Report Dissects Conti Ransomware Attack on Ireland's HSEOutlines Key Shortcomings That Country's National Health System Must Address
As healthcare sector entities worldwide continue to battle ransomware incidents, a new report analyzing the Conti ransomware attack on Ireland's Health Services Executive provides insights into factors that played into the attack's impact and offers a list of recommendations on how HSE, as well as other organizations, can be better prepared for such incidents.
The 157-page PricewaterhouseCoopers report, which was commissioned by the HSE and released on Dec. 3, says that the May attack took advantage of a number of vulnerabilities that are not unique to Ireland's national health system, including issues faced by other organizations.
Those issues included HSE having "a very low level of cybersecurity maturity" as evaluated against the National Institute of Standards and Technology's Cybersecurity Framework, the report says.
Examples of the lack of cybersecurity controls in place at HSE at the time of the incident include:
- The IT environment not having many security controls that are most effective at detecting and preventing human-operated ransomware attacks;
- Having no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Health Network;
- A lack of effective patching, including updates and bug fixes, across the IT environment that is connected to the NHN;
- Reliance on a single antimalware product that was not monitored or effectively maintained with updates across the environment.
For example, the workstation on which the attacker gained an initial foothold did not have antivirus signatures updated for over a year, the report says.
"The low level of cybersecurity maturity, combined with the frailty of the IT estate, enabled the attacker in this incident to achieve their objectives with relative ease," the report says. "The attacker was able to use well-known and simple attack techniques to move around the NHN, extract data and deploy ransomware software over large parts of the estate, without detection.”
The HSE attack began on March 18 from a malware infection on an HSE workstation - dubbed "Patient Zero Workstation" - as the result of a user clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on March 16.
"After gaining unauthorized access to the HSE’s IT environment on March 18, the attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on May 14," the report says.
"This included compromising and abusing a significant number of accounts with high levels of privileges, compromising a significant number of servers, exfiltrating data and moving laterally to statutory and voluntary hospitals."
The incident was not identified and contained until after the detonation of the Conti ransomware on May 14, which caused widespread IT disruption.
"There were several detections of the attacker’s activity prior to May 14, but these did not result in a cybersecurity incident and investigation initiated by the HSE and as a result, opportunities to prevent the successful detonation of the ransomware were missed."
Upon discovery of the ransomware detonation, HSE invoked its critical incident process, "which began a sequence of events leading to the decision to switch off all HSE IT systems and disconnect the National Healthcare Network from the internet, in order to attempt to contain and assess the impact of the cyberattack," the report says.
Those actions removed the threat actor’s access to HSE’s environment. But they also immediately resulted in healthcare professionals losing access to all HSE-provided IT systems - including patient information systems, clinical care systems and laboratory systems, the report says. Use of nonclinical systems, such as financial systems, payroll and procurement systems, was also lost.
Many clinicians had to revert to pen and paper to continue patient care, the report says. "Healthcare services across the country were severely disrupted with real and immediate consequences for the thousands of people who require health services every day."
Communication Lines Lost
Normal communication channels, both at HSE’s national center and within its operational services, were also immediately lost, including email and networked phone lines.
"The aim of the attacker was to disrupt health services and IT systems, steal data, and demand a ransom for the non-publication of stolen data and provision of a tool to restore access to data they had encrypted," the report says.
The HSE initially requested the assistance of the Garda National Cyber Crime Bureau, Interpol and the National Cyber Security Center to support the response.
The ransomware created ransom notes with instructions on how to contact the attacker.
"The attacker also posted a message on an internet chat room on the dark web, with a link to several samples of data reportedly stolen from the HSE. The HSE and the Irish Government confirmed on the day of the attack that they would not pay a ransom," the report says.
It says the incident had "a far greater and more protracted impact on the HSE than initially expected," with recovery efforts continuing for over four months.
Other Factors - Including No CISO
Among some of the other factors contributing to HSE's risk for the attack were IT security leadership and staffing issues. Most notably, there was no CISO, the report says.
"The HSE does not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction," the report says, and adds that such an omission "is highly unusual for an organization of the HSE’s size and complexity with reliance on technology for delivering critical operations and handling large amounts of sensitive data." As a result, the report says, there was no one to ensure recognition of the risks that the organization faced due to its cybersecurity posture and the growing threat environment."
