A general view of the Coombe Women and Infants University Hospital on Oct. 23, 2013, in Dublin, Ireland. Part of the Ireland HSE, the entire health system was impacted during a ransomware attack in mid-2021. (Photo by Dan Kitwood/Getty Images)

The Department of Health and Human Services urges healthcare provider organizations to review key mistakes made by the Ireland Health Service Executive prior to, during, and in response to its months-long network outage brought on by systems hack in mid2021.

The HSE first discovered the network intrusion in the early hours of May 14, 2021, with the deployment of ransomware that shut down the entire health IT systems across the country. The attack caused an extensive list of care disruptions, including numerous cancellations.

In total, 80% of the IT environment was encrypted with ransomware. The recovery efforts lasted for more than four months and cost more than $600 million, including $120 million in recovery. Those costs included the replacement and upgrade of all systems infected with ransomware.

The ransomware attack was one of the first instances where an entire national health service was impacted by a cyber incident. It’s also one of the longest-outages directly caused by a threat actor. Even with the global WannaCry attack in 2017, just a portion of the U.K. National Health Services was impacted.

The initial investigation also found the attackers persisted on the network for several months before the ransomware deployment, stealing 700MB of unencrypted patient data that were later leaked online. The data was later tracked to a commercial server in the U.S., operated by Conti.

The critical impact prompted a third-party investigation to uncover just what went wrong. The post-mortem into the incident painted a damning picture of mismanagement, failure to respond to multiple instances of suspicious activity, and other missed opportunities.

For HHS, these failures should be reviewed by U.S. healthcare entities to learn from the mistakes and ensure they’ve not overlooked similar blindspots. 

Some key items include failing to have a single, responsible owner for cybersecurity at a senior executive of management level at the time of the attack. HSE also lacked a dedicated committee able to provide direction or oversight of cybersecurity, or advice on recommended activities that could have reduced the risk of exposure.

“The lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cyber risks, as well as the abilities to identify and deliver mitigating controls,” the report shows. “It was a known issue that the teams with cybersecurity responsibilities were under-resourced.”

HSE also overlooked known security gaps and vulnerabilities in its cybersecurity controls, failed to implement a centralized cybersecurity function for managing cybersecurity risk and controls, and “had a large and unclear security boundary that encompassed many of the organizations connected to the National Healthcare Network.”

And the effective part of its security boundary, didn’t align with the HSE’s ability to mandate cybersecurity controls.

The report also shows vast issues with the communication and personnel structure, including a heavy reliance on certain individuals rather than a team effort, which “likely contributed to a recovery timeline that was longer than could have been achieved.” The issue likely stemmed from the HSE’s failure to implement and practice an effective incident response plan.

“The impact of the ransomware attack on communications was severe, as the HSE almost exclusively used on-premise email systems, including Microsoft Exchange, that were encrypted, and therefore unavailable, during the attack,” according to the report.

“The HSE missed opportunities for efficiencies in the recovery of systems and applications due to a lack of preparedness,” it added.

The HHS report notes key actions for providers to take around governance and cybersecurity leadership, as well as preparedness for responding and recovering from an incident. As Mitre has consistently warned, cybersecurity basics and response plans are crucial for healthcare providers given that it’s impossible to completely eliminate risk.

Further, the Conti group remains an elevated risk for the healthcare sector. As human-operated ransomware actors continue to target vulnerable sectors, providers should review the report to better understand attack methods, threat status, targeted entities, and online presence. HHS tracked at least 40 ransomware incidents tied to Conti last year.