Ransom wars: Attack of the cybers
The big news this week was the cyber attack on hospitals in Gippsland and south-west Victoria, which knocked out clinical and administrative systems in the region including some large facilities such as University Hospital Geelong and Latrobe Regional Hospital in Traralgon.
We received word that the attack involves Ryuk, a particularly nasty piece of ransomware that has also affected hospitals in the US and Canada, including three this week in Alabama that had to turn away patients. It has also been causing havoc for financial organisations and some major US newspaper groups since it first appeared last year.
NZ-headquartered antivirus firm Emsisoft got in touch to tell us a little about Ryuk. Emsisoft – which has a tagline of ”Security solutions that do not suck” – has written a report on ransomware attacks just in the US this year, which total 621 major incidents costing potentially billions of dollars. The attack vectors of choice remain email and Remote Desktop Protocol.
Emsisoft's PR chief Brett Callow tells us that Ryuk is pretty bad news. “The code contains several bugs that causes it to damage about 1 in 8 files that it encrypts, so there’s pretty much always some degree of data loss in these cases unless they have backups that weren't affected,” he said.
“We can actually recover files encrypted by Ryuk (except the corrupted ones) but only in about 3 to 5% of cases.”
Victoria has had a run of bad luck with cybersecurity incidents in the last few years. There was the Qbot bug that wormed its way into Royal Melbourne Hospital in 2016, a thankfully unsuccessful attack on Western Health by WannaCry in 2018, and the Hermes 2.1 ransomware attack on Melbourne Heart Group earlier this year.
It seems unfortunate or perhaps just bad timing that of the state health services pinged by the Victorian Auditor-General's Office in May for having serious weaknesses in their cyber security arrangements, one just happened to be Barwon Health, which runs University Hospital Geelong.
Bad timing, bad luck or bad processes, either way it is only going to get worse. Emsisoft's report says most of the US organisations hit were in healthcare, and that cybercriminals know that healthcare providers are often inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk.
In brighter news, over in WA the state government released its promised digital health strategy. Developed with the help of Deloitte, it has been heavily influenced by the findings of the Sustainable Health Review, which encouraged a statewide EMR as a foundation to build the future health system upon.
The use of telehealth in such a large state with a comparatively small population is a no-brainer and it has a thriving rural telehealth system. Earlier in the week more details were revealed about the expansion of the WA Country Health Service's Command Centre, which features in the strategy. We were also pleased that primary healthcare has not been forgotten, with an interesting suggestion of rolling out a shared care planning solution within the decade.
At the end of the week, we heard from Best Practice Software, which has named start-up company Cubiko as one of the vendors in its new partner network. Cubiko is a practice dashboard system designed by data analytics and dashboard specialist Aginic and Brisbane GP practice Inala Primary Care. The latter is one of the most innovative in the country, servicing a low socio-economic region with very complex needs. It was the first practice to upload a shared health summary to the PCEHR way back in 2012 and is highly active in digital health, offering itself to vendors to trial their solutions to suit the Australian primary care market.
Speaking of which, late in the week the federal Department of Health released guidelines on exemptions (PDF) to the requirements of the PIP QI for those practices that do not wish to use the PHN-funded data extraction tools such as Pen or POLAR, or whose clinical software does not integrate with those tools, such as Intrahealth's Profile.
To get the exemption and keep receiving PIP payments, practices are being asked to take full responsibility themselves for developing a new solution by July 2020. DoH is asking practice owners to sign a form committing to some quite extraordinary things, including developing the solution itself, paying the full cost and accepting liability.
Apart from the likes of Inala Primary Care, there'd be few practices in the country with this capability, and we wonder if the Department has simply got the pip with groups such as the Australian General Practice Alliance (AGPA) that have pushed back on PHN involvement in the PIP. If you want the money come up with your own solution, DoH seems to be saying. Knowing AGPA, the fallout from this may be thermo-nuclear.
It also brings us to our poll question for the week: Should practices that refuse to use their PHN's chosen data tool for PIP QI be required to develop and pay for their own?
Last week, we asked: Do you think the national ePrescribing system will be functional before year's end? Cynics, all 86 per cent of you. Only 14 per cent were a bit more optimistic.