidents of hacking to the Australian Cyber Security Centre (ACSC).
And the mass of vaccine information and research around COVID-19 has also become a target of state actors, seeking to exploit data from other countries.
Sami Laiho is one of the first victims of this new era of crime, from a 2020 cyberattack on the Finnish psychotherapy company, Vastaamo. The psychotherapy company, which had treated some 40,000 Finns, was breached by a hacker who stole tens of thousands of patient records. The ransomed files included mental health histories and therapy transcripts detailing sensitive information, such as marital affairs.
“[The ransom] was a lot of money,” Laiho told Central News from his home in Finland, “but if someone asks you ‘Do you want to destroy your marriage? Or do you want to pay 200 euros?’ ‘Do you want to destroy your career or 200 euros?’ 200 is actually relatively low.”
His data, including transcripts from therapy sessions and banking information, was stolen and ransomed.
Not only was Laiho a victim, but he is also a world-leading professional in Windows OS and security. In 2019, Laiho was chosen by Tibi-magazine as one of the top 100 influencers in Finland’s IT industry. He was a part of the investigation.
“For me, it was just a couples therapy session with my ex-wife. It’s an annoyance, but that doesn’t destroy my life,” said Laiho, who has since had to place restrictions or reset much of his banking and personal information.
“There were kids… You could have been a perfect student in school, and then suddenly, your darkest secrets are revealed to the internet.”
More and more Australian’s might find themselves in situations like Laiho.
In 2021, cyber attacks on the health sector remain high, despite the government’s injection of 500 new jobs and $1.35 billion into the ACSC and the Signals Directorate (ASD).
Vulnerabilities are appearing all over the globe, with recent attacks on the San Diego-based Scripps Health, the public health service of Ireland and multiple New Zealand hospitals.
HSE shuts down IT systems amid significant cyber attack https://t.co/ry3eqnVEsU
— The Irish Times (@IrishTimes) May 14, 2021
The Health Sector as a Prime Target
The Australian health sector holds Personal Identifiable Information (PII), which can be sold on cybercrime marketplaces on the dark web and used to commit identity theft.
The urgency of health services also makes these organisations vulnerable.
“You’re in a crisis where your systems need to work. If they can lock systems away from you, you’re more likely to pay,” said Richard Campbell from his home in Canada.
Campbell has been a pivotal member of the technology community since its early days. He’s a Microsoft Regional Director and one of their Most Valuable Professionals (MVPs), and works as an entrepreneur, advisor and host of some of the most respected podcasts in the industry, such as .NET ROCKS.
Campbell said there is an incentive for state actors to target medical intellectual property, such as COVID‑19 vaccine research.
Australian Microsoft Regional Director Troy Hunt agrees. The renowned cybersecurity expert, called to testify at US Congress in 2016, is also the revered creator of HaveIBeenPwned.com, a website where you can check if you are a victim of a data breach.
“It’s valuable [for state actors] to demonstrate ‘We can get into health systems if we want.’ That’s a very invasive step,” he added.
Breaching Medical Organisations
The COVID-19 pandemic created optimal conditions for security breaches. Medical organisations required remote access solutions, many of which progressed too quickly without security considerations.
These remote access solutions also increased the digital ‘attack surface’, exposing more of an organisation to compromise, including sophisticated internal phishing and ransomware.
“Both the mail server and the employee’s computer would have been controlled by an IT person with much more significant security restrictions. Running the business email on your own machine [at home] – it doesn’t have the same level of protection,” said Campbell.
Vulnerabilities can also be found on medical devices, from computers to oxygen machines and defibrillators. Often these specialised devices are not patched for fear of rendering critical systems unavailable.
“How many times will you pass a machine in a hospital and it’s unlocked, or the password is on a sticky note on the monitor?” asked Hunt. “We’re talking about environments that traditionally just haven’t had great security.”
Identifying Perpetrators
Laiho said in the case of the Finnish company Vastaamo, it’s a checkmate situation, where the hacker won’t be able to cash in his earnings without being caught.
“He didn’t think he did anything but a technical breach. Just, ‘I have your data, give me money,’” he said.
The attacker didn’t appear to understand his crime’s severity until experiencing the backlash. Even other ‘black hats’ – the colloquial name for criminal hackers – began aiding the investigation.
“And when he started realising what he had actually done… That’s when he just went totally silent,” Laiho added. “The only time he surfaced was when he withdrew the money from the several Bitcoin accounts to a single one.”
This is where the problem lies for hackers, said Campbell.
“At some point, you have to convert that Bitcoin into money.”
Investigators usually follow the bitcoin until it reaches an institution that can be subpoenaed, such as a bank.
Hunt explained that perpetrators leave traces of themselves behind.
“The attacker might use a particular handle somewhere, and then that same handle pops up somewhere else with an IP address,” he said, adding it is much like handwriting.
Often it isn’t finding hackers that is the problem – it’s what to do next. When cyber warfare is committed over international borders, extradition isn’t always possible.
“We even know their names. Hafnium is a state-sponsored hacking group in China. Cozy Bear the same thing in Russia,” said Campbell. “The West knows the building in Saint Petersburg’s where Cozy Bear is. And what do you do? What’s legal? Remember – you’re the good guy.”
Preventing Australian Health Sector Breaches
In response to last year’s increase in cyber attacks, health providers have been encouraged to review ACSC’s Strategies to Mitigate Cyber Security Incidents.
“A good place to start is ACSC’s Essential Eight,” said Hunt.
The Essential Eight includes strategies to prevent malware attacks (e.g. installing the latest patches), to limit the extent of attacks (e.g. multi-factor identification) and to recover data (e.g. completing daily backups).
Despite the best recommendations, experts worry that it will take a catastrophic incident to increase security awareness and regulations.
“Now, people are asking questions when they have to give their data,” said Laiho. “They’re asking ‘why?’ They remember Vastaamo.”
From Laiho’s experience in completing security audits and increasing organisations’ cyber safety, he’s noticed “they finally see that this is actually valuable. And it’s cheaper for them to pay for the services beforehand than afterwards.”
When we get online, borders just evaporate into nothing in the blink of an eye
But there is still a need for more significant global regulations. Campbell compares it to the evolution of road rules.
“It’s only when there were enough cars that were disrupting things that we said, ‘Hey, maybe we should have some rules’. You don’t start with traffic lights and crosswalks and speeding tickets.”
Hunt said internationality further complicates the situation.
“What makes it really different from cars is that you’re not driving between Australia, and the UK, and the US on a regular basis.
“When we get online, borders just evaporate into nothing in the blink of an eye. Not just because you could be anywhere in the world, but because it is so easy to make yourself appear like you’re anywhere in the world. We’re trying to apply these laws to a paradigm that has no boundaries.”
While these global regulations are still to be developed, the Australian health sector remains in urgent need of protection.
Campell said a new kind of defence is needed.
“Maybe buy fewer fighter planes and spend more money on hackers.”
Main picture by Eve Cogan.