Learnings from a Big Healthcare Ransomware Attack

One of the most severe healthcare ransomware attacks happened in Ireland at the beginning of 2021. A serious attack on the Health Service Executive (HSE), the national health system of the Republic of Ireland, allowed Conti ransomware to be deployed and shut down the National Healthcare Network. Consequently, healthcare specialists throughout the country could not access the HSE IT systems, which include patient records, clinical care systems, laboratory systems, payroll, as well as other clinical and non-clinical systems. This disrupted the healthcare services throughout the country.

After the attack, the HSE Board called on PricewaterhouseCoopers (PWC) to perform an independent post-attack analysis to confirm the facts associated with technical and operational readiness and the conditions that permitted the attackers to obtain access to its systems, copy sensitive information, encrypt data files, and extort money from the HSE.

Cybersecurity Problems that are Prevalent in the Healthcare Sector

PWC’s recently released report identifies several security weaknesses that allowed the HSE systems to be compromised. Although the report concerns the HSE cyberattack, its findings apply to many healthcare organizations in the United States that have the same unresolved vulnerabilities and the same insufficient readiness for ransomware attacks. The PWC recommendations can be used to strengthen security and prevent similar attacks.

Although the HSE ransomware attack affected a substantial number of IT systems, it began with a phishing email. On March 16, 2021, a staff member received an email with a malicious Microsoft Excel spreadsheet attachment. When the attachment was opened, malware was installed on the workstation. Even though the HSE workstation had antivirus software installed, it failed to detect the malicious file because its virus definitions had not been updated for more than a year.

After the first device was infected, the attacker moved laterally inside the network, compromised a number of highly privileged accounts, gained access to many servers, and exfiltrated data. On May 14, 2021, eight weeks after the initial compromise, Conti ransomware was deployed widely to encrypt files. The HSE detected the encryption and took the National Health Network offline to contain the attack; as a result, healthcare professionals throughout the country lost access to applications and critical information.

During those eight weeks of compromise, suspicious activity was detected on more than one occasion, each of which should have prompted an investigation into a possible security breach; however, those alerts were not acted on. Had appropriate action been taken, the deployment of the ransomware and the exfiltration of sensitive data could have been prevented.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker used well-known and straightforward techniques to move around the network, locate and exfiltrate sensitive information, and deploy Conti ransomware across many parts of the IT estate with little difficulty. The attack could have been far worse: the attacker could have targeted medical devices, destroyed data at scale, used self-propagating capabilities like those seen in the WannaCry ransomware attacks, and targeted cloud systems as well.

The HSE stated clearly that it would not pay the ransom. On May 20, 2021, six days after access to the HSE IT systems was shut down to contain the attack, the attackers released the decryption keys. Thanks to a strong incident response and the release of the keys, the worst effects were avoided. Even with the decryption keys, however, it was not until September 21, 2021 that the HSE had fully decrypted all files on its servers and restored about 99% of its applications. The HSE estimates that the cost of the attack could reach as much as €500 million.

Ireland’s Biggest Company Had No CISO

PWC attributed the attack to a low level of cybersecurity readiness, weak IT systems and controls, and workforce problems. PWC found there was insufficient cybersecurity leadership: no one in the HSE was responsible for providing leadership and direction over its cybersecurity initiatives, which is highly unusual for an organization of the HSE’s size and complexity. The HSE is Ireland’s biggest company and had more than 130,000 personnel and over 70,000 devices at the time of the attack, yet only 1,519 employees with cybersecurity functions. PWC stated that the staff responsible for cybersecurity lacked the skills needed to perform the tasks required of them, and that the HSE should appoint a Chief Information Security Officer (CISO) with overall accountability for cybersecurity.

Insufficiency of Monitoring and Cybersecurity Controls

The HSE lacked the capability to effectively monitor and respond to security alerts across its entire estate; patching was slow, and updates were not applied promptly across the IT systems connected to the National Health Network. The HSE was also dependent on a single anti-malware solution that was not being monitored or effectively maintained across its IT environment. At the same time, the HSE continued to use legacy systems with known security weaknesses and remained heavily dependent on Windows 7.
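The control failures the report describes (stale antivirus definitions, slow patching, an end-of-life operating system, and alerts that nobody acted on) are all things an inventory and alert queue can be checked against routinely. The script below is an added example written for this article; it is not code from the PWC report or the HSE, and the hostnames, dates, alert identifiers and thresholds in it are constructed. It takes a small endpoint inventory and an alert queue and returns, per control, which hosts or alerts fall outside policy, so the kind of gap that went unnoticed for eight weeks shows up in a daily report instead.

```python
"""Readiness checks modelled on the report's findings.

All hostnames, dates, alert identifiers and thresholds below are constructed
for this example; none of them come from the HSE incident or the PWC report.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List


@dataclass
class Endpoint:
    hostname: str
    os_name: str                 # e.g. "Windows 7", "Windows 10"
    av_definitions_date: date    # date of the installed anti-malware signature set
    last_patched: date           # date the host last received security updates


@dataclass
class Alert:
    alert_id: str
    hostname: str
    raised_at: datetime
    acknowledged: bool           # has an analyst opened an investigation?


# Constructed inventory (not real hosts).
ENDPOINTS = [
    Endpoint("ws-clinic-01", "Windows 7",  date(2020, 2, 10), date(2020, 1, 20)),
    Endpoint("ws-clinic-02", "Windows 10", date(2021, 3, 14), date(2021, 1, 5)),
    Endpoint("srv-lab-01",   "Windows 10", date(2021, 3, 1),  date(2021, 3, 10)),
]

# Constructed alert queue (not real alerts).
ALERTS = [
    Alert("A-1001", "ws-clinic-01", datetime(2021, 3, 16, 9, 5), acknowledged=False),
    Alert("A-1002", "srv-lab-01",   datetime(2021, 3, 15, 23, 40), acknowledged=True),
    Alert("A-1003", "ws-clinic-02", datetime(2021, 3, 17, 7, 30), acknowledged=False),
]

# Assumed policy thresholds; tune these to local policy.
MAX_DEFINITION_AGE = timedelta(days=7)
MAX_PATCH_AGE = timedelta(days=30)
MAX_UNACKNOWLEDGED = timedelta(hours=4)
# Windows 7 left extended support on 14 January 2020 (published Microsoft lifecycle date).
UNSUPPORTED_OS = {"Windows 7": date(2020, 1, 14)}

# Constructed "as of" time used by the stand-alone run below.
DEMO_AS_OF = datetime(2021, 3, 17, 9, 0)


def stale_definitions(endpoints, as_of: date, max_age=MAX_DEFINITION_AGE) -> List[str]:
    """Hosts whose anti-malware signatures are older than max_age on as_of."""
    return [e.hostname for e in endpoints if as_of - e.av_definitions_date > max_age]


def overdue_patching(endpoints, as_of: date, max_age=MAX_PATCH_AGE) -> List[str]:
    """Hosts that have not received security updates within max_age."""
    return [e.hostname for e in endpoints if as_of - e.last_patched > max_age]


def unsupported_os(endpoints, as_of: date) -> List[str]:
    """Hosts running an operating system that is past its support end date."""
    return [e.hostname for e in endpoints
            if e.os_name in UNSUPPORTED_OS and as_of >= UNSUPPORTED_OS[e.os_name]]


def unanswered_alerts(alerts, as_of: datetime, max_open=MAX_UNACKNOWLEDGED) -> List[str]:
    """Alerts nobody has acknowledged within max_open of being raised."""
    return [a.alert_id for a in alerts
            if not a.acknowledged and as_of - a.raised_at > max_open]


def readiness_report(endpoints, alerts, as_of: datetime) -> Dict[str, List[str]]:
    """Run every check and return the policy breaches per control."""
    day = as_of.date()
    return {
        "stale_definitions": stale_definitions(endpoints, day),
        "overdue_patching": overdue_patching(endpoints, day),
        "unsupported_os": unsupported_os(endpoints, day),
        "unanswered_alerts": unanswered_alerts(alerts, as_of),
    }


if __name__ == "__main__":
    for check, hits in readiness_report(ENDPOINTS, ALERTS, DEMO_AS_OF).items():
        print(f"{check}: {hits or 'none'}")
```

In practice the inventory would be fed from the endpoint management and anti-malware consoles and the alert queue from the SIEM or ticketing system; the thresholds are policy decisions, and the point of the example is that each of the report's findings becomes a concrete, repeatable check rather than something discovered after an incident.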

The same weaknesses in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations apply well beyond the HSE as a way to strengthen cybersecurity and make attacks like this one harder to carry out successfully.

The PWC report, advice, and learnings from the attack are available here.