Australian Medical Facilities Hit by RansomwareOfficial Hints That Backups May Aid in Recovery
See related story: Latest U.S. Healthcare Ransomware Attacks Have Harsh Impact
See Also: How to Defend Your Attack Surface
Medical facilities and hospitals across the state of Victoria in Australia were infected by file-encrypting ransomware on Monday, causing the shutdown of patient booking systems and financial systems.
At least one hospital has reverted to using paper-based systems, but so far the infections haven't disrupted emergency services.
The ransomware infected facilities in two large health networks: the Gippsland Health Alliance and the South West Rural Health Alliance. SWARH serves an area of 23,000 square miles extending from Melbourne west to the border with South Australia.
"A number of servers across the state have been impacted," according to a statement by Victoria's Department of Premier and Cabinet. "Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection."
The department says "there is no suggestion that personal patient information has been accessed."
The lack of internet access means that some patient record, booking and management systems weren't available, which affects scheduling, the department says.
"Where practical, hospitals are reverting to manual systems to maintain their services," it says. "The affected hospitals are now working on their bookings and scheduling to minimize impact on patients, but may need to reschedule some services where they don't have computer access to patient histories, charts, images and other information."
Shared Systems, Shared Infection
Emergency departments have not been compromised, and some hospitals have not suspended clinical services, according to a statement from Jenny Mikakos, Victoria's minster for health. Outpatient appointments and elective surgeries at some facilities, however, have been impacted.
One regional health network in the Geelong region, Barwon Health, suspended some clinical services, but most outpatient appointments and elective surgery proceeded on Tuesday, the statement says. Barwon Health, which includes University Hospital Geelong, serves 500,000 people.
"In situations like this, the hospital reverts to manual paper-based systems to maintain services."
— Dan Weeks, CEO, West Gippsland Healthcare Group
It wasn't immediately clear what type of ransomware infected the hospitals.
One affected medical group, West Gippsland Healthcare Group, says that the Gippsland Health Alliance and SARH have shared IT systems. That may be the reason the ransomware spread so widely.
"In situations like this, the hospital reverts to manual paper-based systems to maintain services," says Dan Weeks, chief executive officer of WGHG. Despite the infection, many of WGHG's systems were working, Weeks says. That includes the internal intranet, the phone and public address systems, printers and its website.
Backups May Exist
Aiding in the response is the Victorian Cyber Incident Response Service, which was set up three years ago. Also involved is the Australian Cyber Security Center, which is part of the Australian Signals Directorate, and Victorian Police.
In an interview with the ABC, Victoria's Premier Daniel Andrews said the ransomware incident was a criminal attack. Andrews told the ABC that it may take weeks of effort to secure systems.
David Cullen, heads the Victorian Government Cyber Incident Response Service, tells the ABC Radio Melbourne the attackers managed to bypass security controls.
"What we are dealing with is the encryption of those files, which has the unfortunate effect of inhibiting or preventing us from accessing that important data," Cullen says.
Cullen says the attackers haven't made a specific ransom demand. Cullen alluded that the medical facilities may have backups systems that will allow for recovery. He said organizations should not pay a ransom, if one is demanded, because there's no guarantee it will result in recovered data.
"Ransomware is not the be all and end all for us," Cullen says. "We have controls, we have arrangements in place that will allow us to recover from this virus."
The city of Baltimore, one of many cities across the U.S. that has been struck by ransomware, recently concluded that its recovery was hampered by a lack of policy that ensured all computers were centrally backed up. The city was struck in May, and some of its files were subsequently lost forever (see: Baltimore Ransomware Carnage Compounded by Local Storage).