Ransomware post-mortem: Ireland HSE cyberattack, recovery dogged by missteps

A general view of the Coombe Women and Infants University Hospital on Oct. 23, 2013, in Dublin, Ireland. Part of the Ireland HSE, the entire health system was impacted during a ransomware attack in mid-2021. (Photo by Dan Kitwood/Getty Images)

An independent post-incident assessment of the months-long network outage at Ireland’s Health Service Executive over the summer revealed that the ransomware attack and data exfiltration incident “had a far greater and more protracted impact on the HSE than initially expected.”

“The ransomware attack against the HSE would appear to be the first occurrence of an entire national health service being impacted by such an attack,” according to the report. While confined to Ireland, the attack and investigative report can provide relevant insights to U.S. health systems attempting to prevent a similar fate.

The cyberattack was first discovered in the early hours of May 14 with the deployment of ransomware, and the recovery efforts lasted more than four months. The initial cost estimates totaled a whopping $600 million, including $120 million in recovery needs, replacing and upgrading the systems affected by the ransomware, and payments to a third-party cybersecurity support team.

Led by PricewaterhouseCoopers, the investigation consisted of a review of provided documentary evidence and interviews with the HSE workforce, hospitals, chief healthcare officers, and other third parties relevant to the review. The health system provided the review team with a “significant volume of documentation.”

The report confirms that while the ransomware was deployed in May, the hackers first gained access to the HSE network eight weeks earlier, on March 18, when a user interacted with a phishing email and an HSE workstation was infected with malware.

Once the hackers had access, they continued to operate in the environment over the course of the next several months, compromising and abusing a significant number of accounts with high-level and admin privileges, compromising a significant number of servers, exfiltrating data, and moving laterally to a total of seven statutory and voluntary hospitals.

The recovery efforts did not conclude until Sept. 21, when the HSE deemed all servers decrypted. But even then, 1% of the applications remained unrestored. The recovery included all servers and 1,075 applications, out of a total of 1,087 applications.

“The attacker used relatively well-known techniques and software to execute their attack. A more sophisticated attack may have involved gathering intelligence in advance, before it could be successfully and subtly exploited,” the report authors wrote. “The impact of the Incident on the HSE and health services could have been significantly greater, with far more severe clinical impact.”

Missed opportunities

The HSE security team did not detect the hackers’ movements until the detonation of the Conti ransomware on May 14, and by then, the attackers had infiltrated the IT systems, including PCs and servers. 

What’s more, “there were several detections of the attacker’s activity prior to May 14, but these did not result in a cybersecurity incident and investigation initiated by the HSE,” the report reads. “As a result, opportunities to prevent the successful detonation of the ransomware were missed.”

The timeline shows that servers were first compromised on May 7, while the statutory and voluntary hospitals were compromised between May 8 and May 12. One hospital identified malicious activity on a domain controller on May 10, and another communicated alerts of suspicious activity to the HSE’s Office of the Chief Information Officer on May 12. The attacker began browsing and opening files on the HSE system on May 12 and May 13.

In two positive steps, the HSE’s antivirus security provider emailed the HSE’s Sec Ops team about the numerous threat events that hadn’t been handled, while one hospital and the Department of Health proactively prevented an attack on their networks.

But for the primary HSE, the hackers’ presence went unnoticed or without action until the ransomware deployment on May 14 prompted HSE to launch its critical incident process and disconnect the National Healthcare Network from the internet in an “attempt to contain and assess the impact of the cyberattack.”

The move removed the threat actor’s access to the HSE environment, but shut off providers’ access to the IT systems, including patient information, clinical care and laboratory systems, as well as non-clinical platforms like financial, payroll and procurement systems.

Communication channels, including email and networked phone lines, were also lost, and staff were forced to use mobile and analogue phones, fax and face-to-face meetings to perform their job duties and maintain patient care.

“Significant disruption immediately occurred, and many healthcare professionals had to revert to pen and paper to continue patient care,” the report authors wrote. “Healthcare services across the country were severely disrupted with real and immediate consequences for the thousands of people who require health services every day.”

The report mirrors a recent SCHealth discussion, which provided multiple use cases for the potential care morbidities caused by cyberattack-induced network outages.

HSE was assisted by a number of government and third-party teams, as “the response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event, e.g. through not having a pre-prepared list of prioritized clinical systems and applications to focus their efforts.”

Mitre has long stressed that healthcare providers must prioritize recovery efforts and business continuity plans to ensure recovery is expedient and efficient.

Finally, after media attention surrounding the leaked data, the Conti actors released a decryption key to unlock the encrypted files. It was validated by the HSE’s incident response provider. By using the provided tool, the HSE gained “access to the data that had been encrypted by the Conti ransomware.”

“It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape,” the report authors wrote. “Therefore it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss.” 

“It is also likely to have taken considerably longer to recover systems without the decryption key,” they added.

It’s a concerning detail, considering the recovery took nearly five months.

Lessons learned

The investigation confirmed the purpose of the attack was to disrupt health services and IT systems, in addition to stealing health information. HSE previously confirmed the Conti actors stole troves of patient information and leaked it online in an effort to persuade leadership to pay the $19 million ransom demand. HSE and the Irish government refused to pay the attackers.

In the end, it was the workforce that allowed patient care to continue. The investigators found clinicians and other care team members went above and beyond in their response, acting quickly and implementing “actions and workarounds to maintain even a basic continuity of service to their patients.”

“Transformational change is required across the technology foundation for provision of health services and its associated cybersecurity that will need to be executed over the coming years,” the investigators concluded. 

To “deliver a significant and sustainable change in the exposure to cybersecurity risk, the HSE must focus on: establishing an executive level cybersecurity oversight committee to drive continuous assessment of risk and transformation, setting up an executive level IT oversight committee, and implementing a board committee to oversee an IT and cybersecurity transformation.”

HSE also needs to establish clear responsibilities for IT and cybersecurity for every site and party connected to the national health network, including the development of a “‘code of connection’ that sets minimum cybersecurity requirements for all parties.”

The report contains a host of other elements that the HSE should overhaul in order to transform its current state of cybersecurity. U.S. healthcare provider organizations should leverage the document to see where their own programs stack up and whether there are security gaps that need to be addressed.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
