Security experts warn Australia’s health sector will remain a high on the list of cyber criminals targeting critical infrastructure in 2024 as new federal legislation moves to fortify its ability to identify, share and act on threats.

Over the past year the nation and New Zealand’s healthcare sectors represented approximately 10 per cent of victims claimed by cyber extortionists on the dark web, according to Australia’s largest end-to-end private cyber security provider, CyberCX.

The company’s Cyber Intelligence Team found healthcare has one of the most unique cyber threat profiles as it is tasked with protecting sensitive data, research, vital care, and in many cases, human life.

“With more cyber extortion groups targeting healthcare organisations and increasingly adopting harm maximisation strategies, the cyber extortion threat to the sector will consistently remain high. Increasing attempts to weaponise health-related data exacerbates this threat,’’ the intelligence team said.

The federal government this week released a consultation paper on proposed cybersecurity legislation which identified “critical gaps” in the health sector’s cyber security.

Federal Home Affairs and Cybersecurity Minister Clare O’Neil released the paper on the new legislation and changes to the 2018 Security of Critical Infrastructure Act.

It follows the release of the federal government’s new cyber security strategy last month.

The government consultation paper discusses a “whole-of-economy threat picture” being critical to build preparedness and mitigate risk as cyber threats grow in scale and sophistication.

The paper noted that while existing initiatives enable threat sharing among government and industry, there is a need to improve “national mechanisms to share strategic and tactical threat intelligence’’.

“We need to enable better collaboration between government and industry to improve the quantity, quality and speed of threat sharing,’’ the paper found.

CyberCX Healthcare Industry lead Meegan Fitzharris said the biggest threat to the Australian health sector are highly organised cyber criminals who work offshore.

“Unlike some other sectors where nation state actors and espionage might be a more significant threat, that still exists in healthcare, but it really is cyber criminals …. with lots of people just constantly testing networks, constantly finding a way, finding a vulnerability.

“They can find their way into a network. There’s certainly a lot of hardening across the networks…organisations are very well prepared but those criminals are looking again for that value. The data they know that the community is really concerned about being stolen (and) being made available publicly and causes enormous harm to people’’ she said.

Ms Fitzharris said cyber criminals behind the 2022 attack on Medibank deliberately searched for particularly sensitive patient information.

“Any of your personal health information is sensitive, but your most sensitive, they (cyber criminals) looked for it as a way of continuing to raise the stakes and extortion,’’ she said.

Ms Fitzharris said while Australia is strengthening its resilience to cyber attacks, the health sector’s small and medium organisations, such as GP clinics and medical technology companies, remain vulnerable.

“The (government) strategy has good support for small and medium businesses…and its looking to build the information assessment centres (ISAC) so that they support an industry wide approach to sharing threat information  that our intelligence and forensic teams are seeing happening out there,’’ she said.

The government consultation paper also notes industry calls for a “harmonised” approach to cyber security standards for digital products and to align with international standards.

“…Consumers should have peace of mind knowing that their technology is protected from cyber attacks and does not have embedded vulnerabilities that will put them or their families at risk,’’ the paper said.

Ms Fitzharris said while health sectors’ digital networks are hardening their systems against cyber attacks, their operating systems like lifts and medical devices are at risk.

“We would like to see more effort made across the regulatory framework  …certainly some assessment around medical equipment making sure it’s safe and has standards that relates specifically to cyber security,’’ she said.

The government consultation paper found that unlike the financial sector, the health sector has one of the lowest “cyber maturities” with less capability to share, receive or act on cyber threat information, leaving large parts of the economy lacking a comprehensive threat picture.

The government will invest in a Threat Sharing Acceleration Fund (STAF) to support the development of Australian “sector-specific” Intelligence Sharing and Analysis Centres (ISAC)”, the paper said.

The STAF will help build industry capabilities for intelligence collection and dissemination of cyber threats, providing its first pilot program to the health sector, the paper said.

“Australians are rightly concerned about the cyber security of our health system – our hospitals and general practitioners hold some of the most sensitive data about Australians and their families.’’

Ms Fitzharris said the fact the first pilot project funded by the government is in the health sector is in “recognition of the risk”.

The paper also discusses the building of a Health ISAC to address critical gaps in the health system’s cybersecurity and integrate it into government threat sharing platforms to ensure a “unified national threat picture”.

“Our critical infrastructure must be resilient to cyber threats in the face of heightened geopolitical risk, capable nation-state actors, and sophisticated cybercriminals. Cyber incidents affecting critical infrastructure entities may cause cascading impacts across the Australian economy due to our heavy reliance on their services,’’ the paper noted.