Lessons Learned from the HSE Cyber Attack
Lessons Learned from
the HSE Cyber Attack
02/03/2022
TLP: WHITE, ID# 202202031300
Agenda
2
• Background on the HSE Cyber Attack
• Threat Profile for Conti Ransomware
• HC3 Observations for Conti Ransomware
• Timeline of the Incident
• Key Findings
• General Takeaways for Healthcare Organizations
Non-Technical: Managerial, strategic and highlevel (general audience)
Technical: Tactical / IOCs; requiring in-depth
knowledge (sysadmins, IRT)
Slides Key:
3
• The Health Service Executive (HSE) of Ireland is the
country’s publicly funded healthcare system under the Irish
Department of Health, consisting of 54 public hospitals
directly under HSE authority, and voluntary hospitals which
utilize national IT infrastructure.
• On May 14, 2021, HSE suffered a major ransomware
cyberattack that caused all its IT systems nationwide to be
shut down.
• It became the most significant cyberattack on an Irish state
agency, as well as the largest known attack against a health
service computer system in history, occurring during the
COVID
-19 pandemic.
• It took four months to completely recover from the attack,
with HSE sustaining numerous impacts to healthcare
delivery during this timeframe (discussed in the next slide).
• Conti ransomware was responsible for the incident. • On December 3, 2021, HSE published an Independent Post
Incident Review consisting of a 157
-page redacted report,
which is the foundation of this brief.
• Full report of the Conti Cyber Attack on the HSE:
https://www.hse.ie/eng/services/publications/conti
-cyber
- attack-on-the-hse-full-report.pdf
Background on the HSE Cyber Attack
4
• Hospital staff were forced to revert to pen and
paper
• 80% of the HSE IT environment was encrypted,
severely disrupting healthcare services
throughout the country
• Prevented access to diagnostics and medical
records
• Exposed the private information of thousands
who received the COVID
-19 vaccine
• National vaccination program was not affected • Exfiltrated 700 GB of unencrypted data including
protected health information (PHI)
• Specialists tracked stolen HSE data to a
commercial server in the U.S.
• Lawsuits from patients over interrupted patient
care
• Large financial cost to respond to the incident • And more…
High Profile Impacts of the HSE Cyber Attack
5
Malware
• First Surfaced: December 2019
• Suspected Predecessor(s): Ryuk
• Malware Capabilities: Ransomware written in C/C++ that mainly encrypts local files
• Targeted Systems: All versions of Windows known to be affected
• Associated Malware/Tools: TrickBot, IcedID, Cobalt Strike, BazarLoader, Zloader, Rclone, LaZagne, Sidoh, etc.
• Infection Vectors: Spear phishing; Remote Desktop Protocol (RDP); phone calls; fake software; other malware; common vulnerabilities in external assets (i.e., Log4j)
Group
• Origin: Eastern Europe, Russian Federation
• Industry Names: Wizard Spider
• Associated Actors: UNC1878, TEMP.MixMaster, Grim Spider, UNC2633, UNC2727
• Forum Presence: Public and Private Forums
• Targeted Countries: United States, France, Germany, Canada, UK, Italy, Australia, Spain, Netherlands
• Targeted Industries: Manufacturing, construction, retail, legal, financial, technology, automotive, hospitality, transportation, energy, healthcare
• Status: Conti became the first professional-grade, sophisticated ransomware group to weaponize Log4j2 with a full attack chain in December 2021
• Classification: Highly-sophisticated, financially-motivated cybercriminal ransomware-as-a- service (RaaS) program; human-operated
• Threat to HPH Sector: Elevated Risk
Cyber Threat Profile: Conti Ransomware
6
• HC3 tracked at least 40
ransomware incidents involving
Conti ransomware in 2021
• Targeted countries within the
healthcare industry included
Australia, Colombia, France,
Germany, India, Italy,
Netherlands, the United Kingdom,
and the United States
• HPH entities in at least 20 U.S.
