The healthcare sector has fallen victim to ransomware attacks for a number of years. In this article, we consider the implications for healthcare and other public sector organisations which themselves utilise interrelated IT systems.
Healthcare is an established target for ransomware
The National Audit Office (NAO) reported that in 2014, the Cabinet Office and Department of Health & Social Care wrote to National Health Service England (NHS) trusts to instruct them that it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, NHS Digital further issued critical alerts warning them to patch their systems to prevent infection by WannaCry ransomware.
On 12 May 2017, cyber attackers deployed WannaCry ransomware against approximately 230,000 computers across more than 150 countries, with the biggest impact being experienced by the NHS. The NAO reported that the attack led to disruption in at least 80 out of 236 NHS trusts – 34 were infected and locked out of devices (of which 25 were acute trusts), and 46 were not infected but reported disruption. A further 603 primary care and other NHS organisations were infected by WannaCry ransomware, including 595 out of 7,454 GP practices. The NHS estimated that approximately 19,000 appointments were cancelled.
The NAO concluded that all organisations could have addressed the vulnerability of any unpatched or unsupported Windows operating systems and taken action to manage their firewalls to prevent infection by WannaCry ransomware.
However, it remains unclear to what extent this omission was attributable to budgetary restrictions, the inability to replace systems which are essential to operate specialised software, or simple intransigence.
In 2018, 51% of the 582 IT security professionals surveyed by Pwnie Express considered the healthcare sector to be the least prepared of the critical infrastructure industries for ransomware attacks and other types of cyberattack. 85% of respondents predicted that a cyberattack on critical infrastructure would occur in the following 5 years.
In May 2021, Check Point Software Technologies Ltd reported that the number of organisations impacted by ransomware globally more than doubled in the first half of 2021 compared with 2020, and that the healthcare sector had been the most targeted sector since the beginning of April 2021, with an average of 109 attack attempts per organisation every week, compared with the next highest level of 59 attempts per week for the utilities sector.
Conti ransomware and Ireland’s Health Service Executive (HSE)
On 14 May 2021, cyber attackers suspected to belong to the Russian ‘Wizard Spider’ crime group targeted Ireland’s publicly funded healthcare system, the HSE. The cyber attackers successfully deployed Conti ransomware using a ‘double-extortion’ approach: encrypting systems and personal data to prevent access, while also stealing personal data and threatening to disclose it online, unless the HSE paid a $20m ransom by 24 May 2021. The Irish Government has consistently refused to pay the ransom in respect of the HSE cyber-attack.
A separate attack on the Irish Department of Health also on 14 May 2021 was unsuccessful. The ‘Wizard Spider’ group is also reported to have conducted a successful attack on Fat Face during April 2021 for a $20m ransom.
On 20 May 2021, the cyber attackers unexpectedly posted a decryption tool online for the HSE in an attempt to pressurise the HSE into paying the ransom by shifting focus from system access to the threat of disclosure, stating that: “We are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation.”
The HSE obtained an injunction from the High Court of Ireland prohibiting the cyber attackers from publishing, selling, or sharing the data. In practice, the impact of this injunction is more relevant to legitimate online platforms on which the cyber attackers may seek to disclose the personal data, such as social media platforms.
The US Federal Bureau of Investigation (FBI) also issued an alert regarding at least 16 Conti ransomware attacks targeting US healthcare and first responder networks.
On 28 May 2021, the HSE confirmed that the cyber attackers had disclosed personal data relating to approximately 520 patients on the dark web and that notification of this personal data breach to the Irish Data Protection Commission and to the affected patients was underway.
On 2 June 2021, the HSE reported that: “. . . many health services are continuing to operate essential and urgent services, without access to critical IT systems or with limited access to these systems” and that: “ . . . 80,000 HSE devices . . . are being assessed.” The HSE further anticipated that: “It will take a number of weeks to safely restore the 2,000 IT systems.” The HSE is working with An Garda Síochána in respect of the criminal investigation.
Following the incident, the White House issued a memo entitled “What We Urge You To Do To Protect Against The Threat of Ransomware”, highlighting the global spate of ransomware attacks and the US Government’s recommended best practices.
Impact on patients
Apart from the disruption to their healthcare services, and the impact on their health that this may entail, patients may also suffer anxiety and distress or fall victim to blackmail and fraud: for example, receiving phone calls from blackmailers threatening to disclose further personal data, as happened in an equivalent case in Finland in October 2020, or from fraudsters purporting to be from the HSE, health insurance companies and the like, in order to extract financial details or payments from them.
The Irish Minister for Health, Stephen Donnelly, has also expressed concerns about a potential influx of compensation claims from patients under the GDPR.
In light of the above, public sector organisations should consider:
- ensuring that they have an effective data protection governance programme to manage the people, processes and technologies necessary for the appropriate handling of personal data;
- ensuring that cybersecurity is recognised as a corporate priority, to obtain appropriate management buy-in and resources;
- keeping up to date with relevant guidance, in particular cybersecurity alerts from the relevant authorities, including parent departments;
- identifying the vulnerabilities which may arise from utilising interrelated IT systems and software, via a risk assessment;
- implementing appropriate organisational and technical controls, as per our previous recommendations; and
- ensuring that a robust data breach response plan is in place to respond to, contain and mitigate any breach of personal data.
Trilateral’s Data Governance and Cyber Risk Team has significant experience supporting organisations in implementing appropriate security measures in respect of personal data, specifically across public and private organisations in the healthcare sector. We offer a range of data governance services, including compliance support. Our support services will help your organisation to protect patient records and maintain trust. Please feel free to contact our advisors, who would be more than happy to help.