BLOG

Case Study: Ransomware Locks Up 80% of 54-Hospital Health System

The U.S. Department of Health and Human Services (HHS) recently published an insightful ‘lessons learned’ document that chronicles a large-scale ransomware attack on the Health Service Executive (HSE) of Ireland [1]. The HSE is Ireland's publicly funded health care system, consisting of over 54 public hospitals directly under the HSE authority and voluntary hospitals which utilize the national IT infrastructure.

You may be thinking, why is HHS analyzing an Ireland-based health system attack? Well, it turns out that the attack mirrors many of the ransomware attacks that we have seen here in the states and provides ample lessons learned for the potential impacts to healthcare delivery organizations that are common across all health care providers, wherever they may reside.

This blog provides a summary of the HSE ransomware event, insights from HHS, and analysis and recommendations from Meditology based on our experience with helping healthcare organizations prevent and respond to ransomware attacks.

Massive Attack Cripples Large Health System

On May 14, 2021, HSE suffered a major ransomware cyber-attack that caused all its IT systems nationwide to be shut down. It became the most significant cyber-attack on Irish state agency, as well as the largest known attack against a health service computer system in history.

Timeline
  • March 18, 2021 – Initial Compromise. Attackers first gained access to an end user workstation on March 18, 2021. The attackers waited two months before launching additional attacks to actively attempt to compromise the HSE network on May 7th.
  • May 14, 2021 – Ransomware Attack Begins. The malicious actors then spent one week ‘noisily’ poking around the HSE environment before dropping their ransomware payload on May 14th. Soon thereafter, 80% of the HSE environment became encrypted with ransomware.
  • May 21, 2021 – Decryption Keys Obtained. Decryption keys were obtained one week later on May 21. The method for obtaining the decryption keys was not made public.
  • September 21, 2021 – Full Recovery of HSE Systems - The full recovery of HSE systems was not completed until four months later on September 21.
Malware Used in the Attack

The ransomware ‘flavor’ used in the attack was the high-profile Conti ransomware, which is a follow-on ransomware malware type to the Ryuk ransomware made popular by Russian and Eastern European criminal gangs in 2020-2021.

Refer to the following resources for more information on the Conti and Ryuk ransomware malware and attackers:

Assessing the Damage

The impacts from the ransomware event for this monster health system attack included a reversion to pen and paper charting for hospital staff. Moving from electronic to paper record keeping introduces material risks to patient safety and create operational nightmares for managing day-to-day clinical and administrative functions.

80% of the HSE IT environment was encrypted by the ransomware, severely disrupting the health care services throughout the country. The encryption of key systems prevented access to diagnostics and medical records that expose the private information of thousands who received COVID 19 vaccines.

The attackers were able to exfiltrate 700 GB of unencrypted data including Protected Health Information (PHI). Specialists tracked stolen HSE data to a commercial server in the United States. Lawsuits were also filed from patients over interrupted patient care.

Refer to the following resources for the downstream impacts to health systems from ransomware attacks:

Lessons Learned & Recommendations

HHS identified that HSE did not have a single responsible owner for cybersecurity or any senior executive management representative for cybersecurity at the time of the attack.

There was also no dedicated committee that provided direction or oversight to the cybersecurity and the activities required to reduce the organization's cybersecurity risk exposure.

The lack of cybersecurity accountability and reporting to executive leadership is a recipe for trouble. Awareness and transparency for cyber risks is a fundamental starting point for the establishment and maintenance of healthcare cybersecurity programs.

Refer to the following resources for additional guidance on establishing senior cybersecurity leadership and formalized structures for healthcare entities:

There were also known cybersecurity weaknesses and gaps in key cybersecurity controls and HHS noted that “the lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cyber risks, as well as the abilities to identify and deliver mitigating controls.”

Cybersecurity can get buried within IT and underprioritized for some health systems, as appears to be the case with HSE. The lack of a centralized cybersecurity function also would have made it nearly impossible to effectively coordinate risk assessment and remediation across HSE’s more than 54 hospitals.

The report did note, however, that a few hospitals maintained stronger security teams that were able to detect and respond to some of the 2021 attacks. Unfortunately, the lack of a centralized communication and reporting model prevented those teams from communicating effectively to other HSE hospitals in time to prevent large-scale damage.