states experienced Conti
ransomware incidents or
appeared on the Conti
ransomware extortion blog
• Sub-industries within healthcare
impacted included Biotechnology,
Health or Medical Clinic,
Healthcare Industry Services,
Home Health Care Services,
Hospice or Elderly Care, Hospital,
Pharmaceutical Industry, and
Public Health entities
Historical Conti Ransomware Incidents in the HPH Sector Worldwide (2021)
Biotechnology
5%
Health or Medical
Clinic
32%
Healthcare Industry
Services
29%
Home Healthcare or
Elderly Care
Services
10%
Hospital
5%
Pharmaceutical
Industry
14%
Public Health
5%
Industry Breakdown: Conti Ransomware Incidents (2021)
7
Pre-Infection Timeline: March 18 – May 14, 2021
Source: HSE/PwC
8
Post-Infection Timeline: May 14 – September 21, 2021
Source: HSE/PwC
9
• The HSE did not have a single responsible owner for cybersecurity, at senior executive or management
level at the time of the incident.
• There was no dedicated committee that provided direction and oversight of cybersecurity and the activities
required to reduce the HSE's cyber risk exposure.
• There were known weaknesses and gaps in key cybersecurity controls.
• The lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cyber
risks, as well as the abilities to identify and deliver mitigating controls.
• The HSE did not have a centralized cybersecurity function that managed cybersecurity risk and controls.
• It was a known issue that the teams with cybersecurity responsibilities were under-resourced.
Key Findings: Ransomware Attack Preparedness
10
• The HSE’s technology has grown organically and is
consequently overly complex, increasing the
vulnerability of the HSE to cyber attacks.
• The HSE had a large and unclear security boundary that
encompassed many of the organizations connected to
the National Healthcare Network (NHN).
• The HSE’s effective security boundary did not align with
its ability to mandate cybersecurity controls.
• There was no effective security monitoring capability that
was able to detect, investigate and respond to security
alerts across the HSE's IT environment.
• The antivirus tool was over-relied upon to detect and
prevent threats on endpoints.
• The IT environment had high-risk gaps relating to 25 out
of 28 of the cybersecurity controls that are most effective
at detecting and preventing human-operated
ransomware attacks.
• The HSE did not have a documented cyber incident
response plan and had not performed typical preparatory
activities, such as exercising the technical response.
Key Findings: Ransomware Attack Preparedness (cont.)
11
• The cyber attack was not actively identified nor contained prior to
the ransomware execution, despite the attacker performing noisy
and ‘unstealthy’ actions.
• The HSE’s antivirus identified a tool commonly used by
ransomware groups (Cobalt Strike) on six servers on May 7, 2021
(and several more servers in the following days) but these alerts
were not appropriately actioned.
• Two voluntary hospitals identified suspicious activity prior to the
execution of ransomware, but a HSE centralized response was
not initiated.
• Two organizations successfully acted on detections of the
attacker, preventing the deployment of ransomware within their
estates.
• The HSE, with the help of third parties, mobilized a response to
the ransomware attack and overcame many of the significant
challenges the ransomware attack presented, drawing on their
experience responding to crises including COVID-19.
• The HSE was reliant on third parties in the early weeks of the
incident to provide structure to the response activities.
• Time was lost during the response due to a lack of pre-planning
for high impact technology events.
Key Findings: Ransomware Attack Response
12
• The HSE spent a significant amount of time during the response
gathering information about applications, as this information was not
recorded and up-to-date in a central or offline application register.
• There was a heavy reliance on specific individuals during the
response. This likely contributed to a recovery timeline that was
longer than could have been achieved.
• The response initially prioritized the recovery of foundational
systems, and applications on the operators of essential services list,
before advancing to an approach that focused on clinical risks and
the recovery of end-to-end clinical services.
• There was a lack of clearly defined and delineated decision-making
authority between the HSE, hospitals and Community Healthcare
Organizations (CHO) in the case of a health service-wide crisis.
• The OCIO was not able to provide or source (through third party
burst capacity) the scale of the IT support required by hospitals and
CHOs during the extended response to restore applications, systems
and services at pace.
• The HSE had limited to no ability to investigate the attack using its
own tooling.
