Seeking a safer Cyberspace

At the time of writing, the Australian Government was announcing a new senior bureaucratic post to bring the nation’s cybersecurity capabilities and their coordination up to scratch. At the same time, the Prime Minister was holding a roundtable meeting of corporate heavyweights and government security heads to discuss the rising tide of threats to our institutions and businesses from criminals and hostile states operating in cyberspace.

The proposed Coordinator for Cyber Security will head a National Office for Cyber Security within the Department of Home Affairs to ‘ensure a centrally coordinated approach’ in the government’s responsibilities. The Home Affairs Minister, Clare O’Neil, also released a discussion paper and sought submissions on potential reforms to the Security of Critical Infrastructure Act to better protect digital data and computer networks from attack. These reforms were intended, the Minister explained, to improve our ‘patchwork of policies, laws and frameworks that are not keeping up with the challenges by the digital age.’

O’Neil’s is the latest in a flurry of announcements by the federal government as it scrabbles to address the fallout from the recent Medibank and Optus data breaches in which hackers gained illegal access to the personal details of millions of Australians and the insurance claims data of about 160,000 health fund clients. While government may be primarily concerned about national security issues, they cannot ignore the fact that these high-profile breaches undermine public confidence in major private and public institutions, including those in an under-resourced health services sector dependent on poorly maintained, insecure, legacy systems and a shortage of competent IT professionals.

One may be inclined to view the Commonwealth’s latest move—which follows the establishment of a similar body in the US in 2021 (although the US office reports directly to the President)—with a degree of cynicism. O’Neil, who is also Minister for Cyber Security, announced only shortly before Christmas the creation of a three-member Expert Advisory Board to ‘lead the development of strategic advice to the Minister for Home Affairs and Cyber Security’, primarily for the purpose of delivering a new cybersecurity strategy for 2023–30; this strategy is to replace the previous 10-year strategy released in August 2020 after extensive consultation and roundtables with business and the community.

The new advisory board includes two members from the recently-disbanded Cyber Security Industry Advisory Committee whose job had been to advise the Commonwealth on how to implement the 2020 strategy—a strategy which planned for a government investment in cybersecurity of $1.67bn over 10 years. The Expert Advisory Board is itself being advised by a global advisory panel, chaired by a former CEO of the UK National Cyber Security Centre. Perhaps the new cybersecurity strategy, when it is released after further extensive consultation, will materially improve on the planned commitments outlined in the previous strategy, but we shall have to wait and see.

Nor was it clear at this time how the new cyber bureaucrat or the proposed cyber security office in Home Affairs would share their duties with the staff of the Cyber and Infrastructure Security Centre (CISC), also in Home Affairs, which is charged with the protection of critical infrastructure sectors of the Australian economy, including ‘how to protect and then respond to serious cyber security incidents.’

In turn, it is unclear how the new office and the existing CISC are to coordinate their efforts with the Australian Cyber Security Centre (ACSC), which resides within the Australian Signals Directorate, and is overseen by the Cyber Security Operations Board, partially under the Minister for Defence. The ACSC, according to its current annual report, ‘leads the Australian Government’s cyber security activities.’ If the intention is to confound simple-minded cybercriminals by creating a confusing array of federal agencies and boards charged with our cyber defence, the government has already achieved its objective.

What is clear is that cybercriminals are turning their attention increasingly to healthcare systems. According to the ACSC, the healthcare and social assistance sector reported more cybersecurity incidents in 2021–22 than did the IT, education and training, finance and insurance, utilities and retail sectors.

According to the College’s general manager for IT, Sarah Vella, this is because the rewards for criminal activity are greater in health care. ‘The information stored in health networks is a far richer data source than just personal information.’ These networks contain massive amounts of patient data which, if acquired in a cyberattack, provide pathways into other organisations and sectors, allowing hackers to potentially lodge insurance claims, obtain prescription drugs and equipment and cause serious reputational losses for health providers and their patients. The appeal of healthcare providers as targets for cybercrime is heightened by the size and physical nature of hospitals. Typically, hospitals function as computerised networks containing many interconnected workstations, devices and expensive pieces of equipment, some of it dependent on legacy software, with their data stored in a complex of servers on premises and in the cloud. ‘Poor maintenance of these big networks creates vulnerabilities. If you are not keeping up with every new operating system and you don’t have the manpower to install the latest security patches, this leaves you open to attack,’ Vella said.

Cyberattacks on hospitals may be highly disruptive and potentially put lives at risk. The ransomware attack on the Waikato District Health Board in New Zealand in May 2021 severely curtailed hospital operations. Hackers infected the hospital’s computers with the Zeppelin virus, a member of the Vegalocker family of ransomware, which has been widely used to attack healthcare and medical organisations worldwide. Critical files were encrypted, rendering them unusable without a decryption key held by the hackers, and personal information was also stolen for possible on-selling to others. The hospital’s switchboard failed, doctors lost access to patient files and laboratory, clinical radiology and radiation oncology services were offline for several weeks, forcing the transfer of dozens of urgent patients to other providers.

It took the hospital three weeks to restore function to four linacs used for its cancer treatments. Eventually some stolen data was released on the ‘dark web’. The NZ Ministry of Health later committed NZ$76 million over three years to improve protections for hospital data and digital systems.

