On May 14, 2021, the Conti ransomware gang conducted a ransomware attack on Ireland’s Health Service Executive (HSE) that resulted in the shutdown of IT systems supporting healthcare across the entire country. Around 80% of all HSE IT equipment was encrypted; more than 700 GB of sensitive data, including protected health information (PHI), was exfiltrated from its network; and it took more than 4 months to fully restore its systems, at a cost of hundreds of millions of dollars.
The HSE commissioned PricewaterhouseCoopers (PwC) to conduct an independent review of the attack and the response. The Post Incident Review was published by PwC on December 3, 2021, and ran to 157 pages. The PwC report explored the background of the attack, how the Conti ransomware gang executed their attack, the security failures that allowed the attack to succeed, and the response of the HSE.
While the PwC report is specific to the HSE, the weaknesses, vulnerabilities, and security failures that allowed the ransomware attack to succeed are pervasive in healthcare. The lessons the HSE learned from the cyberattack apply to many healthcare organizations in the United States. This week, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a threat brief based on the PwC report and is encouraging the Healthcare and Public Health Sector in the United States to learn from the cyberattack.
One of the key findings was the HSE was underprepared for a ransomware attack and that lack of preparedness increased the severity of the attack and contributed to the high cost of mitigation and the lengthy recovery period.
The HC3 threat brief explains that there was no single person at the HSE who was responsible for cybersecurity at a senior executive or management level, and no dedicated committee to provide direction and oversight of cybersecurity and of activities to reduce the HSE’s cyber risk exposure. There was also no centralized cybersecurity function for managing cybersecurity risk and controls.
There were known weaknesses and gaps in virtually all key cybersecurity controls, and it was known that teams with responsibility for cybersecurity were under-resourced. The sprawling network and adopted technologies created a very large attack surface with an unclear security boundary, and the complexity of its IT environment increased the risk of cyberattacks.
The HSE had no effective monitoring capabilities that would allow it to rapidly detect, investigate, and respond to security alerts. Its systems generated alerts that Cobalt Strike had been deployed on six servers a week before the attack, but the alerts were not properly actioned. Even though the attacker was not stealthy and the attack was noisy, the intrusion was not identified and contained before the ransomware was deployed.
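The missed-alert failure described above lends itself to a simple defensive check. The following is an added example, not code from the PwC or HC3 reports; the alert records, field names and the 24-hour acknowledgement SLA are constructed assumptions. It flags open alerts that have aged past the SLA and escalates any detection name that has fired on several distinct hosts, the pattern the six Cobalt Strike alerts would have shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert export (hypothetical SIEM fields, not real HSE data).
ALERTS = [
    {"host": f"srv-0{i}", "detection": "Cobalt Strike beacon", "severity": "high",
     "raised": "2021-05-07T09:12:00", "status": "open"} for i in range(1, 7)
] + [
    {"host": "srv-07", "detection": "Cobalt Strike beacon", "severity": "high",
     "raised": "2021-05-07T11:40:00", "status": "closed"},
    {"host": "ws-12", "detection": "Failed login burst", "severity": "medium",
     "raised": "2021-05-13T10:00:00", "status": "open"},
]


def stale_alerts(alerts, now, sla=timedelta(hours=24)):
    """Open alerts whose age exceeds the acknowledgement SLA: each one is a
    detection nobody has acted on, which is the failure mode in the HSE case."""
    return [a for a in alerts
            if a["status"] == "open"
            and now - datetime.fromisoformat(a["raised"]) > sla]


def multi_host_detections(alerts, min_hosts=3):
    """Detection names seen on at least min_hosts distinct hosts, regardless of
    ticket status. One detection recurring across hosts points to lateral
    movement rather than an isolated false positive and should be escalated."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["detection"]].add(a["host"])
    return {d: len(h) for d, h in hosts.items() if len(h) >= min_hosts}


def triage_report(alerts, now_iso, sla=timedelta(hours=24), min_hosts=3):
    """Combine both checks into the summary a SOC lead would review each shift."""
    now = datetime.fromisoformat(now_iso)
    stale = stale_alerts(alerts, now, sla)
    ages = [(now - datetime.fromisoformat(a["raised"])).days for a in stale]
    return {
        "stale_open": len(stale),
        "oldest_stale_days": max(ages, default=0),
        "escalate": sorted(multi_host_detections(alerts, min_hosts)),
    }


if __name__ == "__main__":
    # Run the report as of the day the ransomware was deployed.
    print(triage_report(ALERTS, "2021-05-14T00:00:00"))
```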
The response to the incident was hampered as the HSE did not have a documented cyber incident response plan and had not performed preparatory activities such as exercising a technical response to a ransomware attack, even though there was a high risk of ransomware attacks occurring. The lack of a response plan meant the HSE was heavily reliant on third parties to guide its response efforts, and the lack of planning meant a considerable amount of time was lost.
The attack highlights the need for governance and cybersecurity leadership, the importance of planning for an attack, and the need to ensure that business continuity planning and IT disaster recovery planning include ransomware attacks. Similar attacks could be conducted in the United States if similar vulnerabilities and weaknesses are not addressed.
You can view/download the HC3 report on this link: HC3: Lessons Learned from the HSE Cyber Attack.