Malware, Ransomware

Costs from ransomware attack against Ireland health system reach $600M

The Ireland Health Service Executive (HSE) is continuing to operate under electronic health record (EHR) downtime procedures and experiencing continued care disruptions, after suffering a ransomware attack more than six weeks ago.

The June 28 update shows patients are still being warned to expect significant care delays and to bring health information that could help support their care, also pointing to investments to ensure more comprehensive network monitoring for malware in the future.

The recovery is slow-going with the HSE Director General Paul Reid projecting the costs to exceed $600 million, Reid recently explained during a Joint Committee on Health meeting.

Reid was joined by HSE Chief Operating Officer Anne O’Connor, Chief Clinical Officer Dr. Colm Henry, Chief Information Officer Fran Thompson, and Clinical Lead of the COVID-19 Vaccination Programme Damien McCallion, shedding light on the ransomware attack that has driven much of the country’s health system offline.

The $600 million cost estimate includes $120 million in current, ongoing recovery needs, such as hiring outside technical leaders to support recovery efforts. The remaining cost estimates will cover the replacement and upgrade of the systems crippled by ransomware, as well as payments to outside cybersecurity support.

Further, the HSE intends to implement a security operation center able to better monitor the network for potential threats. So far, the team has brought three-quarters of the network back online.

Cost comparisons

In the last three years, ransomware actors have worked to increase the likelihood of higher payouts. For many of these attacks, the goal is to not only hack into a network but to proliferate across the network in its entirety and exfiltrate data, Coveware researchers explained in a recent blog.

Part of this effort is data exfiltration, which occurs in 77% of ransomware incidents. And as attacks become more complex, ransom demands have rapidly expanded.

The previous Covewave quarterly ransomware cost estimates for 2021, so far, found the average demand rose 80 percent in the last year. The average price tag for downtime is just over $274,000.

But those costs are significantly higher in health care, as shown in cost estimates for downtime and recovery costs released by the impacted entities.

The attacks on Universal Health Services and the University of Vermont Health Network during the ransomware wave on health care in the fall were fairly similar in terms of the length of downtime, care impact, and recovery costs.

Both providers faced an average of downtime procedures and care disruptions, with UVM receiving support from the Army National Guard’s Cyber Response with its recovery.

A UHS earnings report in March showed the security incident resulted in $67 million in lost operating income, labor expenses, and overall recovery costs. Those costs were attributed to a significant increase in labor expenses and delays in coding and billing.

As the attack caused severe care disruptions to its acute care services, UHS also saw massive operating income losses that negatively affected operating cash flows.

UVM Health Network recently shared that its monthlong outage cost the health system at least $63 million in recovery costs alone. But officials are still working to calculate the full impact the incident will have on its finances.

Ongoing outages and care disruptions

“The pressure the COVID-19 pandemic has placed on our health service is unprecedented,” Health Committee Cathaoirleach Seán Crowe TD, said ahead of the meeting. “The criminal cyberattack on the HSE’s computer system compounded that stress and strain.”

“The impact of the pandemic and cyberattack combined is traumatic for staff and especially for the growing number of patients of all ages who need to access care.”

The cyberattack struck on May 14 and caused major IT disruptions across the Ireland East Hospital Group, with many patient appointments either being canceled or rescheduled. The attack has been attributed to Conti threat actors, who demanded a $19 million ransom payment to decrypt the system. However, HSE has refused to pay the attackers.

Previous reports revealed Conti leaked some patient data allegedly stolen from the HSE prior to the ransomware deployment. In total, it appears the attackers stole a total of 700 GB of data, which was downloaded 23 times before it was taken offline.

A report from The Irish Examiner shows HSE leadership is asking for help in identifying those who downloaded the stolen data from the online posting.

As the HSE IT team focuses on recovery, clinicians have continued to operate under EHR downtime procedures and backup processes. At the hearing, HSE leadership shared that the maternity and radiology departments have seen the most care disruptions.

Previously, Ireland’s Faculty of Radiologists offered examination workstations for the country’s radiology departments in light of the continued outages. The HSE has also received support from Ireland’s National Cyber Security Centre.

HSE is among a half-dozen global health care providers currently operating under downtime procedures following ransomware incidents, including the Waikato District Health Board in New Zealand, which was struck with an attack within days of the HSE.

In the US, Stillwater Medical Center in Oklahoma is still experiencing some care delays, as well as issues with its phone and email systems, following a June 13 cyberattack. Two hospitals of the University of Florida Health are also facing extended downtime, after a May 31 incident. The health system has not provided an update on the ongoing situation.

The latest US victim, St. Joseph's/Candler in Georgia, managed to bring its oncology services back online after a June 17 ransomware attack. However, much of its IT system remains offline. The IT team is continuing to investigate with support from the FBI and local law enforcement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.