A large cyber attack has caused chaos in the New Zealand healthcare system over the past few weeks. Multiple hospitals in New Zealand were crippled when a ransomware attack locked their phone lines and computers. Although the ransom note didn’t contain a dollar amount, it indicates a “ransomware event,” according to Kevin Snee, the head of Waikato’s district health board. In another interview he said, “It’s probably the biggest cyber attack in New Zealand’s history. We are dealing in uncharted territory here.” News outlets reported just today that the group behind the attack on the Waikato healthcare system sent them “documents, records, and phone numbers and addresses of patients and hospital employees” in an apparent double-extortion attempt. We have yet to see any of this information on the dark web, but we expect the group will release the private data at some point in the future.
Nurses couldn’t look up patient information because of the attack. Nurses and doctors resorted to pen and paper, asking patients what they had come in for and who they had come to visit. The hospitals postponed many elective surgeries and transferred patients to other facilities. They have also asked patients not to come to the emergency room unless they need immediate care for a life-threatening injury, because of the long delays.
Investigators have not released how the group that hacked the hospitals first gained access. In most incidents of this kind, the initial foothold comes through an email. Users tend to create the biggest holes in a network’s security. We shouldn’t blame the user who opened the email; instead, we should encourage users to report the issue to investigators promptly. Administrators and security experts have the responsibility to teach users how to recognize suspicious emails and to evaluate that training with periodic tests. Any security system must have a layered defense that includes the user.
It’s too bad nobody makes gateway and system solutions for IP, ID and DR…
IP is often neglected, and ID is too often not considered at all. So, DR from bare metal is really the be-all and end-all in most situations. If you aren’t going to invest in preventing or recognizing a breach, you sure should invest in a rapid recovery plan. In this case they still would have had the entirely unacceptable loss of patient data, but they would not have had lives put at risk from down systems. If they had bare-metal capability, they would have been able to shut down and spin back up in hours instead of being crippled for however long.
There really are industry best practices that mitigate this exact situation. While you might not be able to stop every data breach in every scenario, you can absolutely control RTO and RPO for DR.
On another note, this may be a good example of outdated and insufficient legal understanding of cyber threats. This attack could have resulted, or still could result, in loss of life or physical harm to patients. It should be prosecuted as such on top of the cyber crimes.
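The comment above argues that RTO and RPO are the DR metrics an organization can actually control. The following added example (not code from the original page or from any product it alludes to) shows how a defender would check a fleet of systems against those targets: RPO is measured as the age of the last known-good backup, RTO as the duration of the most recent restore drill, and a system with no verified backup or no drill on record is flagged rather than silently passed. The `SystemDR` record, the sample systems and the target values are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SystemDR:
    """Hypothetical DR record for one system (constructed for this example)."""
    name: str
    rpo: timedelta                        # target: maximum tolerable data loss
    rto: timedelta                        # target: maximum tolerable downtime
    last_good_backup: Optional[datetime]  # None if no successful backup is recorded
    last_restore_drill: Optional[timedelta]  # measured bare-metal restore time, None if never tested


def evaluate(system: SystemDR, now: datetime) -> List[str]:
    """Return a list of findings; an empty list means the system meets its targets."""
    findings = []

    # RPO: data loss in a breach equals the time since the last restorable backup.
    if system.last_good_backup is None:
        findings.append("RPO unverifiable: no successful backup on record")
    else:
        backup_age = now - system.last_good_backup
        if backup_age > system.rpo:
            findings.append(
                f"RPO breached: last good backup is {backup_age} old, target {system.rpo}")

    # RTO: downtime is only known if a restore has actually been rehearsed.
    if system.last_restore_drill is None:
        findings.append("RTO unverified: no restore drill on record")
    elif system.last_restore_drill > system.rto:
        findings.append(
            f"RTO breached: last drill took {system.last_restore_drill}, target {system.rto}")

    return findings


def compliance_report(systems: List[SystemDR], now: datetime) -> dict:
    """Map each system name to its findings so non-compliant systems stand out."""
    return {s.name: evaluate(s, now) for s in systems}


# Constructed sample fleet: one compliant system, one stale backup, one never tested.
NOW = datetime(2021, 5, 25, 9, 0)
SAMPLE_SYSTEMS = [
    SystemDR("patient-records-db", timedelta(hours=1), timedelta(hours=4),
             datetime(2021, 5, 25, 8, 30), timedelta(hours=2)),
    SystemDR("pacs-imaging", timedelta(hours=4), timedelta(hours=8),
             datetime(2021, 5, 24, 6, 0), timedelta(hours=6)),
    SystemDR("phone-switch", timedelta(hours=24), timedelta(hours=2),
             None, None),
]

if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_SYSTEMS, NOW).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The point of treating "never tested" as a finding rather than a pass is the one the comment makes: a backup that has never been restored from bare metal gives no real RTO, so the recovery plan is unproven until a drill has timed it.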