The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released a report providing insights into the May 2021 Conti ransomware attack on the Health Service Executive (HSE) in Ireland, and advice for the healthcare and public health (HPH) sector to help prepare, respond, and recover from ransomware attacks.
The report provides information on the vulnerabilities and weaknesses that were exploited by the Conti ransomware gang, and how the HSE’s lack of preparedness for ransomware attacks hampered its efforts to detect, respond and remediate the attack and contributed to the long and expensive recovery process.
The Conti ransomware gang, believed to be a reincarnation of the notorious Ryuk ransomware operation, first gained access to the HSE network on May 7, 2021, and the networks of six voluntary hospitals and one statutory hospital were compromised between May 8, 2021, and May 12, 2021. One of the affected hospitals detected the attack on May 10, and the HSE was alerted to the cyberattack on May 12. Between May 12 and May 13, the attacker accessed files and folders on HSE systems. The Department of Health and one hospital prevented attacks on their networks on May 13, but in the early hours of May 14, 2021, other hospitals and the HSE started to have files encrypted. The HSE said around 80% of its network was encrypted in the attack.
The attackers issued a ransom demand; however, a week after files were encrypted the gang provided the keys to decrypt files for free, but then insisted the HSE pay the ransom to prevent the publication or sale of the stolen data. It took until September 21, 2021 – four months after files were encrypted – to restore 100% of HSE servers and 99% of its applications. Recovery from the ransomware attack cost the HSE hundreds of millions of dollars and the attack could have been even more costly and damaging had the Conti ransomware gang not provided the decryption keys.
The Conti ransomware gang has conducted at least 40 ransomware attacks in 2021 in the United States, Columbia, Europe, India, and Australia, including attacks on HPH entities in at least 20 U.S. states. Attacked healthcare entities include biotech firms, health/medical clinics, home healthcare services, hospices/elderly care, hospitals, pharma firms, healthcare industry services, and public health entities.
In December 2021, the HSE released a 157-page report of an independent post-incident review by PricewaterhouseCoopers (PwC) that detailed the background to the attack, the timeline, the recovery process, cybersecurity failures, and provided many recommendations. The PwC report was the reference for the HC3 report.
The PwC and HC3 reports detail many cybersecurity failures that contributed to the slow detection of the attack, the inability to respond quickly to security alerts and implement mitigations, and the extensive recovery time. Despite the high risk of ransomware attacks on the healthcare industry, the HSE was simply not prepared to deal with a ransomware attack. There was no single owner for cybersecurity at a senior executive or management level, no dedicated committee providing direction and oversight of cybersecurity activities, multiple weaknesses and gaps in cybersecurity controls, no cybersecurity forum to discuss and document risks, no centralized cybersecurity function to manage cybersecurity risks and controls, and the teams responsible for cybersecurity were known to be under-resourced.
The technology used by the HSE was overly complex, which increased vulnerability to cyberattacks. There was a large and unclear security boundary, the effective security boundary did not align with its ability to mandate cybersecurity controls, and there was no effective monitoring of the capability to detect and respond to attacks. High-risk gaps were identified in 25 of the 28 cybersecurity controls that are most effective at detecting and preventing human-operated ransomware attacks, and the HSE was overly reliant on antivirus software for protecting endpoints. The HSE had no documented cyber incident response plan and had not performed exercises of the technical response to an attack. The HSE was therefore heavily reliant on third parties in the weeks following the attack to provide structure to its response activities.
While many ransomware actors are stealthy, the Conti ransomware attack was not. On May 7, 2021, the HSE’s antivirus detected Cobalt Strike on six servers, two hospitals identified an intrusion before the ransomware was deployed, and two organizations prevented the deployment of ransomware, but there was no centralized response from the HSE.
The report highlights the consequences of not having an effective cybersecurity strategy, the need to prepare thoroughly for an attack, and the importance of governance and cybersecurity leadership. As serious as the attack was, some good can come out of it. Healthcare organizations around the world can learn from the attack and apply the lessons learned by the HSE to prevent attacks on their own IT infrastructure, and ensure they are properly prepared to respond to a ransomware attack should their defenses be breached.
The post HC3: Lessons Learned from the Ransomware Attack on Ireland’s Health Service Executive appeared first on HIPAA Journal.