Ransomware attacks are relatively uncommon forms of cybercrime, at least compared with online fraud and theft. Among reported cybercrimes, ransomware incidents comprise fewer than one per cent of the total, whereas online fraud makes up a quarter of all reported cases. But ransomware attacks are more likely to go unreported and individually they are the most costly form of cybercrime, especially as they sometimes result in so-called ‘double extortions’ where stolen data are sold to other criminals who may use the information for identity theft and the extortion of individuals.

A public survey of Australian computer users in 2021 found that 4.5 per cent of users had been a victim of ransomware at some time; however, the prevalence almost doubled to 8.7 per cent among owners of small and medium enterprises. In the field of healthcare and social assistance, one in every 25 SME owners said they had been victims of ransomware.

Paris-based security management firm Atos rates ransomware the number one cyberthreat in 2023, partly as a result of the Ukraine war and increased efforts by Russian-linked groups to attack targets in Western countries. But other types of cyberattack are rising too. High on the Atos top 10 for 2023 are so-called supply chain threats in which criminals target suppliers such as software firms and use these to gain access into the systems of their clients.

To combat such threats, client enterprises need to ensure their suppliers are compliant with documented standards for information security such as ISO/IEC 27001. Another high-risk threat is attacks on the cloud servers used increasingly by enterprises to avoid the capital cost and maintenance of onsite data centres. Cybercriminals may exploit insecure interfaces between software applications where appropriate cybersecurity controls have not been applied; known as APIs, these interfaces are employed heavily in cloud computing to streamline the transfer of data between digital systems, for example, the YouTube API that allows a user to display videos on the YouTube website.

Today, in the wake of the Optus and Medibank data breaches in Australia, governments and private enterprises have begun to talk more earnestly about the need for better security protections for their computer systems. Some cyber defences are highly technical, but many measures depend on minimising human error, for example, training staff to avoid opening suspect emails or implementing two-factor authentication for access to a database.

Public hospitals have recently become more active in providing online training modules to staff to improve awareness of ‘cyber hygiene’ in the workplace and in work-from-home settings. These lessons, which take the form of short instructional videos, deal briefly with issues such as phishing emails, suspect websites, ransomware, insider threats, and the risks posed by mobile devices. The lessons emphasise the basic need for good physical security and compliance with policies and procedures, as well as tips on creating strong passwords and spotting tell-tale signs in a suspicious email.

The uncomfortable reality is that a catastrophic failure in security in a major healthcare organisation may be triggered by a single member of staff clicking on a link in an innocuous-looking email or SMS. According to international surveys, over 80 per cent of data breaches involve some sort of human element, such as a staff member making an error in handling data or being manipulated by an external actor. Consequently, data security advisers are likely to emphasise what they refer to as ‘cyber resilience’—the ability of the target organisation to continue operating while under attack or recovering after an attack.

In achieving resilience, security experts emphasise the importance of incident response plans and comprehensive third-party backups of data. The Australian cybersecurity firm Intalock warns that the data retention built into common software products such as Microsoft 365 offers only limited scope for recovering emails, contacts, calendars, tasks and files stored in web-based platforms such as SharePoint.

The lesson from previous attacks on healthcare systems is that recovery can be slow and painful. According to the head of Waikato District Health Board’s radiology department, Leigh Harvey, hospital staff had to resort to handwritten notes for all record-keeping and communications. ‘Initially we had no patient stickers and patients were difficult to locate’, he said. Then, during the recovery phase, the radiologists were forced to re-report all CT scans performed in the first two weeks after the attack.

Among the lessons he learned from the experience, he advises his fellow radiologists to keep cloud-based or paper copies of report templates and staff contacts, to ‘shut down as much as you can and divert patients elsewhere if possible’, document the clinical risks associated with working during a cyberattack and ensure people get time off to recover after the crisis has passed.

The flipside to any discussion about improving cybersecurity is the unsexy subject of privacy. Successive governments have shown little appetite over a long period for a strengthening of the privacy laws, but this may now be changing. The Australian Privacy Act dates from 1988, a time long before the widespread use of computer networks and web-based platforms in the health sector, yet the legislation has had only minor amendments since then. According to Digital Rights Watch, the Act is no longer fit for purpose; in any event, political parties and small businesses are not covered by the Act.

Government agencies and private companies today collect vast amounts of personal information digitally and in many instances interact with the public only via their websites. Digital Rights Watch says ‘the best way to keep personal information safe is not to have it’. It is a sentiment echoed by Australia’s peak medical organisation, the Australian Medical Association, which does not support the sharing of MBS and PBS health data with private health funds beyond existing statutory schemes. AMA President Stephen Robson says we ‘should look at the General Data Protection Regulation (GDPR) legislation in Europe and the UK, which differentiates between data owners, data controllers and data processors.

‘With the rapid expansion of large international private technology companies into the healthcare space, the AMA wants to see adequate regulation to ensure patient privacy is paramount, and patient ownership of data is protected and enshrined in legislation’, he said.

All these issues and opinions are now in the mix as the Commonwealth considers its next move. The expert advisory board in Home Affairs is currently conducting a series of roundtable meetings ‘focussed on the core policy themes’ related to our cyber security and it expects a new strategy will be promulgated before year’s end.
