Waikato DHB cyber-attack likely from phishing email

NEWS - eHealthNews.nz editor Rebecca McBeth

An email attachment is thought to be the entry point for a cybersecurity attack on Waikato DHB which caused a full outage of its Information Services (IS).

The Ministry of Health has advised DHBs to be particularly vigilant in their online activity and asked them to go through their IT systems looking for patterns of a similar event.

The attack, first reported on 17 May, is affecting all clinical services across Waikato DHB hospitals (Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui) crashing phonelines and computers and causing some elective surgeries to be deferred and outpatient clinics to be reduced.

The DHB says the IS team has been working throughout the night to get the Waikato DHB systems back online and have been making good progress. 

“Our staff are working to restore the infected systems and on the remediation process. We are working with the relevant government departments to ensure a secure environment is successfully re-established,” a DHB media release says.

“However, this is a complex process which will take more time to resolve. We currently have business continuity plans in place to keep our services running into the weekend.”

The statement says the DHB is working with other government departments to investigate the cause, but believes the initial incursion was via an email attachment. 

Ireland's Health Service was hit by a ransomware attack last Friday that shutdown its IT systems. Media reports reveal that the attackers are the Conti ransomware gang and have demanded a $20 million ransom.

Initial reports indicated Waikato may have been targeted by the same cyber criminals and the DHB's chief executive Kevin Snee stated that no ransom would be paid.

However, a Ministry of Health spokesperson says that at this stage the Waikato incident does not appear to be linked to Ireland's.

The spokesperson says Waikato DHB has engaged an external specialist cyber security company to help it recover and is working with the Ministry and National Cyber Security Centre. 

DHBs have been asked to check their antivirus and other security systems are up to date and can protect their systems from a cyber-attack.

"Staff are being urged to be extra careful clicking on links or attachments in emails, especially from people they don’t know,” the spokesperson says. 

The Ministry has also encouraged DHBs to have a plan to deal with a cyber incident and to have access to IT security expertise they can turn to for help.

Dave Parry, from the department of Computer Science at AUT, says the cyber-attack “demonstrates the degree to which the health system depends on IT systems working efficiently”.

While it is not yet clear what kind of attack this is, in a ransomware attack, the attacker manages to get some of their software onto the victim’s network and this encrypts files, making them unreadable. The attacker then offers to give the victim the key to unlock the encryption in return for money - usually in the form of bitcoin or other cryptocurrency.

"If the victim doesn’t pay, then they will normally shut down access to systems, check for the attacker’s software and delete it,” he says.

“After that the victim will then restore the encrypted files from backups and start up the services again. Normally very little data if any is lost. Generally, once the attack software is identified, the DHB can set up its firewall and other security software to identify it and not allow it to run on the network.

“The complexity of DHB systems and the relatively small IT teams can make the shutdown/clean/startup process very demanding - they will be getting help from the rest of the health system and government. It would be reasonable to expect critical systems to be up and running again in a day or so at most,” says Parry.

The Waikato attack follows news last week that health care and social assistance is the industry reporting the highest number of serious privacy breaches since the new Privacy Act came into force.

The Office of the Privacy Commissioner (OPC) received a 97 percent increase in privacy breach notifications in the first four months of the new Act, compared to the previous six months.

Breaches related to health care and social assistance make up more than 20 percent of those notified. The report notes that a high number of reports from one sector does not necessarily mean poor privacy practice, but may mean they are more aware of their obligation to report.

Medical IT Advisors chief executive Faustin Roman says around 90 percent of organisations operating in the healthcare space are small or medium-sized businesses that lack basic security controls and 90 percent of breaches are due to human error. 

“Healthcare environments use a lot of digital technology and are exposed to cyber risks as they inherently need to trust and collaborate with each other,” he says.

“The Covid-19 pandemic has created the perfect situation for the malicious actors to exploit organisations as there is a lot of fear and misinformation and opportunities for any staff member to fall for a scam.”