• The HSE’s Incident Response provider identified evidence of how
the attacker was able to gain unauthorized access to the HSE’s IT
environment, as well as the attacker’s subsequent activities.
Key Findings: Ransomware Attack Response (cont.)
13
• The impact of the ransomware on the IT
environment was reported by the HSE’s
management to lead to 80% encryption.
• The impact of the ransomware attack on
communications was severe, as the HSE almost
exclusively used on-premise email systems
(including Exchange) that were encrypted, and
therefore unavailable, during the attack.
• The HSE took action to contain the ransomware
attack by powering down systems and
disconnecting the NHN from the internet.
• It is unclear how much data would have been lost if
a decryption key had not become available.
• Without the decryption key, it is unknown how long
it would have taken to recover systems from
backups, but it would have likely taken
considerably longer.
• The HSE missed opportunities for efficiencies in
the recovery of systems and applications due to a
lack of preparedness.
Key Findings: Ransomware Attack Impact and Recovery
14
Governance and cybersecurity leadership
1. Understanding of technology dependency and
governance of technology risk
2. Cybersecurity strategy and leadership
3. Ransomware-specific assessment
4. Effective cybersecurity monitoring and response
5. Testing of cybersecurity capability through
simulated attacks
Preparedness to respond and recover
1. Cybersecurity-specific incident response and
crisis management plans
2. Business continuity planning and IT disaster
recovery planning for a ransomware scenario
3. Retained incident and crisis support
General Takeaways for Healthcare Organizations
Reference Materials
16
• Abrams, Lawrence. 2021. Conti ransomware gives HSE Ireland free decryptor, still selling data. May 20.
Accessed January 26, 2022. https://www.bleepingcomputer.com/news/security/conti-ransomware-giveshse-ireland-free-decryptor-still-selling-data/.
• —. 2021. Irish High Court issues injunction to prevent HSE data leak. May 20. Accessed January 26, 2022.
https://www.bleepingcomputer.com/news/security/irish-high-court-issues-injunction-to-prevent-hse-dataleak/.
• Aodha, Gráinne Ní. 2021. HSE shuts down IT systems after 'major' ransomware attack, vaccination rollout
not affected. May 14. Accessed January 26, 2022. https://www.msn.com/en-ie/news/other/hse-shuts-downit-systems-after-major-ransomware-attack-vaccination-rollout-not-affected/ar-BB1gIETg
• BBC News. 2021. Cyber attack 'most significant on Irish state'. May 14. Accessed January 26, 2022.
https://www.bbc.com/news/world-europe-57111615.
• Bowers, Sean O'Rioran and Shauna. 2021. Cancer patient to sue Cork's Mercy Hospital over cyber hack .
July 15. Accessed January 26, 2022. https://www.irishexaminer.com/news/munster/arid-40337252.html.
• BreakingNews.ie. 2021. Cork hospital had help from Defence Forces after HSE cyberattack. October 7.
Accessed January 26, 202. https://www.breakingnews.ie/ireland/cork-hospital-had-help-from-defenceforces-after-hse-cyberattack-1155416.html.
• Ciara O'Brien, Simon Carswell. 2021. Coombe hospital services ‘continuing as normal’ after cyberattack.
December 16. Accessed January 26, 2022. https://www.irishtimes.com/business/technology/coombehospital-services-continuing-as-normal-after-cyberattack-1.4756968.
• CISA. 2021. Alert (AA21-265A) - Conti Ransomware. September 22. Accessed January 26, 2022.
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a.
References
17
• Coble, Sarah. 2021. HSE Missed Cyber-Attack’s Warning Signs. December 10. Accessed January 26,
2022. https://www.infosecurity-magazine.com/news/hse-missed-cyberattacks-warning/.
• Colgan, Laura. 18. Cybercrime group known as 'Wizard Spider' hackers behind Ireland HSE ransomware
attack. May 2021. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/crime/cybercrimegroup-known-wizard-spider-24128295.
• Corera, Gordon. 2021. Irish health cyber-attack could have been even worse, report says. December 10.
