In the past few weeks, cyber criminals attacked a number of health organisations in Ireland in what is described as the ‘most significant cybercrime attack on the Irish State’. In the midst of a pandemic, the stakes are both high and consequential – the Irish Health Service must continue to respond to health emergencies and also ensure that the covid-19 vaccination programme remains uninterrupted.
With the attack forcing the Irish Health Service Executive (HSE) and the Department of Health (DoH) to temporarily shut down their IT systems to protect themselves and to safeguard the sensitive data they hold, our experts from 8fold Governance and Leo CybSec assess the facts and offer some helpful guidance on what you can do to protect your organisation from ransomware attacks.
What is a ransomware attack?
Any type of computer malware that threatens to delete your files unless you pay a ransom is known as ‘ransomware’. In most cases, this type of malware finds its way into your network or systems by exploiting a security hole in vulnerable software – or by tricking somebody into installing it.
What we know: The Facts
- In the early hours of 14th May, cyber criminal gangs attempted to encrypt and lock away health and care data from the Irish Health Service Executive, demanding a financial ransom for it to be returned.
- The National Cyber Security Centre (NCSC) said the HSE became aware of a significant ransomware attack on some of its systems in the early hours of Friday morning (14th May). The NCSC was informed of the issue and immediately activated its crisis response plan. As a precaution, the Health Service Executive (HSE) closed down its IT systems to further protect itself while the incident was investigated.
- The day after (15th May), the Department of Health saw signs of a similar attack on its own IT system and also made the decision to shut it down as a precaution.
- Later, a ransom note purporting to come from the criminal gang behind the attacks on both the HSE and the Department of Health was published in the US media. It threatens the release of detailed patient information unless a ransom of $20 million is paid.
- Bleeping Computer, an information security and technology news publication offering free computer help via its forum, suggests the ransom note was obtained from a cyber security researcher and claims the attackers have been inside the HSE system for two weeks, encrypting and downloading a significant dataset relating to the HSE’s activities and its patients.
- The Minister for Public Procurement and eGovernment, Mr Smyth, said: “What they’re attempting to do is to encrypt and lock away our data, and then to try to ransom it back to us for money.” However, Taoiseach (Irish PM) Micheál Martin confirmed that the ransom will not be paid.
- The investigations into both incidents are ongoing. In a statement on Sunday (16th May), the NCSC said the cyber-attacks “are believed to be part of the same campaign” and that “there are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans”.
- Whilst good progress was being made to restore IT systems, the Chief Executive of the HSE suggested there is a “high risk” the criminals behind the cyberattack will fulfill their threat to release patient details.
- The following hospitals in the Republic of Ireland reported disruptions to their services:
  - Dublin’s Rotunda Hospital was forced to cancel outpatient visits due to the “critical emergency”, unless women are 36 weeks pregnant or later.
  - The National Maternity Hospital in Dublin stated there would be “significant disruption” to its services on Friday “due to a major IT issue”.
  - St Columcille’s Hospital in Dublin stated that some virtual appointments and any matters relating to electronic records were postponed.
  - Children’s Health Ireland (CHI) at Crumlin Hospital told people there were delays and all virtual and online appointments were cancelled.
  - The UL Hospitals Group, which consists of six hospital sites in the midwest, confirmed that “long delays are expected” for patients attending its services.
The impact on people, data and security systems
Patients and hospitals
With IT systems shut down, hospitals made difficult decisions to cancel outpatient appointments and elective surgeries, and advised patients to expect long delays, further compounding the issues they were already facing as a result of the pandemic. The lack of access to urgent medical information to inform care and treatments has also undoubtedly increased the risk to patients who need care at this time, with further assessments about the risk to their private and confidential data still to be confirmed.
Information governance and data
Cyber attacks which impact on personal data (such as healthcare records) are classed as data breaches under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act. The law seeks to incentivise organisations to take proactive actions to protect the ‘integrity and confidentiality’ of personal data, to reduce the likelihood of data breaches occurring, and to reduce the potential impact or severity of any data breach which might occur. The ‘security principle’ requires personal data to be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
This means that you must have appropriate security in place to prevent the personal data you hold being accidentally or deliberately compromised.
