Categories
Guide Hacking Stories

Real Life Hacking Stories: Chapter 2: The attack on Ireland’s public healthcare system – HSE Ireland  

Real Life Hacking Stories

Chapter 2: The attack on Ireland’s public healthcare system – HSE Ireland 

Greetings! 

Every cyberattack comes with its share of consequences.  It does not only have financial impacts but also stakeholders, partners, and prospects across different locations. Over the past few years, attacks on the healthcare industry have become more frequent, with cybercriminals aiming to target the most sensitive personal and healthcare information. 

With healthcare being the most targeted industry in 2023, it is a mutual lesson for all healthcare providers to step their game up with a proactive defense.  A system that assists them to continue their operations in such situations and effectively recover their most sensitive data.  

Through our REAL-LIFE HACKING STORIES series, we will look into some real-life cyber-attacks. Let us explore the incident on the Health Service Executive (HSE), Ireland’s renowned healthcare system. The attack made the situation in Ireland even worse with the pandemic. 

A brief overview of HSE  

The Health Service Executive is one of the healthcare systems on which the country relies. It comprised 54 public healthcare institutions directly governed by the HSE authority. It has the largest staff in the state, with around 1,30,000 employees directly working for HSE and organizations funded by HSE.  

These hospitals were highly reliant on IT infrastructure, providing healthcare and social care services to a majority of citizens in Ireland. It comprises a massive database of healthcare and medical data specific to patient conditions, treatments, and other research-specific data. 

What happened? 

On 14 May 2021, a major ransomware attack was targeted at the Health Service Executive (HSE) that caused a massive disruption nationwide of their IT systems. It is known to be one of the most massive attacks in history, with the organization taking almost four months for full recovery. The attack caused operational disruption in many HSE hospitals, causing multiple services to shut down.  

The attacker used Conti ransomware that encrypted most of their IT infrastructure.  The attacker’s objective was to disrupt a majority of health services by targeting HSE’s IT systems and stealing their data in exchange for a ransom to hand over the decryption keys and not publish their stolen data.  

How the attack happened?  

The malware infection began spreading from patient zero workstation that clicked a malicious Microsoft Excel file that was downloaded through a phishing mail sent to the system’s owner on 16 March 2021.  

The attacker gained access to the IT infrastructure on 18th March 2021 and maintained access for 8 weeks until the Conti ransomware was detonated on 14th May 2021. While maintaining access, the attacker engaged in compromise of multiple accounts exfiltrating data, leveraging admin level privileges and moving latterly to other hospitals causing significant disruption.  

The impact of the attack 

  • Conti ransomware group carried out the attack.  
  • It encrypted over 80% of the HSE’s data, including sensitive medical records of patients, preventing primary functions such as diagnostics.  
  • It impacted 70000 devices spread across 4000 locations in 52 hospitals.  
  • The data exfiltrated includes protected health information (PHI) and medical records, making it highly challenging for medical experts and emergency service providers. 
  • Healthcare professionals weren’t able to access critical IT systems that consisted of patient information, laboratory systems, and clinical care systems.  
  • It also impacted administrative, financial, and other functions like payroll and procurement.  
  • It caused a massive disruption in operations, forcing many healthcare professionals to go back to pen and paper to ensure the continuity of their service.  
  • Communication channels between operational services, including phone lines and emails were disrupted. 
  • The staff had to rely on analog phones, faxes, and in-person meetings to communicate.  
  • Attackers exfiltrated over 700GB of data that was exposed in a server in the U.S.  
  • The organizations had to bear damages, financial costs, and lawsuits filed by patients who experienced interruptions in patient care services.  

What are the remediation and recovery measures taken by HSE? 

The organization identified the attack through the detection of malicious activity and communicated it to the HSE OCIO. The HSE’s Antivirus Security Provider communicated the activity to their Security Operations team. The HSE immediately enabled their Critical Incident Process that began by switching off their IT systems and disconnecting internet facing National Healthcare Network (NHN) to contain the attack and stop the attacker from further impacting the systems.  

Access to NHN was immediately shut down government agencies were sought for support with response.  HSE set up a dedicated war room for responding to the breach and after five days a court order was obtained to restrain sharing of HSE data.  

The Sec Ops team released a comprehensive process for the recovery of systems, which helped them recover 47% of servers and 51% of applications in one month.  Within four months, the organizations recovered most of their servers and 99% of applications.  

1. Cybersecurity wasn’t prioritized

One of the biggest lessons learned from the attack is that cybersecurity if not prioritized at an executive level can have a domino effect, especially at critical times of incident response. It reflects the status quo approach towards cybersecurity in a majority of businesses across industries.  

2. No dedicated team for cybersecurity

HSE didn’t have a dedicated round-the-clock team for cybersecurity for making proactive decisions and providing direction to all the cybersecurity activities from policy framing, management of risk & controls, identification of risks, to incident response planning 

3. No documented incident response plan

There was no documented incident response plan with preparedness for containment, remediation, and recovery   

4. Limited teams lead to limited outcomes 

Their limited team for cybersecurity was under-resourced both in terms of expertise and solutions to address the known vulnerabilities and identify the gaps in their current security controls quickly and effectively. For example, HSE’s antivirus detected the commonly used tool Cobalt Strike by ransomware groups but effective action the alert was not taken.  

5. Large and complex technology-driven network

The HSE had a large, highly complex tech-driven network of hospitals. Their limited team wasn’t able to create an effective cybersecurity framework that worked for such a complex network of hospitals  

6. High dependence on anti-virus tools 

HSE relied heavily on antivirus for detection and prevention of threats on endpoints instead of having round-the-clock security monitoring capabilities that identified and responded to threats across IT infrastructure 

7. Lack of governance for cybersecurity

There was a lack of governance for cybersecurity which led to increased delay in incident response and more than 80% of encryption of sensitive information. HSE had to rely heavily on limited individuals and third-party experts to effectively respond to the attack.  

In Chapter One, we take a deep dive into how one of the world’s oldest libraries, The British Library, got hacked with some key takeaways.   

In case, you haven’t read Chapter One, you can read it here

In Chapter One, we take a deep dive into how one of the world’s oldest libraries, The British Library, got hacked with some key takeaways.

Are you a healthcare services provider looking to level up existing cybersecurity?  

Read More

All
Endpoint Security