State of emergency: Healthcare organisations must step up their cyber security posture

Increasing attacks against hospitals, clinics, and medical centres show that cyber criminals will gladly leverage critical patient data for financial gain.

David Hollingworth
Thu, 06 Mar 2025

Two weeks after it first revealed it was the victim of a comprehensive cyber attack, Australian fertility clinic Genea is still going through the laborious process of working out exactly what data has been impacted.

What we do know is that between 700 and 900 gigabytes of sensitive patient data has likely been exposed, and many vital fertility treatments have been disrupted.

It’s a heartbreaking situation; however, Genea is just one of a wave of Australian healthcare organisations being increasingly impacted by the ransomware ecosystem. And despite what some healthcare providers may believe, the exposure of medical data can have far-reaching consequences.

The cost of a healthcare breach

“Cyber attacks on healthcare providers instantly disrupt communities, often with critical consequences,” Trevor Dearing, director of critical infrastructure at Illumio, told Cyber Daily.

“This makes them prime targets for cyber criminals, and disruption rather than just data theft is now the driving force behind many attacks. In this case, there are reports that Genea patients have been left unable to contact their local clinic, with some missing time-sensitive fertility treatments.

“It is also evident that some critical systems needed to be completely shut down to allow Genea to investigate and control the attack. Phones and patient app access were interrupted for days.”

In fact, Illumio’s research has shown that fully three-quarters of Australian companies that fall victim to a ransomware attack have had to halt operations for at least 12 hours on average.

“All healthcare organisations must get to the point where they have the confidence that an attack won’t disrupt critical systems and patient care,” Dearing said.

“This requires a shift from trying (in vain) to prevent attacks, to breach containment. Any healthcare provider that hasn’t already should adopt a zero-trust strategy to restrict and control communication and movement through their network. This is the only way to maintain systems operations in the event of a breach, and stop attacks becoming so disruptive.”

A false sense of security

It may be old data (in internet terms), but Proofpoint’s 2023 analysis of the healthcare sector depicted an industry that may have felt secure yet was in more danger of serious compromise than it realised. At the time, 97 per cent of public and private hospitals had some level of Domain-based Message Authentication, Reporting and Conformance – or DMARC – protocols in place, but only a shade over two-thirds had the highest level of protection in place.

Similarly, a January 2025 audit of Queensland’s health system found major deficiencies in the IT controls of many of the state’s hospitals, presenting a major risk to patients, staff, and stable operations. And it’s not a long bow to draw that other states are not much better off, leaving the entire nation at risk of yet further damaging healthcare breaches.

“The healthcare industry has become one of the most targeted sectors for cyber criminals due to the highly valuable data it stores, including patient identities, bank account details, and medical history, combined with limited resources focused on staying operational to provide patient care,” Steve Moros, senior director, advanced technology group, Asia-Pacific and Japan, at Proofpoint, said.

“The Genea IVF breach, where sensitive patient data was stolen and has now been published on the dark web, underscores the severity of this risk. Not only does the exposure of Medicare records, test results, appointment details, and private health insurance details violate patient privacy, but it also opens the doors for identity theft, financial fraud, and emotional distress for thousands of Australians. With these types of attacks becoming more frequent, implementing robust email security protocols like DMARC adds a critical layer of protection.”

Best practice

Of course, while hospitals and larger clinics are at risk, the challenges faced by GPs and smaller practitioners are arguably even greater. The scale of the data may not be as great, but the data is no less intimate, and general practices simply don’t have the on-premises resources.

COSBOA’s Cyber Wardens program is trying to make up that resource deficit through its Cyber Aid program – launched in the wake of hacks such as the Genea leak.

“The health industry is a lucrative target for cyber criminals, and the recent Genea attack is a timely reminder for every health service provider across Australia to bolster their cyber defences,” COSBOA CEO Luke Achterstraat said in a statement.

“Small businesses, including medical practices, lose an average of $49,600 per attack – a cost many simply cannot afford. It’s a burning issue for patients, too, with research showing 82 per cent of Australians fear unauthorised access to their health records.

“Cyber security is no longer just an IT issue – it’s a patient safety issue. With 95 per cent of cyber attacks caused by human error, every healthcare professional has a role in protecting sensitive information and ensuring compliance with privacy regulations.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
