THE HSE HAS shut down its IT systems after it became aware of a “significant ransomware attack”.
The HSE chief executive Paul Reid has called it a “major incident” for the health service.
The HSE was made aware of the attack during the night and it is currently being contained by shutting down all national and local IT systems in order to protect them.
Let’s take a look at the type of attack this seems to be, and what it means for the HSE.
‘Targeted form of attack’
Ransomware is a type of malicious software that encrypts files on a computer system. Attackers demand a ransom from the victim to restore their access to the data after payment is issued.
The systems were hit by a Conti ransomware attack, the Chief Operations Officer of the HSE Anne O’Connor confirmed today.
Barry O’Sullivan, professor at the School of Computer Science at University College Cork, compared this type of attack to a bank robbery, saying there is a lot of preparation before it’s made known that the attack is happening.
“All ransomware attacks are forms of extortion. Basically, people effectively steal your data while leaving it on your machine and don’t let you access it again until you pay a ransom,” he told The Journal.
“Conti attacks are a very targeted form of attack usually undertaken by human beings. These people know what they’re doing, they know what data they’re attacking.”
Attackers enter into a computer system and study how it works, before compromising anything they can and announcing their attack to the victim.
O’Sullivan said servers can become compromised “in all sorts of ways” through weak passwords, phishing scans or weak Wi-Fi servers.
“One of these guys gets on to an important machine, and from there they basically try to penetrate the network in different ways,” he said.
These folks have been probably on the network for quite some time. They understand the structure of the network.
“When you’re faced with a ransomware attack your data is no longer under your control. You’re faced with a choice of – do you pay these people in the hope they release it, or do you not?”
He said all ransomware attacks are a “form of extortion”, and a Conti attack is no different.
“The people who lock this data will also threaten to release it either publicly or sell it,” he said.
Security sources have said that the most likely suspects for the attack are criminals who are ‘state actors’.
“This is an almost daily occurrence and the HSE were targeted this time. In terms of cyber security the most difficult thing is that these hackers are state backed and are most likely from North Korea, Russia or China,” a cyber security source said.
Some hospitals have cancelled all non-urgent appointments today following the cyber attack.
The Covid-19 vaccination programme has not been affected, and people should attend those appointments as normal.
However, the GP and Close Contact referral system is currently down after the cyber attack.
GPs are to advise patients to attend walk-in testing centres with priority given to symptomatic and close contacts at these centres.
Valuable information
O’Sullivan said that “health services are very vulnerable to these kinds of things” because there is “massive pressure” to retrieve the sensitive information.
He said the kind of important medical details contained in the HSE files is highly valuable and sensitive information.
O’Sullivan said these attacks have become “extremely sophisticated” and “difficult to detect”.
“It’s important to recognise the fact that the HSE has been attacked in this way should not be seen as some sort of fundamental weakness in the HSE infrastructure,” he said.
He added that with remote working, people are connecting to their work accounts over “all sorts of insecure Wi-Fi” networks and it is “very, very easy to compromise a computer”.
“Cyber attacks of any kind are wrong. When you’re going after medical data from health services, this is really the lowest of the low,” he said.
“Apart from the devastating impact it has on health services, people will be worried about what data could be published. Personal data, family histories, PPS numbers, health insurance details, all sorts of things.”
He said the attackers generally threaten to release the information on dark web “dump sites”.
“In Conti attacks you have to assume that everything has been compromised and all of your systems have been listened to.”
“These attacks often happen when there are reduced defences, so it’s not surprising it happened during the night,” he said, on the timing of when the HSE became aware of the cyber attack.
He said it gives the HSE limited time to respond on a Friday, but it creates “an additional level of urgency” ahead of the weekend.
He said attacks like this can also often happen on Bank Holiday Fridays.
“Even if the HSE knew yesterday that they would be attacked, a lot of the work and damage has already been done,” O’Sullivan said.
In terms of the ransom, it is usually requested to be paid in cryptocurrency such as Bitcoin as it is “really difficult, if not impossible” for gardaí to trace.
The National Cyber Security Centre, an inter-agency body which involves among other experts the Defence Forces and the gardaí, will be the lead agency on identifying who launched the attack.
Former Communications Minister Denis Naughten told The Journal that attacks like these are a “huge issue that we must keep on top of”.
He has discussed this topic in the past, especially under his remit as minister when he said he focused on resourcing the National Cyber Security Centre.
He added that this continues to be an area that needs “significant investment right across our public service”.
Other systems attacked in the past
Last October, it emerged that the then-CEO of Finnish company Vastaamo had covered up a data breach that exposed the confidential treatment records of tens of thousands of psychotherapy patients.
Many patients reported receiving emails with a demand for €200 in bitcoin to prevent the contents of their discussions with therapists being made public.
In 2017, the United States and Britain blamed North Korea for a ransomware attack that infected some 300,000 computers in 150 countries.
The ‘WannaCry’ attack in May 2017 hit one-third of hospitals in Britain, as well as Spanish telecoms company Telefonica and US logistics company FedEx among others.
Data on infected computers was encrypted and users faced a ransom demand to unlock their devices.
A total of 80 of 236 NHS trusts across England suffered disruption, because they were either infected by the ransomware or had turned off their devices or systems as a precaution. The ransomware infected another 603 NHS organisations including 595 GP practices.
The health service was forced to cancel almost 20,000 hospital appointments and operations as a result and five A&E departments had to divert patients to other units.
This attack was described as “relatively unsophisticated” in that it locked devices but did not seek to alter or steal data.
This week, British Foreign Minister Dominic Raab called for a global effort to counter online threats as he slammed countries including Russia, China, Iran and North Korea over cyberattacks.
Authoritarian states “are the industrial-scale vandals of the 21st century”, he said in a speech.
- Additional reporting by Niall O’Connor, Christina Finn and AFP.
To embed this post, copy the code below on your site
have your say