The Health Sector Cybersecurity Coordination Center (HC3) released a brief urging U.S. healthcare organizations to learn from Ireland’s 2021 cyberattack. In May 2021, Ireland’s Health Service Executive (HSE) became a victim of Conti ransomware.
Subsequent reports show why this breach was so damaging. Attackers have long treated the healthcare industry as a lucrative target, especially groups like Conti that encrypt sensitive information and then demand a ransom for it.
For healthcare covered entities, keeping protected health information (PHI) safe is a crucial part of patient care. And under HIPAA, strong cybersecurity measures, such as HIPAA compliant email, are fundamental.
What happened in Ireland?
On May 14, 2021, HSE discovered a large-scale ransomware attack that shut down healthcare IT systems nationwide. The breach impacted HSE’s 54 public hospitals along with other facilities within the HSE network.
The threat actors used Conti ransomware, a known ransomware-as-a-service. Conti affiliates typically gain initial access through phishing or known weaknesses in widely deployed software, including Microsoft products, then encrypt files and demand a ransom for their return. Conti’s developers, based in Russia, are widely believed to be the same group behind the Ryuk ransomware variant. The group regularly targets healthcare.
In this instance, an employee opened a malicious Microsoft Excel file attached to a phishing email. According to HSE’s post-incident review, that email was opened in March 2021, roughly eight weeks before the ransomware was detonated, so the attackers had extended access before anyone noticed. The attack had severe consequences for HSE’s hospitals:
- EHR (electronic health record) downtime
- Staff reverting to pen and paper records
- Appointment cancellations
- 80% of HSE data encrypted
- 700 GB of unencrypted PHI exfiltrated
- Exposed PHI (including COVID-19 vaccination information)
HSE executed its Critical Incident Process, switching off IT systems to prevent further access. Unfortunately, recovery took four months and cost hundreds of millions of dollars, and lawsuits from patients are pending.
The HC3 brief
HC3 based its brief on HSE’s December 2021 Independent Post Incident Review, outlining the details of the incident, the recovery process, and the lessons to learn.
The brief reveals how unprepared HSE was and explores what Ireland’s health service got wrong before and after the attack. For one thing, no one at HSE owned cybersecurity, so there was no one to provide strong direction or oversight. And while a critical incident process existed, it did not specifically cover preventing a cyberattack or recovering from one.
Furthermore, there were known cybersecurity gaps and vulnerabilities throughout HSE’s IT systems, including weak access and perimeter controls and poor communication of security issues across the organization.
HC3 adds that HSE neither identified nor contained the ransomware “despite the attacker performing noisy and ‘unstealthy’ actions.” When critical institutions are under-resourced, ransomware groups such as Conti can infiltrate them with little resistance.
Translating Ireland’s lessons: preparation
Given these issues, HC3 spent a significant portion of its brief on takeaways. HC3 believes the HSE incident can show U.S. healthcare organizations what not to do, especially since Conti began attacking U.S. covered entities in 2020. HC3 attributed 40 ransomware incidents to Conti in 2021 alone.
Knowing how to protect a healthcare organization and patients’ PHI is vital to successful patient care. First, a strong leadership strategy must be in place, including a designated cyber team with clear lines of responsibility.
Leadership should also include an oversight committee to ensure continuous auditing and updating of current systems. Second, organizations must establish plans that cover before, during, and after an attack. These include:
- Business continuity plan – how critical services, such as patient care, keep running while IT systems are unavailable
- Incident response plan – how to detect, contain, and communicate about a breach while it is happening
- Disaster recovery plan – how to restore systems and data after a breach, including from backups
Well thought-out strategies, along with up-to-date policies and procedures, help organizations know what to do, and which cybersecurity controls stop an attacker from getting into their systems in the first place.
Translating Ireland’s lessons: cybersecurity
HSE over-relied on its antivirus software. But antivirus software (or really any single cybersecurity control) is not enough on its own. For cybersecurity to be strong, it must be layered and cover all of an organization’s attack vectors.
Cybersecurity must be grounded in a risk-based approach, which is why a HIPAA risk assessment is a useful starting place. A risk assessment helps covered entities figure out the most effective and most appropriate administrative, physical, and technical safeguards needed to protect IT systems as well as maintain HIPAA compliance.
Besides antivirus software, other helpful safeguards include:
- Employee training
- Strong access controls (e.g., strong passwords and multi-factor authentication)
- Offline, regularly tested backups
- Patched/updated systems and devices
- Encryption at rest and in transit
And of course, strong email security to block phishing emails from ever making it into an inbox.
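The HSE intrusion started with a phishing email carrying a macro-capable Excel file, and display name spoofing (a trusted name on an untrusted address) is one of the most common ways such lures earn a click. The script below, an added example rather than code from HC3, HSE or Paubox, shows how a mail gateway or SOC triage tool can flag both signals. The internal directory, the trusted domain, and the two sample messages are constructed for the example.

```python
"""Flag display-name spoofing and macro-capable Office attachments in raw
email. Added example, not HC3/HSE/Paubox code; the directory, the domain
list and the sample messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: display names staff will trust on sight, and the only domain
# those names are allowed to send from.
INTERNAL_DOMAINS = {"hospital.example"}
INTERNAL_DIRECTORY = {"Mary Murphy", "IT Service Desk"}

# Office formats that can carry VBA macros (the HSE lure was an Excel file).
MACRO_EXTENSIONS = {".xls", ".xlsm", ".xlsb", ".doc", ".docm"}


def _normalise(name: str) -> str:
    # Lower-case, collapse whitespace and drop punctuation/digits so that
    # "Mary  Murphy." still matches the directory entry "Mary Murphy".
    return re.sub(r"[^a-z ]", "", re.sub(r"\s+", " ", name.lower())).strip()


def check_display_name(from_header: str) -> dict:
    """Parse a From header; report spoofing when the display name is an
    internal person but the address domain is not an internal domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    normalised = _normalise(display)
    known = {_normalise(n) for n in INTERNAL_DIRECTORY}
    spoofed = bool(normalised) and normalised in known and domain not in INTERNAL_DOMAINS
    return {"display": display, "address": addr, "domain": domain, "spoofed": spoofed}


def macro_attachments(msg) -> list:
    """Return the filenames of attachments whose extension can carry macros."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in MACRO_EXTENSIONS):
            hits.append(name)
    return hits


def triage(raw: str) -> dict:
    """Triage one raw RFC 5322 message: 'block' if either signal fires."""
    msg = message_from_string(raw, policy=policy.default)
    from_check = check_display_name(str(msg.get("From", "")))
    macros = macro_attachments(msg)
    verdict = "block" if from_check["spoofed"] or macros else "deliver"
    return {"verdict": verdict, "from": from_check, "macro_attachments": macros}


# Constructed sample: external look-alike domain borrowing an internal display
# name, with a legacy-format (macro-capable) Excel attachment.
SPOOFED = """\
From: "IT Service Desk" <helpdesk@hospital-support.example>
To: staff@hospital.example
Subject: Updated rota
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached rota.
--b1
Content-Type: application/vnd.ms-excel; name="rota.xls"
Content-Disposition: attachment; filename="rota.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: the same display name from the legitimate domain.
LEGIT = """\
From: "IT Service Desk" <helpdesk@hospital.example>
To: staff@hospital.example
Subject: Maintenance window
Content-Type: text/plain

Systems will be offline at 02:00.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw))
```

The display-name check is deliberately narrow: it only fires when a name from the internal directory arrives from a non-internal domain, so ordinary external correspondents are not flagged. In production the directory would come from the organization’s address book, and the extension check would be backed by inspecting the attachment contents (an OLE or OOXML macro scan) rather than trusting the filename alone.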
Email Security with Paubox Email Suite Plus
Paubox Email Suite Plus provides needed email security and strong HIPAA compliant email. Our HITRUST CSF certified solution encrypts all outbound email, which can be sent directly from an existing email platform (e.g., Microsoft 365 or Google Workspace). No extra passwords, portals, or logins necessary.
Just as crucially, it blocks incoming phishing messages and other email threats before they reach an inbox. Paubox Email Suite Plus comes with our patented ExecProtect, built to block display name spoofing, a common phishing tactic in which a message shows a trusted sender’s name on an untrusted address.
Our Zero Trust Email feature, which requires an additional piece of evidence before a message is accepted, keeps malware from being delivered to an inbox at all. HSE’s breach could have been far less damaging had proper protections been in place from the beginning. Learn from these issues and defend your organization and your patients today, starting with strong email security.