Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country.

Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE.

Cybersecurity Failures that are Common in the Healthcare Industry

PWC’s recently published report highlights a number of security failures that allowed HSE systems to be infiltrated. While the report is specific to the HSE cyberattack, its findings are applicable to many healthcare organizations in the United States that have similar unaddressed vulnerabilities and a lack of preparedness for ransomware attacks. The recommendations made by PWC can be used to strengthen defenses to prevent similar attacks from occurring.

While the HSE ransomware attack affected a huge number of IT systems, it started with a phishing email. An employee was sent an email with a malicious Microsoft Excel spreadsheet as an attachment on March 16, 2021. When the attachment was opened, malware was installed on the device. The HSE workstation had antivirus software installed, which could have detected the malicious file and prevented the malware infection; however, the virus definition list had not been updated for over a year, which rendered the protection near to non-existent.

From that single infected device, the attacker was able to move laterally within the network, compromise several accounts with high-level privileges, gain access to large numbers of servers, and exfiltrate data ‘undetected’.  On May 14, 2021, 8 weeks after the initial compromise, Conti ransomware was extensively deployed and encrypted files. The HSE detected the encryption and shut down the National Health Network to contain the attack, which prevented healthcare professionals across the country from accessing applications and essential data.

During the 8 weeks that its systems were compromised, suspicious activity was detected on more than one occasion which should have triggered an investigation into a potential security breach, but those alerts were not acted upon. Had they been investigated the deployment of ransomware could have been prevented and potentially also the exfiltration of sensitive data.

Simple Techniques Used to Devastating Effect

According to PWC, the attacker was able to use well-known and simple attack techniques to move around the network, identify and exfiltrate sensitive data, and deploy Conti ransomware over large parts of the IT network with relative ease. The attack could have been far worse. The attacker could have targeted medical devices, destroyed data at scale, used auto-propagation mechanisms such as those used in the WannaCry ransomware attacks, and could also have targeted cloud systems.

The HSE made it clear that it would not be paying the ransom. On May 20, 2021, 6 days after the HSE shut down all HSE IT system access to contain the attack, the attackers released the keys to decrypt data. Had it not been for a strong response to the attack and the release of the decryption keys the implications could have been much more severe. Even with the keys to decrypt data it took until September 21, 2021, for the HSE to successfully decrypt all of its servers and restore around 99% of its applications. The HSE estimated the cost of the attack could rise to half a billion Euros.

Ireland’s Largest Employer Had No CISO

PWC said the attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues.  PWC said there was a lack of cybersecurity leadership, as there was no individual in the HSE responsible for providing leadership and direction of its cybersecurity efforts, which is very unusual for an organization with the size and complexity of the HSE. The HSE is Ireland’s largest employer and had over 130,000 staff members and more than 70,000 devices at the time of the attack, but the HSE only employed 1,519 staff in cybersecurity roles. PWC said employees with responsibility for cybersecurity did not have the necessary skills to perform the tasks expected of them and the HSE should have had a Chief Information Security Officer (CISO) with overall responsibility for cybersecurity.

Lack of Monitoring and Insufficient Cybersecurity Controls

The HSE did not have the capability to effectively monitor and respond to security alerts across its entire network, patching was sluggish and updates were not applied quickly across the IT systems connected to the National Health Network. The HSE was also reliant on a single anti-malware solution which was not being monitored or effectively maintained across its entire IT environment. The HSE also continued to use legacy systems with known security issues and remains heavily reliant on Windows 7.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organizations face today,” concluded PWC. “It does not have sufficient subject matter expertise, resources, or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale. There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

Similar vulnerabilities in people, processes, and technology can be found in many health systems around the world, and the PWC recommendations can be applied beyond the HSE to improve cybersecurity and make it harder for attacks such as this to succeed.

The PWC report, recommendations, and learnings from the incident can be found here (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.