Accessed January 26, 2022. https://www.bbc.com/news/technology-59612917.
• Corfield, Gareth. 2021. Irish Health Service ransomware attack happened after one staffer opened
malware-ridden email. December 10. Accessed January 26, 2022.
https://www.theregister.com/2021/12/10/ireland_health_conti_ransomware_attack_report/.
• Daly, Ailbhe. 2021. Private information of thousands who received Covid vaccine exposed in HSE blunder.
February 25. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/health-news/privateinformation-thousands-who-received-23566568.
• Davis, Jessica. 2021. Ransomware post-mortem: Ireland HSE cyberattack, recovery dogged by missteps.
December 14. Accessed January 26, 2022. https://www.scmagazine.com/analysis/backup-andrecovery/ransomware-post-mortem-ireland-hse-cyberattack-recovery-dogged-by-missteps.
• Gallagher, Conor. 2021. Garda specialists tracked stolen HSE data to commercial server in US. December
22. Accessed January 26, 2022. https://www.irishtimes.com/news/crime-and-law/garda-specialists-trackedstolen-hse-data-to-commercial-server-in-us-1.4761457.
• Gatlan, Sergiu. 2021. Conti ransomware also targeted Ireland's Department of Health. May 17. Accessed
January 26, 2022. https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targetedirelands-department-of-health/.
References
18
• McCurry, Pat Flanagan and Cate. 2021. Fears data leak from HSE hack has begun as reports of fraud calls
begin to circulate. May 24. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/fearsdata-leak-hse-hack-24176617.
• McGee, Marianne Kolbasuk. 2021. Report Dissects Conti Ransomware Attack on Ireland's HSE. December
10. Accessed January 26, 2022. https://www.govinfosecurity.com/report-dissects-conti-ransomware-attackon-irelands-hse-a-18102.
• McNamee, Michael Sheils. 2021. HSE cyber-attack: Irish health service still recovering months after hack.
September 5. Accessed January 26, 2022. https://www.bbc.com/news/world-europe-58413448.
• McQuinn, Cormac. 2021. Cyberthreat healthcare alert came months before HSE hit by hackers. December
27. Accessed January 26, 2022. https://www.irishtimes.com/news/politics/cyberthreat-healthcare-alertcame-months-before-hse-hit-by-hackers-1.4762997.
• O'Regan, Eilish. 2021. HSE failed to respond to alerts of malicious activity before crippling cyber attack,
report reveals. December 10. Accessed January 26, 2022. https://www.independent.ie/irishnews/health/hse-failed-to-respond-to-alerts-of-malicious-activity-before-crippling-cyber-attack-reportreveals-41137550.html.
• —. 2021. HSE given stolen data, including medical records, taken by criminals during cyber attack in May.
December 20. Accessed January 26, 2022. https://www.independent.ie/irish-news/news/hse-given-stolendata-including-medical-records-taken-by-criminals-during-cyber-attack-in-may-41167881.html.
• PwC. 2021. Conti Cyber Attack on the HSE. December 03. Accessed January 26, 2022.
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf.
• RTE. 2021. HSE still 'very compromised' following cyber attack. May 26. Accessed May 26, 2022.
https://www.rte.ie/news/health/2021/0526/1223933-hse-cyber-attack-latest/.
References
? Questions
20
Questions
Upcoming Briefs
• EMR in Healthcare (2/17)
• Healthcare Cybersecurity: 2021 Year-in-Review (3/3)
• As-a-Service Model of Cybercrime (3/17)
Requests for Information
Need information on a specific cybersecurity
topic? Send your request for information
(RFI) to [email protected].
Product Evaluations
Recipients of this and other Healthcare Sector
Cybersecurity Coordination Center (HC3) Threat
Intelligence products are highly encouraged to provide
feedback. If you wish to provide feedback, please
complete the HC3 Customer Feedback Survey.
Disclaimer
These recommendations are advisory and are
not to be considered as Federal directives or
standards. Representatives should review and
apply the guidance based on their own
requirements and discretion. HHS does not
endorse any specific person, entity, product,
service, or enterprise.
