The latest roundtable discussion from Security on Screen analyses last week’s cyberattack on Ireland’s health system – as much as ransom payments should be avoided, how long can the resumption of vital services be delayed?
Over a week ago, the Republic of Ireland’s health service became the victim of a ransomware cyberattack and, unfortunately, there is still no sign of a resolution any time soon.
With a substantial number of computers shut down to allow specialists to track down the malware, hospitals have had to return to pen and paper to keep records. This is now causing various problems for doctors, consultants and dentists who cannot access previous scans stored on computers for comparison to see whether a patient may have deteriorated, making this an obviously worrying time for patients – especially those who have cancer and other serious ailments.
Routine non-emergency operations, including colonoscopies, have been cancelled in many hospitals, which will only add to waiting and missed diagnoses, increasing patients’ worries. One maternity hospital cancelled outpatient visits, unless women were 36 weeks pregnant or later.
Government ministers have consistently repeated that no ransom will be paid to the hackers for the return of patients’ information despite some such details appearing on the dark web. However, several patients have called radio phone-in programmes to say a ransom should be paid to allow normal services to resume and even some IT specialists suspect money may have to be paid eventually.
At this point, it is too early to say whether any patient whose private details end up published on the internet will sue the health service for negligence and a breach of privacy. In the meantime, the HSE has reportedly secured a High Court order preventing hackers, or any individual or business, from sharing, processing, or selling the information.
Commenting on these recent updates, George Daglas, Chief Operations Officer, Obrela Security Industries, says: “The healthcare sector is facing a new reality. Since the pandemic, cybercriminals have preyed on the most vulnerable of organisations in a bid to extort and exploit them, with healthcare facilities being no exception.
“Hospitals have been a prime target for criminal groups as these organisations hold a multitude of sensitive and highly valuable data such as patients’ names, dates of birth, and home addresses. Once a healthcare organisation is breached, a ransomware group is then able to access the organisation’s data and threaten to leak it if a ransom is not paid.
“Ransomware attacks are a favoured method among threat actors due to their high return on investment, with 10% of breaches utilising ransomware this year. Ransomware is a particularly vicious threat because it is a double-extortion. Attackers are able to leak an organisation’s data, which also holds the organisation at ransom, putting the organisations and their customers, or in this case patients, in a very dangerous position.
“As the attackers have access to such sensitive data, the organisations are desperate to get their data back, so often they feel like they have no choice but to pay a ransom. However, this is the worst thing to do as it will only fuel the industry.”
Robert Golladay, an EMEA and APAC Director at Illusive, adds: “Unfortunately, these ransomware attacks are a way for groups like DarkSide, who were behind the Colonial Pipeline attack, to make some easy money that can be reinvested in more tools and resources. The only way organisations can hope to stay ahead of this trend is to shift the paradigm of ransomware defence from a passive to an active one.
“Endpoint Detection and Response (EDR), patching, user education, and backing up regularly are still paramount, but we need to take security one step further by actively seeking out lateral movement and chasing attackers’ movements within the network before it’s too late. Attackers’ creativity and resources require an equally creative, proactive and imaginative set of tactics.”
Above anything, this attack has highlighted the vulnerability of Ireland’s health service because of its continued use of an outdated Windows system. Dean Ferrando, Systems Engineering Manager (EMEA) at Tripwire, adds: “Remember, ransomware doesn’t just suddenly appear on systems. It has to get there through exploited vulnerabilities, phishing, or other means.
“While we tend to focus on the ransomware itself, the best way to avoid becoming a victim is to prevent the infection in the first place. And the best way to prevent ransomware infections is to address the infection vectors by hardening systems, patching vulnerabilities, ensuring systems are configured securely, and preventing phishing. Also, security training for all personnel is a critical element of any cyber defence strategy.”
IT experts have said the attack was an accident waiting to happen because of a failure to invest sufficiently in cyber security. Others suggest that the Health Service Executive (HSE), the official name for the Republic of Ireland’s health service, could face up to €1m (£860,700) in fines for inadequate data protection under General Data Protection Regulation (GDPR) rules.
“This shows how defence-in-depth deficiencies are becoming a threat to public safety,” comments Martin Jartelius, CSO at Outpost24. “Hospitals are a great target for an attacker as they are frequently set up without a defence-in-depth mindset. The fact that critical services were affected is extremely concerning and it is likely that a privileged account has been compromised – the entry point is almost always via a user. You just hope that everyone impacted remains healthy and safe.”
The government is currently setting up a helpline for those who are approached and told their health details are going to be published online. However, the underfunding of the HSE IT security system is going to come with a heavy price and now the worry is that other public services may also be vulnerable to similar ransomware cyberattacks.
Daglas suggests: “When facing a ransomware attack, organisations should enlist the help of experts who can advise on the best action to take and this will largely depend on the data that has been stolen and the ransom demand. The best way to limit the damages of ransomware attacks all comes down to preparation and having a strong resilience plan in place. This will allow organisations to rehearse their mitigation efforts and know exactly how to respond when they get attacked and the amount of loss they are likely to face – leaving no unwanted surprises.”
Patrick Hunter, Sales Engineering Director at One Identity, also says: “Train all of your staff to be on the lookout, even to the point of paranoia! A hacker only needs one point of entry, so make that initial point difficult for them to find. Public sector organisations are never as well funded as the private sector and I suspect that plays a part too, with basic security tools either out of date or missing.
“You can then stop the spread of damage to other, more critical users and systems, by using multi-factor authentication (MFA) at a minimum for remote access. Administrative and privileged passwords can be locked away in a secure password vault and then only retrieved using workflows and more MFA. These are relatively inexpensive technologies that give the best impact. The nirvana of ‘Zero Trust’ for privileged accounts is always a goal but be pragmatic along the way.”