Download PDF

Ransomware attack on Irish Health Service Executive and implications

May 2021
Sean O'Halloran and Andrew Jones

The Irish national healthcare management agency, the Health Service Executive (HSE) has today announced that it is dealing with a “significant ransomware attack” on its IT systems and, as a precaution, has shut down certain computer systems in order to assess the scale of the attack and react appropriately.

The impact of the shutdown will be significant. The HSE, Ireland’s largest employer with almost 70,000 direct employees, manages 86 hospitals and a large number of community healthcare facilities, many of which have had to cancel appointments. However, the impact of the shutdown will likely knock-on to other public bodies, with social services agency Tusla confirming that it also has been affected by the shutdown, as has the Covid-19 testing referral system.

It is reported in the media that no demand has yet been received by the HSE, but that it believes the attack was carried out to extort money. In an interview with RTE, HSE CEO Paul Reid noted that the attack is “sophisticated” and “human-based”. The scale of the attack will not become clear for some time, but Reid confirmed that the HSE is working to ensure that both IT systems and the information they hold are protected.

It is likely hoped that the attack is ransomware, as if the attack is instead a malware attack designed to cause maximum disruption, such as the NotPetya malware attack which affected shipping giant Maersk in 2017, the impact on the HSE could be very significant.

Medical records

In addition to the potential disruption to the Irish health and social care service, a further concern will be whether any medical records of patients have been compromised. Early reports suggest that it is not medical equipment but systems containing patient medical records that have been impacted.

Medical records are some of the most valuable personal data for hackers, said to raise up to 10 times more than credit card information on the black market.

Trends

The ransomware attack on the HSE has parallels to the WannaCry ransomware attack that hit the UK’s NHS in 2017. That attack impacted around one-third of the UK’s NHS trusts, around 8% of GP clinics and led to the cancellation of around 19,000 hospital appointments. The NHS was criticised for using outdated and unpatched software and incurred an estimated £92 million in costs. Apparently and luckily, no patient personal data was compromised.

The HSE attack also shows a worrying trend of attacks on critical services generally, following the high-profile ransomware attack on Colonial Pipeline in the United States last week, which resulted in the shutdown of a pipeline supplying fuel to the US East Coast. That caused oil prices to rise, panic-buying and a state of emergency called in Florida. Despite Colonial reportedly paying the ransom of $5 million, it is understood that the restoration of its systems took significant time.

The HSE attack is also a demonstration of the growing trend of “ransomware as a service”: it is believed that DarkSide, an Eastern European group, developed the ransomware tools used and the attack was carried out by an affiliate.

The healthcare sector has remained a target for cybercriminals and repeated warnings have been given following the NHS attack. The National Cyber Security Centre issued an urgent alert to the sector in May last year, following a further increase in attacks apparently relating to information gathering on Covid-19. It remains to be seen how robust the HSE’s cyber security was in this instance and whether lessons have been learned. Either way this will be a matter of concern to all users of the system, to insurers and to all entities. Vigilance in IT security has never been more important.

Download PDF