Australian plastic surgery and dental clinics are top targets for ransomware attacks, report warns

Criminal gangs see Australia as a ‘soft target’ for ransomware attacks and will go after plastic surgery and dental clinics next.

Exclusive: Plastic surgery clinics, dentists, and aged care facilities are becoming the new battlefront in Australia’s cybersecurity war as foreign ransomware gangs “ruthlessly” seek big paydays and our most private information.

The warning comes in a new report from security firm CyberCX, which also revealed ransomware incidents against Australian and New Zealand targets had more than doubled this year, and healthcare firms involved in the Covid-19 vaccine rollout were at risk of more attacks from both criminals and foreign spies.

The report follows a series of dangerous attacks against Australian medical facilities this year which have shut down or stolen data from two hospital groups, two aged care providers, Tasmania’s ambulance service, a vaccine research agency, and a medicinal cannabis firm.

CyberCX intelligence director Katherine Mansted said criminal gangs were increasingly trying to “exploit the pandemic for their own needs” and attack essential health services that couldn’t afford any downtime.

Ransomware attacks have more than doubled in Australia. Picture: iStock

“Hospitals and aged care facilities need to be providing frontline care so when a cybercriminal knocks them offline they’re increasing the chances that victim will pay a ransom,” she said.

“Their strategy is to cause harm to achieve a payday.”

But attacks on hospitals were increasingly attracting attention from law enforcement agencies, Ms Mansted said, and there was evidence organised criminal gangs were hunting new targets within the health industry to fly under the radar.

“We’re seeing them pivot into still lucrative but less high-profile targets like elective surgery practices, aged care facilities, dentistry and plastic surgery clinics,” she warned.

“All of these places in Australia are being targeted because they hit that sweet spot: lower heat from law enforcement, (criminals) can still achieve a payday, and they house incredibly private information.”

Cosmetique chief executive Dr Vivek Eranki, who runs 13 cosmetic surgery clinics across four states, said the prediction was alarming because many businesses within the industry did not take computer security seriously.

“There is definitely a lack of understanding about the importance of cybersecurity in plastic surgery,” Dr Eranki said.

“I’ve got peers who are still storing photos in (Apple) iCloud. All it takes (to steal images) is someone with access to an unlocked device.”

Perth-based Cosmetique chief executive Dr Vivek Eranki says many operators in the industry are not prepared for cyber attacks against their businesses. Picture: Supplied

Dr Eranki, whose business uses encrypted communications, two-factor logins for staff, and a managed gateway to prevent theft, said even doctors who “think they know what they’re doing” should ask a security expert to set up a secure system and staff training, if not to prevent ransomware then to protect patients from extortion.

“We see about 2000 patients a month and some very famous celebrities and athletes as well,” he said. “We understand that we could potentially be a target.”

The CyberCX report also found ransomware attacks against Australian and New Zealand organisations more than doubled between May and June this year compared to the first three months of the year, and predicted healthcare operators involved in the Covid-19 vaccine rollout would continue to be a target of ransomware gangs and state-sponsored hackers launching “disinformation campaigns”.

And while both groups were based overseas, with most ransomware gangs based in Russia or one of 10 former Soviet republics, Ms Mansted said more action needed to be taken to prosecute criminals, prevent attacks and to “make Australia less of a soft target”.

“There needs to be a concerted effort from the Australian government to disrupt the business model of cyber criminals because, ultimately, they perceive Australia and our healthcare sector to be a permissive environment,” she said.

“We need to throw sand in the gears of their operation and make it harder for them to achieve a payday.”

Internationally, two ransomware gang members were arrested in Ukraine last week as part of a sting involving Interpol, Europol and the FBI. One suspect is alleged to have been involved in more than 100 ransomware attacks and the theft of more than $200 million.

An Australian push to shine a spotlight on ransomware payments in the country has stalled, however, with action yet to be taken on the Ransomware Payments Bill.

HOW TO AVOID BECOMING A RANSOMWARE VICTIM

— Patch software as soon as updates become available

— Use multi-factor authentication to secure accounts with more than just a password

— Maintain up-to-date backups of important information

— Carefully scrutinise email links and attachments before clicking on them

— Only download software from known, secure sources

Originally published as Australian plastic surgery and dental clinics are top targets for ransomware attacks, report warns

Original URL: https://www.goldcoastbulletin.com.au/technology/online/australian-plastic-surgery-and-dental-clinics-are-top-targets-for-ransomware-attacks-report-warns/news-story/767a959ffcc230fb5e510017f9150873