Personal information has been published following a ransomware attack on publicly listed aged care provider Regis Healthcare, prompting a warning to all providers from the Federal Government.
Ransomware is a type of malicious software that makes a device or files unusable unless a fee is paid, and it is affecting other aged care providers too, according to the sector’s technology peak body.
The cyber attack occurred over the weekend and resulted in data being encrypted, stolen and published, a spokesperson from Regis Healthcare told Australian Ageing Agenda.
Regis Healthcare issued a statement to the Australian Securities Exchange on Monday reporting that an overseas actor had copied some data from Regis’ IT system and released certain personal information.
“The company is contacting parties whose personal data has been publicly released,” the provider said in statement.
Regis Healthcare implemented its back-up and business continuity systems and the attack did not affect resident care or service delivery. And the incident did not “materially impact” day-to-day operations, the provider said.
“Our priority is maintaining safe and reliable operations while ensuring the security of personal information of our residents, clients, and employees,” said Dr Linda Mellors, chief executive officer and managing director of Regis Healthcare.
“To this end, we are working with expert IT and security advisors to continue to investigate and deal with this incident,” Dr Mellors said.
Regis Healthcare declined to provide any further comment.
Providers warned about increasing threats
The incident prompted the Australian Department of Health to issue an urgent warning to all providers about the potential of similar attacks.
It included new advice from the Australian Cyber Security Centre about a significant increase in malicious cyber activity targeting the aged care and healthcare sector using ransomware Maze.
Maze is designed to lock or encrypt an organisation’s information so it cannot be used.
The ACSC’s recommends providers:
- never pay a ransom demand
- identify and backup critical information and systems
- keep systems and software up to date through regular patching
- use antivirus software and keep it up to date
Providers unprepared, says peak
Aged Care Industry Information Technology Council CIO Forum committee chair Gavin Tomlins said cyber attacks were not uncommon for Australia’s aged care providers.
“Cyber security is very lacking in the whole industry at this present point in time,” Mr Tomlins told AAA.
Other aged care providers have also experienced ransomware attacks.
“Some of the organisations are paying because they don’t have the necessary processes in place, and they need to release the data,” he said.
“My suggestion is all aged care providers should have cyber insurance, which I still don’t think is commonplace,” he said.
Tips to prevent cyber attacks
Mr Tomlins said providers should also have a firewall, virus and malware software protection, and a backup system that is regularly tested.
Ongoing awareness education for all staff is also vital, Mr Tomlins said.
“As part of induction and part of the ongoing development of staff members, there should be either e-learning, or it should be a conscious thing to be educating staff around digital literacy, data privacy and cyber security as well,” he said.
Providers should also undertake annual system penetration testing, which is where an ethical hacker tests how secure an organisation’s systems are, Mr Tomlins said.
Other ways to prevent cyber attacks include:
- ensure email servers are secured to stop impersonation
- regularly check and change passwords
- regularly audit accounts to remove departed staff
- undertake dark web scanning to check for compromised accounts.
Mr Tomlins recommends aged care providers not pay a ransom, where possible.
“If your backup systems are in place, I wouldn’t pay them if you can get away with it. Organisations should be monitoring the dark web more closely, which isn’t common practice,” he said.
He said providers should use two-factor authentication where possible and ensure good policy and procedures are in place.
Find our more on ransomware and recommendations from the ACSC here.