Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management
Ransomware Attack Leads to IT Shutdown for Irish Hospitals
Conti Ransomware Blamed; No Ransom PaidWatch for updates on this developing story.
See Also: Gartner Guide for Digital Forensics and Incident Response
After Health Service Executive, Ireland’s state health services provider, shut down all its IT systems serving hospitals in the wake of a ransomware attack early Friday, some security experts praised its decisive action and refusal to pay a ransom.
When unusual activity was spotted on IT networks at a Dublin maternity hospital and a ransomware virus was found, HSE shut down all its IT systems serving healthcare facilities throughout Ireland to prevent the spread of the malware, forcing clinicians to use paper-based processes, Irish state broadcaster RTE reports.
Paul Reid, CEO of Health Service Executive, said the shutdown followed a “significant ransomware attack” that caused widespread disruption to the HSE’s systems, RTE reports.
Fergal Malone, the master professor of the Rotunda maternity hospital, told RTE: “We use a common system throughout the HSE in terms of registering patients, and it seems that must have been the entry point or source. It means we have had to shut down all our computer systems.”
In an update, the HSE said Conti ransomware was used in the attack, and it confirmed the healthcare organization will not pay a ransom. HSE’s CIO, Fran Thompson, told the Irish Independent newspaper, “It’s government policy that we don’t pay ransoms.” (See: How Conti Ransomware Works).
An international cybercrime gang was behind the attack, Ossian Smyth, minister of state with special responsibility for public procurement and eGovernment, told RTE.
“This is not espionage. It was an international attack, but this is just a cybercriminal gang looking for money,” Smyth said. He said HSE would gradually reopen its IT network over the course of the weekend or possibly longer.
Reuters, citing HSE officials, reports that the attack exploited a zero-day flaw and mainly affected information stored on central servers.
Health Service officials said they were not aware of any compromise of patient data or any effect on hospital equipment, with the exception of radiography services, Reuters reports. Reporting of laboratory results and the ability to make or view appointments at maternity and oncology departments throughout the country were affected, according to the news report.
Applauding HSE's Actions
“HSE has managed this ransomware attack very well and they should be applauded for their approach,” Brian Honan, cybersecurity and data protection expert at BH Consulting, tells Information Security Media Group.
“Their communications from the very beginning have been very on point, transparent and open. They acknowledged they were victims of a ransomware attack at the very start, which ensured there was no speculation as to what was happening. Throughout the day, they have kept the media and public informed of what is going on and the impact on their services."
HSE immediately worked with An Garda Síochána, the Irish national police force; the Irish National Cyber Security Center; and the Irish Defense Forces, Honan says, "so that appropriate and skilled resources are dealing with the outbreak. In a proactive and preventive measure, the HSE took other systems that were not directly affe cted by the ransomware offline so that they could be protected from any further spread of the ransomware.
Thomas Naylor, who provides CIO consultancy services at enablement.tech, praised HSE for not paying a ransom.
"Paying a ransom finances and encourages further attacks - both against the ransom payer and against the wider community," he says. "If a health authority pays a ransom, it encourages further focus by criminal groups on ransomware attacks against hospitals.
"Often a ransomware attack happens at the end of the cyberattack cycle: The attackers have already had access to the network for a while, data has already been stolen and perhaps also monetized. Paying a ransom can result in de-encryption and restoration of files and system operations, but occasionally, even this fails - a ransom is paid, and the data is still not recovered. It is key to note that paying a ransom will not result in the attacker deleting any data that may have been stolen."
John Walker, a visiting professor at the School of Science and Technology at Nottingham Trent University in the U.K., adds: “The real issue with hacks such as the event that impacted Irish Healthcare is patients’ sensitive data and associated records are potentially being exposed and released into the view of unauthorized viewers."