By Staff Writer
On a Sunday morning in Sydney, the computers freeze and digital systems go down at a leading hospital. The nurses on the ground don’t know it yet, but the hospital is under cyberattack. How is this going to unfold? That was the question posed at an Australian Cyber Week hypothetical on Monday.
The hypothetical, hosted by AustCyber, is one of a series of events marking Australian Cyber Week and designed to raise cybersecurity awareness. Monday’s hypothetical included experts from the Australian Cyber Security Centre, the Global Forum on Cyber Expertise, health provider BUPA, and cyber threat intelligence firm Cybermerc.
Home Affairs Minister Karen Andrew confirms nearly 500 ransomware reports in Australia in the 12 months to June 30, 2021. The critical nature of healthcare organisations and the extensive personal records they hold make them prime targets for bad actors.
Jessica Hunter, First Assistant Director General at the Australian Cyber Security Centre, said there’s always a lot of confusion when IT systems go down.
“Is it an IT issue? Is it a cybersecurity issue? Those first three or four hours, CEOs and boards are having those conversations,” Ms Hunter told the hypothetical.
But she says the quicker organisations like hospitals flag the possible cyberattack, the quicker a response plan can swing into action. In this hypothetical case, the ACSC was not formally notified until Sunday afternoon.
But by then, hospital devices connected to the network are showing a screenshot from the attackers demanding a $100,000 Bitcoin payment to get the hospital back online.
“Even if it’s a sophisticated organisation, often they haven’t prepared for the worse,” said Chris Painter, President of the Global Forum on Cyber Expertise Foundation. “Often, they haven’t done the kind of resiliency planning or even planning for an incident like this.”
Painter says if the hospital hasn’t planned for an event like this, there will be panic in the ward and the boardroom.
“This has second and third-order effects. The hospital is going to have to start prioritising to figure out what is essential and what they can put off.
“Very quickly, what the CEO has to do with his board is to decide how they’re going to communicate this to the public and not cause panic, and how they are going to deal with the Australian Cyber Security Centre.”
MySec.TV Recorded Tuesday 26 October 2021 – Celebrating #AUCyberWeek2021 and discussing the hypothetical exercise outcomesThe hypothetical raised several issues, including the effects of delaying notification, first moves by agencies like the ACSC, and should the hospital pay the ransom.
Jessica Hunter doesn’t want to see cyberattack notifications delayed until Sunday afternoon. The sooner the agency is contacted, the sooner they can initiate help. The ACSC triages cyberattacks. Their response will depend on various factors, including the level of cyber resilience and IT sophistication at the hospital.
In Monday’s hypothetical scenario, the hospital’s chief information security officer (CISO) had left about six months ago and hadn’t been replaced.
Two likely realities are playing at out the hospital, said Matthew Nevin, CEO of Cybermerc. There could be a well-organised incident response plan working off a template. Or there could be disorganisation and chaos. Often there can be both in big organisations like hospitals.
“We can have an executive team demanding IT security race around trying to understand what is happening. These two groups, almost been at odds with each other and scrambling to understand what they need to do to respond… I’d say the difference between being ready for this event or reacting to it is really about a preparedness coming beforehand,” Nevin said.
But Matthew Nevin does have some sympathy for hospital CEOs and boards who frequently aren’t on top of the risks cyber attacks pose.
“I think it’s always somewhat of a challenge to be a board member,” he says. ”We’re worried about how it’s going to look to the public; we’re worried about reputation. But we see here the secondary effects of delaying notification, and things get worse.”
The issue of report delays was a big one on Monday’s hypothetical. The panellists acknowledged many organisations are loathe to involve government in resolving what they often see as an in-house matter.
But that reluctance often makes things worse, especially if the organisation lacks a well oiled cyber incident response plan, and in this hospital’s case, a CISO.
“It sounds like the hospital hasn’t really thought this through and properly developed a plane to really understand the potential for a ransomware attack,” said BUPA’s CISO John Ellis.
He says hospitals need to know how to do critical decision making when experiencing a cyberattack. Who has autonomy and control? What are the backup procedures? Understanding and mapping out the response to a cyberattack before it happens is critical.
“But many (hospitals) don’t have that type of thinking,” Ellis said. “The reality of many hospitals in Australia is that they’re very hierarchical, so quite often they don’t have delegated autonomy or decision-making authority.”
Whether the hospital (or any organisation) pays the ransom was a no-brainer for most of the panellists. Chris Painter suggested some scenarios where paying the ransom might make sense, but there was overwhelming opposition to the principle of paying ransoms.
John Ellis says a cyber-resilient organisation would look at alternatives. Among other aspects, payment helps legitimise extortion. He says it’s wrong to look at ransom payment as a silver bullet, after which the bad actors would simply flick the switch back on.
“Even if the ransomware actors gave them access to the key to decrypt the information, it might take the hospital days to get back online, and there’s no guarantee the actors will follow through anyway.”
While the Australian Government doesn’t prohibit ransom payments, it does discourage them. Jessica Hunter says she would not encourage payment, but neither would she explicitly prevent an organisation from doing so.
The hypothetical hospital survived the cyberattack. It got its act together, called in help, and didn’t hand over any Bitcoins. But the scenario highlighted the risks hospitals face, and as the panellists noted, the risks aren’t necessarily hypothetical.
AustCyber is providing that platform of effective communication at its Australian Cyber Week 2021 event.
MySecurity Media is an official partner of the virtual conference to be held between 25-29 October.