The HHS reports that it was a known issue at HSE that the teams with cybersecurity responsibilities were under-resourced. This ultimately is a failure of leadership to recognize the pervasive cybersecurity threats introduced ransomware and other attacks that have been escalating for healthcare entities for several years.

The lessons learned report also mentions that “The HSE’s technology has grown organically and is consequently overly complex, increasing the vulnerability of the HSE to cyber attacks.” This hits on one of the most critical constraints faced by all healthcare providers, namely the wide IT and application footprint that introduces high degrees of complexity and challenges for cybersecurity teams.

Another factor that added complexity to the situation was HSE’s dependence and integration with Ireland's National Health Care Network (NHN). HHS noted that “HSE had a large and unclear security boundary that encompassed many of the organizations connected to the NHN. The HSE’s effective security boundary did not align with its ability to mandate cybersecurity controls.”

Connectivity to large, flat network structures and third-party hosted networks is not uncommon for healthcare entities. Unfortunately, such network architecture can often lead to unfettered proliferation of malware once it gets introduced to one or more nodes on the network.

Meditology recommendations conducting network security architecture reviews and targeted penetration testing to identify and validate network segmentation and isolation controls are working effectively.

Refer to the following resources for additional guidance and recommendations on this topic:

HSE’s antivirus tool was “over-relied upon” to detect and prevent threats on endpoints. This represents a legacy mindset around cybersecurity that was more common in healthcare entities 15-20 years ago. Antivirus and endpoint protections are an important part of the defense in depth model, but are not sufficient in and of themselves to protect an organization from sophisticated ransomware attacks.

There was also no effective security monitoring capability that was able to detect, investigate and respond to security alerts across the HSE's IT environment. HHS notes that “the cyber attack was not actively identified nor contained prior to the ransomware execution, despite the attacker performing noisy and ‘unstealthy’ actions.” HSE also did not have a documented cyber incident response plan and had not performed typical preparatory activities, such as exercising the technical response. HHS also states that time was lost during the response due to a lack of pre-planning for high impact technology events.

Routine tabletop exercises are essential to identifying gaps in communication and response processes prior to experiencing real-world attacks and outages. Meditology recommends conducting incident response tabletop exercises at least annually with various stakeholder groups ranging from technical resources all the way to executive leadership. Incident response scenarios should also include ransomware-specific simulated events and reference incident response playbooks and procedures that are specific to ransomware attacks.

Refer to the following resources for additional guidance on incident response planning:

HHS reports that HSE spent a significant amount of time during the response gathering information about applications, as this information was not recorded and up-to-date in a central or offline application register.

The organization had difficulties on the IT front when organizing their response to the attack. HHS noted that there was a lack of clearly defined and delineated decision-making authority between the HSE, hospitals and Community Healthcare Organizations (CHO) in the case of a health service-wide crisis. They also note that the OCIO was not able to provide or source (through third party) the scale of the IT support required by hospitals and CHOs during the extended response to restore applications, systems and services at pace.

The impact of the ransomware attack on communications was severe, as the HSE almost exclusively used on premises email systems (including Microsoft Exchange) that were encrypted, and therefore unavailable, during the attack. Maintaining and testing a backup communication plan for staff outside of email and traditional communications models is essential to prepare for any large-scale attack or outage.

Conclusion

Ultimately, HHS concluded that HSE missed opportunities for efficiencies in the recovery of systems and applications due to a lack of preparedness. There were clearly some fundamental flaws with the HSE cybersecurity program, or lack thereof, that greatly contributed to the adverse outcome of more than 80% of their environment being encrypted with ransomware.

Healthcare organizations of all shapes, sizes, and locations should take heed of the lessons outlined in this report and get to work on investment in cybersecurity leadership, assessments, remediation, and incident response planning and preparation. These attacks are not going away any time soon.

Meditology offers a full suite of cybersecurity services for ransomware prevention and response including:

  • Ransomware tabletop exercises and preparation
  • Incident response tabletop exercises
  • Incident Response Plan (IRP) development
  • Ransomware and network penetration testing services
  • Third-party vendor risk and ransomware assessments

Contact us to learn more or discuss how we can help support your program.

Most Recent Posts
HIPAA Risk Analysis, Risk Assessment, & Evaluation: Is There a Difference? Read More
New NIST Guidance on Compliance with the HIPAA Security Rule Read More
Hospitals Sharing PHI with Facebook: HIPAA Analysis & Recommendations Read More