21
About Us
HC3 works with private and public sector partners to improve cybersecurity
throughout the Healthcare and Public Health (HPH) Sector
Sector & Victim Notifications White Papers
Direct communications to victims or
potential victims of compromises,
vulnerable equipment or PII/PHI theft,
as well as general notifications to the
HPH about current impacting threats
via the HHS OIG.
Document that provides in-depth
information on a cybersecurity topic to
increase comprehensive situational
awareness and provide risk
recommendations to a wide audience.
Threat Briefings & Webinar
Briefing presentations that provide
actionable information on health sector
cybersecurity threats and mitigations.
Analysts present current cybersecurity
topics, engage in discussions with
participants on current threats, and
highlight best practices and mitigation
tactics.
Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to
[email protected],or visit us at www.HHS.Gov/HC3.
Products
Contact
www.HHS.GOV/HC3 [email protected]
the HSE Cyber Attack
02/03/2022
TLP: WHITE, ID# 202202031300
Agenda
2
• Background on the HSE Cyber Attack
• Threat Profile for Conti Ransomware
• HC3 Observations for Conti Ransomware
• Timeline of the Incident
• Key Findings
• General Takeaways for Healthcare Organizations
Non-Technical: Managerial, strategic and highlevel (general audience)
Technical: Tactical / IOCs; requiring in-depth
knowledge (sysadmins, IRT)
Slides Key:
3
• The Health Service Executive (HSE) of Ireland is the
country’s publicly funded healthcare system under the Irish
Department of Health, consisting of 54 public hospitals
directly under HSE authority, and voluntary hospitals which
utilize national IT infrastructure.
• On May 14, 2021, HSE suffered a major ransomware
cyberattack that caused all its IT systems nationwide to be
shut down.
• It became the most significant cyberattack on an Irish state
agency, as well as the largest known attack against a health
service computer system in history, occurring during the
COVID
-19 pandemic.
• It took four months to completely recover from the attack,
with HSE sustaining numerous impacts to healthcare
delivery during this timeframe (discussed in the next slide).
• Conti ransomware was responsible for the incident. • On December 3, 2021, HSE published an Independent Post
Incident Review consisting of a 157
-page redacted report,
which is the foundation of this brief.
• Full report of the Conti Cyber Attack on the HSE:
https://www.hse.ie/eng/services/publications/conti
-cyber
- attack-on-the-hse-full-report.pdf
Background on the HSE Cyber Attack
4
• Hospital staff were forced to revert to pen and
paper
• 80% of the HSE IT environment was encrypted,
severely disrupting healthcare services
throughout the country
• Prevented access to diagnostics and medical
records
• Exposed the private information of thousands
who received the COVID
-19 vaccine
• National vaccination program was not affected • Exfiltrated 700 GB of unencrypted data including
protected health information (PHI)
• Specialists tracked stolen HSE data to a
commercial server in the U.S.
• Lawsuits from patients over interrupted patient
care
• Large financial cost to respond to the incident • And more…
High Profile Impacts of the HSE Cyber Attack
5
Malware
• First Surfaced: December 2019
• Suspected Predecessor(s): Ryuk
• Malware Capabilities: Ransomware written in C/C++ that mainly encrypts local files
• Targeted Systems: All versions of Windows known to be affected
• Associated Malware/Tools: TrickBot, IcedID, Cobalt Strike, BazarLoader, Zloader, Rclone, LaZagne, Sidoh, etc.
