Cyber Crime
One year on: what can we learn from the HSE ransomware attack?
When a Conti ransomware affiliate struck Ireland’s Health Service Executive (HSE) a year ago, we discovered something very important about threat actors. Pandemic or no pandemic, they’re prepared to hit any target if it’s deemed lucrative and exposed enough.
With reports suggesting the incident could end up costing hundreds of millions, it’s vital for organisations everywhere to learn the lessons of this attack, in order to protect their digital assets in the future.
What happened?
The attack, which struck on 14 May 2021, forced the Irish health service to take its IT systems offline, leading to the cancellation of appointments in over half the country’s hospitals. Healthcare workers were forced back to using pen and paper to record patient care. And 80% of the HSE’s environment was encrypted, causing “a severe and long lasting disruption to healthcare services,” according to a PwC report on the incident.
What can we learn?
The report details multiple security failures which enabled the threat actors to use “well-known and simple attack techniques” to achieve their objectives: stealing patient records and deploying the ransomware payload. These included:
- A lack of security monitoring to detect, investigate and respond to security alerts across the HSE
- No effective patching programme
- An over-reliance on a single AV product which was not maintained
- An unsegmented network and “frail” IT estate suffering from years of under-investment
- No-one operating in a CISO role or similar
The HSE took several months to decrypt and restore all of its systems. And according to a more recent report, it has already spent €12.7m on IT infrastructure, €5.5m on cyber and strategic partner support, €15.3m on vendor support for applications and €8.4m on Microsoft 365 as a result of the incident. More spending will follow.
Digital healthcare represents the best chance we have of coping with the backlog of cases caused by COVID-19. If it is to be deployed confidently, against a backdrop of residual technological anxiety amongst clinicians, it’s vital that healthcare organizations learn the lessons of May 2021.
Trend Micro at Infosec Europe 2022
Trend Micro continues to work at the forefront of ransomware research, to help customer avoid the kind of nightmare scenario experienced by the HSE. Join us at Infosecurity Europe in June to hear our VP of Threat Intelligence, Jon Clay, reveal a fascinating behind-the-scenes look at what really happens in ransomware negotiations. He’ll also share advice on how to avoid being a victim, and what to do if your business is caught out.
What: Infosecurity Europe
Where: London ExCeL
When: June 21-23, 2022
Join Jon Clay on Tuesday 21st June at 10am for his Strategy Talk: Research Reveals Best Practices in Ransomware Response & Negotiation