Uniting Care Queensland IT responds to major cyber attack
Uniting Care Queensland IT (UCQ), an organisation responsible for servicing four hospitals and dozens of aged care & disability services in Queensland, fell victim to a cyber incident on Sunday 25 April.
In a statement released by the company only 24 hours after the attack, UCQ reported that a number of the organisation’s systems were made inaccessible and that there was no confirmed timeframe for recovery.
Unfortunately, the Australian health sector is no stranger to cyber-crime. In 2018, it saw over 300 data breaches in only four months, and in 2019 it accounted for 22% of all data breaches, making it the highest reporting sector in the country.
This attack in itself is particularly reminiscent of 2019’s Gippsland hospital breach, which impacted a multitude of regional Victorian hospitals and similarly left highly important systems unavailable.
It may go without saying, but cybersecurity breaches in the healthcare sector are particularly problematic, not only for their potential to disrupt real-life healthcare services – such as a German hospital ransomware attack that led to a civilian death in late 2020 – but also for their potential to expose highly sensitive personal data.
Consider, for example, the contentious ‘opt-out’ My Health Record system in Australia.
My Health Record houses a significant amount of personal & medical data used in healthcare services. A breach of a hospital, medical I.T. system, or even your local GP can expose these records and compromise personal privacy. Considering that My Health Record saw a reported 38 breaches in 2019 alone, one can understand the heightened consequences and added importance of security in the healthcare sector.
So how do these breaches happen? In the case of the recent UCQ breach, the incident is reportedly undergoing further forensic investigation, and a further statement on the attack method is yet to be released.
The Australian Cyber Security Centre (ACSC) has recently commented on the dangers of ransomware targeting the healthcare sector, while recent statistics by the Office of the Australian Information Commissioner (OAIC) attribute nearly two in five breaches to human error. Based on recent trends in phishing, hacking, and ransomware, it’s safe to assume that a common method of cyber-attack may have been used in the breach against UCQ.
When cybercriminals target major industries such as healthcare or defense, it’s easy to imagine that complicated algorithms and sophisticated methods were behind the attack.
However, it’s often the same tried-and-true methods that are used against everyone from the smallest business to the largest organisation, regardless of industry.
As such, it’s best to act as though your organisation will definitely face a cyber attack at some point, and to prepare a strong Incident Management Plan in advance: one that prepares your organisation to respond, recover and continue operations following the incident.
UCQ’s response to the recent cyber incident is an example of a well-made Incident Management Plan, and using their response as an example, here are a few key considerations to make when establishing your own Incident Management Plan:
Prepare a statement in advance: After an attack, it’s important to let your customers, partners, and stakeholders know the details of what has happened. UCQ released their public statement within only 24 hours of the attack, detailing the known extent of damages and the steps they were taking to resolve the issue. Preparing a statement in advance enables you to promptly communicate events to the public, and helps to mitigate the reputational damage that often follows a cyber attack.
A good statement is broad, readily editable, and accounts for factors such as service unavailability and data loss.
Set up backups and redundant work systems: If your work systems were taken offline, how would your organisation continue to operate? UCQ reported a return to manual booking processes while the attack was under investigation, wherein other impacted systems were still able to be used.
Consider what you would do in an attack, and prepare systems to ensure that your business is capable of operating during a potential system outage. Furthermore, prepare data backups so that in the event of ransomware or data loss, your organisation has a level of flexibility in deciding the best recovery plan.
Know your requirements: Different regulations and legislation at an industry, state, and federal level will apply to your organisation and determine your requirements in the event of a data breach. For example, all Australian organisations are required under the Notifiable Data Breaches scheme to notify the OAIC within 30 days of a notifiable data breach.
UCQ’s prompt and detailed statement on the breach was likely released with industry requirements in mind, as oftentimes, failure to adhere to relevant legislation can incur significant penalties.
Don’t wait until the last minute to learn your responsibilities. You wouldn’t leave your OHS obligations unattended, and the same applies to data breach regulations.
Not sure about the next steps to take for your cybersecurity? Visit cyberaware.com for key safety tips and takeaways.