Has your hospital rehearsed its cyber crisis response?



Here’s why you need to.


If you operate in the healthcare sector, it’s not a matter of if, but when your organisation will be attacked by cyber criminals.

Australia’s health sector had the most reported data breaches (18%) of any industry in the first half of 2025, according to the Office of the Australian Information Commissioner.

Furthermore, cyber criminals had a success rate of 95% in healthcare incidents compared with a lower average rate of 52% across other industries, according to the Australian Cyber Security Centre.

With the recent escalation in the Middle East, this risk is only growing. In March, many Australian hospitals were on high alert following the Iranian hack on Stryker, the US-based global supplier of medical and surgical equipment.

The data shows that, unfortunately, many organisations are badly unprepared when attackers come knocking. So, when it comes to protecting hospitals, the saying “practice makes perfect” has never been truer.

A cautionary tale

Let’s consider the following scenario involving a large Australian hospital.

Aware of the increasing cyber risk facing healthcare organisations, the hospital engages a third-party cybersecurity firm to help it develop a backup of all its data and an emergency response plan in the event of a cyberattack.

However, staff have never actually rehearsed or tested the plan beyond restoring some basic admin user access and logins, so they don’t know if it will work in a real crisis.

They carry on operations as usual, believing they have a solid plan should any attacks occur.

Staff have minimal education on password hygiene (resulting in easily guessed passwords being used throughout the network) and aren’t trained to spot the basic signs of phishing attacks.

Fast forward a few months, and cyber criminals decide to attack the hospital. They target staff with a phishing campaign and manage to convince one employee to reveal their user credentials.

Attackers then use these credentials to take over the network and steal sensitive patient data – and, most critically, the backup and crisis-response plans the hospital was counting on to restore operations – giving them detailed insight into the hospital’s every move before the team could even act.

The lesson here is that your crisis response plan is only effective if you have practised using it, and if you can still reach a copy of it when your infrastructure goes down.

In addition, having out-of-band communications in place before a cyberattack is critical because most serious attacks target or impact the systems companies normally use to coordinate a response.

Cyber criminals want to succeed, so they will do anything they can to make your recovery more difficult, including deleting your data backups and emergency response plans. The more you have practised your plan, the better the team can respond when the unexpected happens; “unexpected” is the nature of incident response.

Managing a cyber crisis in real time requires speed, communication, and coordination. All too often, incident response plans rely on assumptions that fall apart during a real crisis.

What should your crisis response plan focus on?

Many healthcare organisations (and, in fact, 90% of businesses overall) use Active Directory (AD) as their core identity system to manage access to information systems.

In a hospital setting, AD functions like a master key system – it controls who can log in and what they can access, such as patient records, lab systems, imaging, devices and more.

Cyber criminals exploit vulnerabilities in AD to gain access to healthcare networks, propagate malware, and demand ransom. In the meantime, the organisation’s operations come to a standstill, causing life-threatening disruptions in patient care.

Until AD is restored, hospitals cannot start their recovery process or resume operations. Therefore, an effective cyber response plan must focus on restoring AD as its primary objective.

Many security tools (such as standard anti-virus or firewalls) lack the specialised capabilities needed to defend against identity-based attacks targeting AD’s unique architecture. So, healthcare organisations should also opt for a cybersecurity solution that specifically protects AD.

Furthermore, hospitals must ensure they have a reliable data backup that cannot be accessed, modified or deleted by attackers. This means backups must be kept on separate, completely isolated domains or local accounts.

Most importantly, emergency response plans (including backup recovery) need to be tested thoroughly and practised regularly. Healthcare organisations should regularly simulate worst-case scenarios in which they lose all access to their AD, to ensure their backup is readily accessible and functioning correctly when it counts.

The takeaway

The difference between a quick response and a slow one – between successfully halting or recovering from an attack and falling victim to attackers – often comes down to how well you have planned ahead of time and how much you have practised your plan.

Having a reliable recovery process enables healthcare providers to simply “say no” to ransomware by not having to bend to the demands of ruthless cyber criminals who threaten to disrupt their operations. 

Sean Deuby is principal technologist at Semperis.
