Ireland HSE Cyberattack is a Cautionary Tale For US Healthcare Orgs

February 07, 2022 - The Health Sector Cybersecurity Coordination Center (HC3) encouraged US healthcare organizations to learn from the large-scale May 2021 cyberattack against the Ireland Health Service Executive (HSE) that immobilized the country’s health IT systems and cost hundreds of millions of dollars in recovery efforts.

In a recent brief, HC3 took stock of the numerous lessons learned from the HSE cyberattack that began on May 14, 2021. It continued to cause nationwide IT outages, EHR downtime, health data exposure, and appointment cancellations across Ireland’s publicly funded healthcare system for more than four months.

Conti ransomware claimed responsibility for the attack against the HSE. HC3 tracked at least 40 ransomware incidents involving Conti in 2021 and noted that the group regularly targets the healthcare sector.

The HSE attack was the largest attack against any health service computer system in history. The attack impacted the HSE’s 54 public hospitals along with other hospitals that depended on the HSE’s IT infrastructure.

Conti successfully exfiltrated 700 GB of unencrypted data, including the public health information (PHI) of thousands of individuals who received the COVID-19 vaccine. Over 75 percent of the HSE IT environment was encrypted, restricting access to medical records and forcing hospital staff to revert to pen and paper. 

In December 2021, the HSE released a post-incident review outlining the details of the incident and its recovery process. The report served as the foundation of HC3’s brief. The report also revealed that the HSE was underprepared for the event of a ransomware attack, despite the increasing frequency of ransomware across the sector.

“The HSE did not have a single responsible owner for cybersecurity, at senior executive or management level at the time of the incident,” HC3 said.

“There was no dedicated committee that provided direction and oversight of cybersecurity and the activities required to reduce the HSE's cyber risk exposure.”

In addition, there were known cybersecurity gaps and vulnerabilities, and the HSE did not have a specific function that managed cybersecurity risk and infrastructure. The HSE relied heavily on simple antivirus tools to detect threats and did not have a cyber incident response plan.

As a result, “the [cyberattack] was not actively identified nor contained prior to the ransomware execution, despite the attacker performing noisy and ‘unstealthy’ actions,” HC3’s brief continued.

“Time was lost during the response due to a lack of pre-planning for high impact technology events. The HSE spent a significant amount of time during the response gathering information about applications, as this information was not recorded and up-to-date in a central or offline application register.”

The HSE’s lack of preparedness and slow response time negatively affected clinical and administrative efforts. But the mistakes made by the HSE can serve as a cautionary tale for other healthcare organizations across the world, HC3 suggested.

US healthcare organizations should ensure effective cybersecurity monitoring technologies are in place. It is essential to implement a cyber incident response plan and have a designated cybersecurity team whose priority is to secure the organization’s network.

Healthcare organizations should also prioritize business continuity planning and disaster recovery planning to reduce patient care disruptions.