Depending on the severity of any data breach, it may need to be reported to the relevant supervisory authority (in the UK, the ICO) and could lead to regulatory action in the form of fines, and potentially to compensation claims from affected individuals, which have risen in recent years. Data breaches are also extremely damaging to an organisation’s reputation, which can prove to be even more costly.
This latest cyber attack on the Irish HSE is reminiscent of the WannaCry cyber attack which affected the UK’s NHS in May 2017. Amyas Morse, Head of the National Audit Office said of that attack:
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The National Cyber Security Centre (NCSC) have since developed the Cyber Essentials Scheme to help businesses get to grips with the fundamentals of good cyber security:
“Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. [The Cyber Essentials Scheme] is designed to prevent these attacks.”
Cyber Essentials and Cyber Essentials Plus
8foldGovernance offers both Cyber Essentials and Cyber Essentials Plus services to assist organisations in taking the first steps on their cybersecurity journey and obtaining certification to give customers the assurance they need. For those seeking to work with the NHS in the UK, Cyber Essentials is increasingly becoming a requirement for suppliers and also forms the basis of the NHS Data Security and Protection Toolkit (DSPT) which has been a requirement of NHS suppliers for a number of years. DSPT compliance is another area in which 8foldGovernance can provide support.
Giannis Kostakis, Co-Founder at Leo CybSec, said: “With remote working being the new normal over the last year, cyberattacks have increased exponentially. Today, as the healthcare industry continues to offer life-critical services while working to improve treatment with new technologies, we have seen cyber criminals put more effort and focus on exploiting vulnerabilities in this sector. Every day we see more attacks of every kind, but the headline for 2020-2021 is ransom attacks, which were up 150% over the previous year.”
How to prevent ransomware attacks
Cyber criminals prey on unprotected IT systems and they are finding more and more ways to attack data, online systems and services, often without victims realising until it’s too late. They extort money from victims by encrypting or stealing data and displaying an on-screen alert. The restoration of computer systems for the Irish HSE will likely take many weeks. It also will require a complete rebuild of its computer network which could take several months, in addition to the extra cost anticipated for all the remediation activities. But, the good news is, there are ways to prevent these attacks from happening:
- Back up your data: Make sure you have a recovery system in place so a ransomware infection can’t destroy your data. It is recommended to create two back-up copies: one to be stored in the cloud and one to be stored locally, e.g. on portable hard drives.
- Use of robust antivirus software: Antivirus software can be critical to protect your system from ransomware. Good antivirus software can either prevent a ransomware infection or help you remove the malware from your system before it starts spreading.
- Keep your software up to date and apply regular patches: When your operating system (OS) or applications release a new version, make sure you have a process to install it. Using an automatic update option is always recommended when available.
- Educate your employees on how to look out for and understand malicious attacks: Phishing emails that deliver, directly or indirectly, some form of ransomware are on the rise.
- Monitor for abnormal activity: If you see unusual activity or discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections. This will prevent the infection from spreading across your network and reaching out to other systems and devices.
Other ways to protect yourself
- Implement an effective Information Security Strategy
- Build a strong Cyber Security Team
- Conduct regular penetration testing (pentesting) on your network, systems and devices
- Collaborate with industry experts and Government bodies
- Always follow latest guidelines and best practice
- Run regular Crisis Management and Disaster Recovery Plans
- Do not pay the ransom! There are no guarantees that cyber criminals will give your data back.
Don’t become a victim, enlist some support!
Whilst many people accept that protecting their systems and data is important, it’s one of those things that we often put off, thinking, ‘I’ll do it tomorrow’. But, you wouldn’t leave your car unlocked with all your valuables inside, so why do we do this every day with data in our IT systems? Cyber criminals seek out vulnerable victims and are ready to attack at any time. But, protecting yourself doesn’t have to be difficult. Our leading team of cyber security experts can support your business model and help you to build a strong cyber security strategy. We will:
- Build a successful cyber security programme based on your needs
- Identify potential gaps and help you apply latest security practices
- Assess the security levels of your systems
- Prepare playbooks and run crisis simulation activities
- Train your employees and build a security awareness culture.
For more information or advice on how you can protect yourself from cyber attacks, please get in touch.