• Infection Vectors: Spear phishing; Remote Desktop Protocol (RDP); phone calls; fake software; other malware; common vulnerabilities in external assets (i.e., Log4j)
Group
• Origin: Eastern Europe, Russian Federation
• Industry Names: Wizard Spider
• Associated Actors: UNC1878, TEMP.MixMaster, Grim Spider, UNC2633, UNC2727
• Forum Presence: Public and Private Forums
• Targeted Countries: United States, France, Germany, Canada, UK, Italy, Australia, Spain, Netherlands
• Targeted Industries: Manufacturing, construction, retail, legal, financial, technology, automotive, hospitality, transportation, energy, healthcare
• Status: Conti became the first professional-grade, sophisticated ransomware group to weaponize Log4j2 with a full attack chain in December 2021
• Classification: Highly-sophisticated, financially-motivated cybercriminal ransomware-as-a- service (RaaS) program; human-operated
• Threat to HPH Sector: Elevated Risk
Cyber Threat Profile: Conti Ransomware
6
• HC3 tracked at least 40
ransomware incidents involving
Conti ransomware in 2021
• Targeted countries within the
healthcare industry included
Australia, Colombia, France,
Germany, India, Italy,
Netherlands, the United Kingdom,
and the United States
• HPH entities in at least 20 U.S.
states experienced Conti
ransomware incidents or
appeared on the Conti
ransomware extortion blog
• Sub-industries within healthcare
impacted included Biotechnology,
Health or Medical Clinic,
Healthcare Industry Services,
Home Health Care Services,
Hospice or Elderly Care, Hospital,
Pharmaceutical Industry, and
Public Health entities
Historical Conti Ransomware Incidents in the HPH Sector Worldwide (2021)
Biotechnology
5%
Health or Medical
Clinic
32%
Healthcare Industry
Services
29%
Home Healthcare or
Elderly Care
Services
10%
Hospital
5%
Pharmaceutical
Industry
14%
Public Health
5%
Industry Breakdown: Conti Ransomware Incidents (2021)
7
Pre-Infection Timeline: March 18 – May 14, 2021
Source: HSE/PwC
8
Post-Infection Timeline: May 14 – September 21, 2021
Source: HSE/PwC
9
• The HSE did not have a single responsible owner for cybersecurity, at senior executive or management
level at the time of the incident.
• There was no dedicated committee that provided direction and oversight of cybersecurity and the activities
required to reduce the HSE's cyber risk exposure.
• There were known weaknesses and gaps in key cybersecurity controls.
• The lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cyber
risks, as well as the abilities to identify and deliver mitigating controls.
• The HSE did not have a centralized cybersecurity function that managed cybersecurity risk and controls.
• It was a known issue that the teams with cybersecurity responsibilities were under-resourced.
Key Findings: Ransomware Attack Preparedness
10
• The HSE’s technology has grown organically and is
consequently overly complex, increasing the
vulnerability of the HSE to cyber attacks.
• The HSE had a large and unclear security boundary that
encompassed many of the organizations connected to
the National Healthcare Network (NHN).
• The HSE’s effective security boundary did not align with
its ability to mandate cybersecurity controls.
• There was no effective security monitoring capability that
was able to detect, investigate and respond to security
alerts across the HSE's IT environment.
• The antivirus tool was over-relied upon to detect and
prevent threats on endpoints.
• The IT environment had high-risk gaps relating to 25 out
of 28 of the cybersecurity controls that are most effective
at detecting and preventing human-operated
ransomware attacks.
• The HSE did not have a documented cyber incident
response plan and had not performed typical preparatory
activities, such as exercising the technical response.
Key Findings: Ransomware Attack Preparedness (cont.)
11
• The cyber attack was not actively identified nor contained prior to
the ransomware execution, despite the attacker performing noisy
and ‘unstealthy’ actions.
• The HSE’s antivirus identified a tool commonly used by
ransomware groups (Cobalt Strike) on six servers on May 7, 2021
(and several more servers in the following days) but these alerts
were not appropriately actioned.
• Two voluntary hospitals identified suspicious activity prior to the
execution of ransomware, but a HSE centralized response was
not initiated.
• Two organizations successfully acted on detections of the
attacker, preventing the deployment of ransomware within their
estates.
• The HSE, with the help of third parties, mobilized a response to
the ransomware attack and overcame many of the significant
challenges the ransomware attack presented, drawing on their
experience responding to crises including COVID-19.
• The HSE was reliant on third parties in the early weeks of the
incident to provide structure to the response activities.
• Time was lost during the response due to a lack of pre-planning
for high impact technology events.
