HC3: Learn from Ireland’s Health Service Executive Ransomware Attack Experience

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a report giving information about the Conti ransomware attack on the Health Service Executive (HSE) in Ireland last May 2021, as well as guidance for the healthcare and public health (HPH) sector in preparing, responding, and recovering from ransomware attacks.

The report gives data about the vulnerabilities and weaknesses that the Conti ransomware gang exploited, along with information about HSE’s lack of readiness for ransomware attacks that affected its ability to identify, react and remediate the cyberattack and led to the lengthy and costly recovery process.

The Conti ransomware gang, considered to be a rebranding of the well known Ryuk ransomware operation, initially acquired access to the HSE system on May 7, 2021, and the systems of one statutory hospital and six voluntary hospitals had been breached from May 8, 2021 to May 12, 2021. One impacted hospital discovered the ransomware attack on May 10, and alerted HSE on May 12. From May 12 to May 13, the attacker viewed data and folders on systems of HSE. The Department of Health and one hospital stopped attacks on their systems on May 13, however, in the morning of May 14, 2021, files had been encrypted in other hospitals and the HSE. The HSE mentioned approximately 80% of its system was encrypted during the attack.

The attackers made a ransom demand; but one week after, the gang gave the decryption keys for free. However, they demanded ransom payment from HSE to stop the publication or selling of the stolen information. Four months after file encryption, on September 21, 2021, HSE had restored 100% of its servers and 99% of its programs. The cost of recovery from the ransomware attack was hundreds of millions of dollars. If the Conti ransomware gang did not give the decryption keys, the cost and damage of the attack would have been worse.

The Conti ransomware group has performed a minimum of 40 ransomware attacks last 2021 in the United States, Europe, Columbia, Australia, and India, which include attacks on HPH entities in about 20 U.S. states. The healthcare entities that faced attacks include biotech companies, health/medical hospitals, home healthcare providers, hospices/elderly care, hospitals, pharma companies, healthcare sector services, and public health organizations.

In December 2021, the HSE published a 157-page report about PricewaterhouseCoopers’ (PwC) post-incident analysis that talked about the history of the attack, the chronology, the recovery process, cybersecurity downfalls, and provided a lot of advice. The PwC report was the HC3 report’s reference.

The PwC and HC3 reports mention a lot of cybersecurity problems that led to the poor recognition of the attack, the incapability to react immediately to security warnings and carry out mitigations, and the substantial recovery time. In spite of the great risk of ransomware attacks on the healthcare sector, the HSE was just not ready to handle a ransomware attack. It had

  • no single owner for cybersecurity in a management or senior executive level
  • no specific committee giving guidance and monitoring of cybersecurity activities
  • several weaknesses and holes in cybersecurity settings
  • no cybersecurity forum to talk about and record risks
  • no central cybersecurity function to handle cybersecurity threats and controls,
  • under-resourced cybersecurity teams

The technology employed by the HSE was excessively complicated, which elevated vulnerability to attacks. There was a huge and ambiguous security boundary. The efficient security boundary failed to line up with its capacity to handle cybersecurity controls. It lacked effective tracking of the capability to identify and react to attacks. High-risk breaks were discovered in 25 of the 28 cybersecurity settings that are most efficient at identifying and stopping human-operated ransomware attacks. The HSE was too dependent on antivirus software for securing endpoints. The HSE did not have a recorded cyber incident response plan and did not perform activities concerning the technical response to an attack. The HSE was consequently greatly dependent on third parties after the attack to give structure to its response tasks.

Although a lot of ransomware actors are sneaky, the Conti ransomware attack wasn’t. On May 7, 2021, the HSE’s antivirus identified Cobalt Strike on six servers; two hospitals recognized an intrusion prior to deployment of the ransomware; two organizations averted the deployment of ransomware, yet HSE had no central response.

The report shows the results of not having an efficient cybersecurity plan, the importance of preparing extensively for an attack, and the value of governance and cybersecurity management. Healthcare companies all over the world can learn from the lessons learned by the HSE to avoid attacks on their own IT system, and make sure they are effectively ready to respond to a ransomware attack when their security is breached.