Hospitals and other healthcare organisations have recently been under heavy attack by cyber criminals according to information from both Microsoft and US Federal agencies. The attacks put lives at risk during what is already a challenging time due to the current COVID-19 pandemic.

Worryingly, pharmaceutical companies working on vaccines and treatments for COVID-19 have been included in the attacks. Gorilla Technology CEO and Futurist Paul Spain indicates that whilst every organisation is at risk from random cyber-attacks, it is likely that those leading the way with developing vaccines for COVID-19 were directly targeted by state sponsored attackers.

Microsoft indicates these attacks have been carried out by three hacker groups from Russia and North Korea. The Russian group, which Microsoft refers to Strontium (also known as APT28 or Fancy Bear) used a technique call a password spray attacks to break into systems.

Strontium is understood to have been behind disinformation and hacking ahead of the 2016 United States presidential election and has been blamed for many other cyber-attacks.

“We think these attacks are unconscionable and should be condemned by all civilized society,” said Tom Burt, Microsoft’s customer security and trust chief. Reports indicate that in some cases

But the risk is not just big target countries such as Canada, France, India, South Korea and the United States – Paul Spain advises that many New Zealand organisations related to healthcare are ill prepared for attacks.

In late 2019 Tū Ora Compass Health admitted they had suffered a cyber incident that lead to possibly as many as 900,000 patient’s information being compromised.

Spain says “Evidence myself and the Gorilla Cyber Security team have seen highlights that we have two major cyber security problems with the health sector in New Zealand. Firstly, organisations, often larger ones, with outdated systems that carry risk due to their age and inability to provide protection against modern cyber security threats. And secondly, a general lack of awareness and attention to cyber security from smaller to medium organisations such as general practitioners.”

“In both cases, a lack of investment in cyber security is a key limiting factor which urgently needs to be addressed both at a government level and with fund allocations internally within each organisation”.