Key Findings: Ransomware Attack Response
12
• The HSE spent a significant amount of time during the response
gathering information about applications, as this information was not
recorded and up-to-date in a central or offline application register.
• There was a heavy reliance on specific individuals during the
response. This likely contributed to a recovery timeline that was
longer than could have been achieved.
• The response initially prioritized the recovery of foundational
systems, and applications on the operators of essential services list,
before advancing to an approach that focused on clinical risks and
the recovery of end-to-end clinical services.
• There was a lack of clearly defined and delineated decision-making
authority between the HSE, hospitals and Community Healthcare
Organizations (CHO) in the case of a health service-wide crisis.
• The OCIO was not able to provide or source (through third party
burst capacity) the scale of the IT support required by hospitals and
CHOs during the extended response to restore applications, systems
and services at pace.
• The HSE had limited to no ability to investigate the attack using its
own tooling.
• The HSE’s Incident Response provider identified evidence of how
the attacker was able to gain unauthorized access to the HSE’s IT
environment, as well as the attacker’s subsequent activities.
Key Findings: Ransomware Attack Response (cont.)
13
• The impact of the ransomware on the IT
environment was reported by the HSE’s
management to lead to 80% encryption.
• The impact of the ransomware attack on
communications was severe, as the HSE almost
exclusively used on-premise email systems
(including Exchange) that were encrypted, and
therefore unavailable, during the attack.
• The HSE took action to contain the ransomware
attack by powering down systems and
disconnecting the NHN from the internet.
• It is unclear how much data would have been lost if
a decryption key had not become available.
• Without the decryption key, it is unknown how long
it would have taken to recover systems from
backups, but it would have likely taken
considerably longer.
• The HSE missed opportunities for efficiencies in
the recovery of systems and applications due to a
lack of preparedness.
Key Findings: Ransomware Attack Impact and Recovery
14
Governance and cybersecurity leadership
1. Understanding of technology dependency and
governance of technology risk
2. Cybersecurity strategy and leadership
3. Ransomware-specific assessment
4. Effective cybersecurity monitoring and response
5. Testing of cybersecurity capability through
simulated attacks
Preparedness to respond and recover
1. Cybersecurity-specific incident response and
crisis management plans
2. Business continuity planning and IT disaster
recovery planning for a ransomware scenario
3. Retained incident and crisis support
General Takeaways for Healthcare Organizations
Reference Materials
16
• Abrams, Lawrence. 2021. Conti ransomware gives HSE Ireland free decryptor, still selling data. May 20.
Accessed January 26, 2022. https://www.bleepingcomputer.com/news/security/conti-ransomware-giveshse-ireland-free-decryptor-still-selling-data/.
• —. 2021. Irish High Court issues injunction to prevent HSE data leak. May 20. Accessed January 26, 2022.
https://www.bleepingcomputer.com/news/security/irish-high-court-issues-injunction-to-prevent-hse-dataleak/.
• Aodha, Gráinne Ní. 2021. HSE shuts down IT systems after 'major' ransomware attack, vaccination rollout
not affected. May 14. Accessed January 26, 2022. https://www.msn.com/en-ie/news/other/hse-shuts-downit-systems-after-major-ransomware-attack-vaccination-rollout-not-affected/ar-BB1gIETg
• BBC News. 2021. Cyber attack 'most significant on Irish state'. May 14. Accessed January 26, 2022.
https://www.bbc.com/news/world-europe-57111615.
• Bowers, Sean O'Rioran and Shauna. 2021. Cancer patient to sue Cork's Mercy Hospital over cyber hack .
July 15. Accessed January 26, 2022. https://www.irishexaminer.com/news/munster/arid-40337252.html.
• BreakingNews.ie. 2021. Cork hospital had help from Defence Forces after HSE cyberattack. October 7.
Accessed January 26, 202. https://www.breakingnews.ie/ireland/cork-hospital-had-help-from-defenceforces-after-hse-cyberattack-1155416.html.
• Ciara O'Brien, Simon Carswell. 2021. Coombe hospital services ‘continuing as normal’ after cyberattack.
