Ransomware attacks have targeted the information technology systems of a number of hospitals and health services in Gippsland and south-west Victoria, according to the government.
Despite the severity and wide-ranging nature of the attack, so far there has been no indication the hackers were able to access personal patient information, according to Victoria's Department of Premier and Cabinet.
The attack, which affected hospitals affiliated with the Gippsland Health Alliance and of the South West Alliance of Rural Health, impacted a number of servers across the state and has resulted in a loss of access to patient histories and other data sets.
"The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management," an advisory statement issued by the Department of Premier and Cabinet announced. "Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection."
The attack means some facilities have had to revert to manual systems to maintain services, and the advisory noted some services may need to be rescheduled.
The Victorian Cyber Incident Response Service is working continually with Victoria Police and the Australian Cyber Security Centre to manage the incident – since launching in 2018, the service has responded to more than 600 cyber-attacks on Victorian government organisations.
"Medical facilities continue to move to a system of entirely electronic health records, worldwide, to provide more complete and accessible health data while making operations more efficient than the older, paper-based processes," Dan Tuchler, CMO at SecurityFirst, said in a statement regarding the attacks.
But this leaves them more exposed to hackers, including ransomware, and extending to their financial IT systems as well. This is unacceptable. There are well-established best practices for protecting data on servers, and we should never have to read about a hospital turning away patients due to ransomware, as happened in this case."
The attack follows an audit released in May by the office of the Auditor-General, which found patient data stored in Victoria's public health system is highly vulnerable to cyber-attacks.
The report stated that Victoria's public health system is "highly vulnerable" to the kind of cyber-attacks that recently hit a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.
The audit also noted many health agencies have low risk awareness of the security flaws, and found deficiencies in how health services manage user access to digital records.
These included unused and terminated employee accounts that were still enabled, as well as failures to keep user access forms as proof that users have had their access approved.