HSE shuts down IT system after cyber attack
14 May 2021
The Health Service Executive (HSE) has temporarily shut down its IT system after suffering what it described as a “significant ransomware attack”.
The health body said it has taken the precaution of shutting down all its IT systems to protect itself from the attack and to assess the situation with its security partners.
Speaking to RTÉ radio’s Morning Ireland, chief executive of the HSE Paul Reid said the attack has impacted all of its national and local systems, which are involved in all core services. The attack is focused on accessing data stored on central servers, he said.
Reid said the HSE is working to contain the “very sophisticated” “human-operated” ransomware attack on its IT systems.
It is not yet known who is behind the attack. No ransom demand has been made at the time of writing.
The HSE is attempting to uncover the extent of the attack, and is working with the national cyber security team, An Garda Síochána and third-party cyber support teams to see what steps it should take next.
The attack has had no impact on equipment in hospitals, Reid added, which are run separately to its data system.
Unless patients are otherwise informed, Reid said they should continue to attend appointments.
The HSE has instructed those that have not yet logged on to the HSE’s network to keep their machines switched off.
The system for Covid-19 vaccinations has not been affected and the HSE has confirmed that vaccination appointments are going ahead as normal today. The National Ambulance Service is also operating as normal.
A number of hospitals around the country have been affected by the attack, however.
Speaking on Morning Ireland, Master of the Rotunda Hospital Prof Fergal Malone said the ransomware attack is affecting all the hospital’s electronic systems and records. He said he believed it has also affected other hospitals.
“We use a common system throughout the HSE in terms of registering patients and it seems that must have been the entry point or source,” said Malone. “It means we have had to shut down all our computer systems.”
Malone added that the hospital had contingency plans in place so it can function normally using a paper-based system.
However, the maternity hospital has cancelled most of its outpatient visits today. It said only those that are at least 36 weeks’ pregnant, or those with urgent concerns, should attend.
The National Maternity Hospital at Holles Street in Dublin said there will be “significant disruption” to its services today, but those with appointments today should still attend.
Cork University Hospital has said it will be “limited” in the services it can provide to patients today. It said its labs will be “severely affected” and that existing GP blood tests cannot be conducted at this time, but emergency blood tests will be processed. Radiotherapy appointments have also been cancelled. Patients should be aware that the hospital’s full suite of records may not be accessible today, it said.
The ransomware involved has been identified as ‘Conti’, a tool that has been in operation since at least December 2019 and is believed to be derived from the ‘Ryuk’ ransomware variant.
“Conti is often deployed using the ‘TrickBot’ infrastructure,” said Patrick Wragg, cyber incident response manager, Integrity360. “Conti is designed to be operated by the attacker, rather than via an automated process, and it contains unique features that allow a more targeted and quicker attack. Conti’s ransomware operations have targeted a wide variety of sectors globally, which include construction, manufacturing, and retail.”
“Right now the health service has done the right thing – damage limitation, they seem to be taking all the right steps – containment being the first,” said Sam Mayne, senior partner account manager with Vipre Security. “Depending on their setup and IT infrastructure, they should be able to move through each step according to their disaster recovery plan – backups and retrospectives being key elements of any such plan.
“As soon as the main threat has passed, we would recommend that the HSE conduct a full retrospective, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful for patient reassurance but also for other organisations to understand how they can prevent an attack of this type being successful in their space… Whether this attack was successful because of a human-layer vulnerability or whether it was a technology downfall, our advice is always that a layered approach is the key to success.”
Brian Higgins, security specialist at comparison website Comparitech, noted that the healthcare sector has become increasingly attractive to cybercriminals in recent years owing to the sensitivity of patient data.
“Lately, criminal organisations have upped their game by releasing selected data sets online to further pressurise victims into ignoring advice or protocols and paying up before any incident response has time to take hold. Finally, and this is why the Healthcare sector is so vulnerable, they will make their attack public as soon as they can so that the customers or patients of the victim organisation will start to panic that their personal information has been stolen,” he said.
“Because of the pandemic and because the data is so personal, anyone who even thinks they might be affected will be far more likely to fall victim to follow-up scams that play on their fears and convince them to share more information.
“These follow-up scams will come via text, e-mail, social media, telephone or sometimes even in person. In this case, criminals will pretend to be from the HSE or a related organisation and ask for login credentials and/or bank details so that they can re-set account security following the attack. It is very difficult to resist this type of approach but at the same time, it is absolutely vital that people hold their nerve and any requests like this are reported and ignored. It is all too easy to fall victim and make a bad situation even worse. Give the HSE a chance to deal with the problem and be careful with your personal information.”
Niamh Muldoon, global data protection officer at OneLogin, added: “Out of all the various types of cyber crime activities, ransomware is the one activity that has a high direct return of investment associated with it, by holding the victims’ ransom for financial payment. Taking the global economic environment and current market conditions into consideration, cyber criminals will of course continue to focus their efforts on this revenue-generating stream.”
While the cost of the HSE cyber attack is as yet unknown, the chances are it will be a minimum six-figure sum. According to the 2021 Unit42 Ransomware Threat Report from Palo Alto Networks’ threat intelligence unit Unit42, the average cyber ransom paid more than doubled in 2020 to $312,493, compared to 2019. So far in 2021, the average payment has nearly tripled compared to the previous year – to about $850,000. The highest demand in the last four months was $50 million, up from $30 million for all of 2020.
Irish Computer Society Secretary General Mary Cleary said that the proliferation of malware attacks will require more qualified professionals to deal with them. “Cybersecurity is one of many domains of IT, where there is a significant skills shortage not only in Ireland but right across Europe,” she told TechCentral.ie. “Part of the European Commission’s digital decade plans is to invest significant amounts of money into digital, both infrastructure and talent development.”
The attack comes four years after the WannaCry global ransomware attack, which took place during the week between 12 and 18 May 2017 and disrupted the services of one-third of the UK’s hospital trusts, and approximately 8% of GP clinics. It’s believed that around 19,000 hospital appointments were cancelled as a result.
A subsequent investigation conducted by the UK Dept of Health & Social Care found that the ransomware attack had cost the NHS an estimated total of £92 million, with the biggest cost being attributed to restoring its services to full operation and to the recovery of data.
Earlier this week it was revealed that Colonial Pipeline paid $5 million to get its systems online following a cyberattack using software developed by hacking group Darkside. The collective, which is believed to be operating in a former Soviet Union country, issued a statement saying it was not directly responsible for the attack.