HSE also had only about 1,519 full-time equivalent staff in cybersecurity roles, and they did not possess the expertise and experience to perform the tasks expected of them, the report says.
Could Have Been Even Worse
Despite those weaknesses, the report says that HSE personnel - including IT and operations personnel in the HSE center and the hospitals, as well as healthcare professionals - made considerable effort to respond to and recover from the incident while continuing to provide patient care throughout the ordeal.
"If this significant effort had not been made by these people, the impact of the incident on the Irish public healthcare system would certainly have been much worse," the report says.
"The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyberattacks that all organizations face today."
"The challenge is that it takes commitment from the board level down through the organization to get cybersecurity practices in place that minimize the risk."
—Jon Moore, Clearwater
Emergency and crisis planning at HSE previously focused on scenarios such as adverse weather, pandemic, serious accidents and terrorist attacks, which generate a temporary surge in demand for acute services, the report says.
"Similar to many other organizations, the HSE did not conduct contingency planning for a cyberattack or any other scenario involving the complete loss of infrastructure, people, or facilities."
In the report, PwC outlined a series of strategic and tactical recommendations for HSE.
Strategic recommendations include focus and improvements in several key areas, including:
- Governance of IT and cybersecurity;
- Leadership and transformation of the IT foundation on which provision of health services depends;
- Leadership and transformation of cybersecurity capability;
- Development of clinical and services continuity and crisis management capability to encompass servicewide events such as prolonged total outage.
Tactical recommendations, including some that the report says require immediate HSE attention, include:
- Appoint an interim CISO to be responsible for driving cybersecurity improvements and managing third parties that provide cybersecurity services;
- Ensure that the HSE’s incident response provider’s managed defense service or an equivalent is maintained to detect and respond to incidents on endpoints;
- Develop, document and exercise a plan for managing and coordinating a cybersecurity incident involving multiple organization connected to the NHN;
- Prioritize the remediation of critical legacy systems.
The HSE must "maximize the learnings" from the incident, including implementing a coherent operational resilience capability, including clinical and services continuity and crisis management, across the organization, the report says.
"Reducing cybersecurity risk requires both a transformation in cybersecurity capability and IT transformation, to address the issues of a legacy and complex IT estate and build cybersecurity and resilience into the IT architecture."
According to the report, the investment commitment HSE will have to make to improve its cybersecurity posture "is likely to be a multiple of the HSE’s current expenditure on technology and operational resilience." But, the report says, such an expenditure is necessary to protect the HSE against potential future attacks that could be even more damaging.
In a statement provided to Information Security Media Group, HSE says it has already made urgent changes to protect the organization against a similar future attack, including "embarking on implementing recommendations in the PwC report and engaging with Ireland's Department of Health for a cybersecurity transformation program."
HSE Chairman Ciarán Devane says, "We commissioned this urgent review following the criminal attack on our IT systems which caused enormous disruption to health and social services in Ireland, and whose impact is still being felt every day. It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cybercriminals has grown, and there are important lessons in this report for public and private sector organizations in Ireland and beyond."
The HSE has accepted the report’s findings and recommendations, and is in the process of putting in place appropriate and sustainable structures and enhanced security measures, he says.
Paul Reid, CEO of the HSE, says: "We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area."
The statement from HSE says it has already implemented a number of high-level security solutions - including new cybersecurity controls, monitoring and threat intelligence measures based on international expert advice.
The damage from the HSE attack and similar ransomware attacks on other healthcare delivery organizations, including in the U.S, could, for the most part, have been avoided, says Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
"The challenge is that it takes commitment from the board level down through the organization to get cybersecurity practices in place that minimize the risk," he says.
He says it requires investment in time and resources and that business leaders need to understand the role security plays in helping an organization achieve its mission, the risk to the mission from threats such as ransomware. Organizations need to "make informed decisions about how best to allocate their limited resources," Moore says.
"This includes having the right governance structure and people in place, implementing and maturing cybersecurity practices based on recognized frameworks like NIST … and using technology effectively to identify, protect detect, respond, and recover from attacks," he says.
"Unfortunately, that doesn’t happen overnight."