December 16. Accessed January 26, 2022. https://www.irishtimes.com/business/technology/coombehospital-services-continuing-as-normal-after-cyberattack-1.4756968.
• CISA. 2021. Alert (AA21-265A) - Conti Ransomware. September 22. Accessed January 26, 2022.
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a.
References
17
• Coble, Sarah. 2021. HSE Missed Cyber-Attack’s Warning Signs. December 10. Accessed January 26,
2022. https://www.infosecurity-magazine.com/news/hse-missed-cyberattacks-warning/.
• Colgan, Laura. 18. Cybercrime group known as 'Wizard Spider' hackers behind Ireland HSE ransomware
attack. May 2021. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/crime/cybercrimegroup-known-wizard-spider-24128295.
• Corera, Gordon. 2021. Irish health cyber-attack could have been even worse, report says. December 10.
Accessed January 26, 2022. https://www.bbc.com/news/technology-59612917.
• Corfield, Gareth. 2021. Irish Health Service ransomware attack happened after one staffer opened
malware-ridden email. December 10. Accessed January 26, 2022.
https://www.theregister.com/2021/12/10/ireland_health_conti_ransomware_attack_report/.
• Daly, Ailbhe. 2021. Private information of thousands who received Covid vaccine exposed in HSE blunder.
February 25. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/health-news/privateinformation-thousands-who-received-23566568.
• Davis, Jessica. 2021. Ransomware post-mortem: Ireland HSE cyberattack, recovery dogged by missteps.
December 14. Accessed January 26, 2022. https://www.scmagazine.com/analysis/backup-andrecovery/ransomware-post-mortem-ireland-hse-cyberattack-recovery-dogged-by-missteps.
• Gallagher, Conor. 2021. Garda specialists tracked stolen HSE data to commercial server in US. December
22. Accessed January 26, 2022. https://www.irishtimes.com/news/crime-and-law/garda-specialists-trackedstolen-hse-data-to-commercial-server-in-us-1.4761457.
• Gatlan, Sergiu. 2021. Conti ransomware also targeted Ireland's Department of Health. May 17. Accessed
January 26, 2022. https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targetedirelands-department-of-health/.
References
18
• McCurry, Pat Flanagan and Cate. 2021. Fears data leak from HSE hack has begun as reports of fraud calls
begin to circulate. May 24. Accessed January 26, 2022. https://www.irishmirror.ie/news/irish-news/fearsdata-leak-hse-hack-24176617.
• McGee, Marianne Kolbasuk. 2021. Report Dissects Conti Ransomware Attack on Ireland's HSE. December
10. Accessed January 26, 2022. https://www.govinfosecurity.com/report-dissects-conti-ransomware-attackon-irelands-hse-a-18102.
• McNamee, Michael Sheils. 2021. HSE cyber-attack: Irish health service still recovering months after hack.
September 5. Accessed January 26, 2022. https://www.bbc.com/news/world-europe-58413448.
• McQuinn, Cormac. 2021. Cyberthreat healthcare alert came months before HSE hit by hackers. December
27. Accessed January 26, 2022. https://www.irishtimes.com/news/politics/cyberthreat-healthcare-alertcame-months-before-hse-hit-by-hackers-1.4762997.
• O'Regan, Eilish. 2021. HSE failed to respond to alerts of malicious activity before crippling cyber attack,
report reveals. December 10. Accessed January 26, 2022. https://www.independent.ie/irishnews/health/hse-failed-to-respond-to-alerts-of-malicious-activity-before-crippling-cyber-attack-reportreveals-41137550.html.
• —. 2021. HSE given stolen data, including medical records, taken by criminals during cyber attack in May.
December 20. Accessed January 26, 2022. https://www.independent.ie/irish-news/news/hse-given-stolendata-including-medical-records-taken-by-criminals-during-cyber-attack-in-may-41167881.html.
• PwC. 2021. Conti Cyber Attack on the HSE. December 03. Accessed January 26, 2022.
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf.
• RTE. 2021. HSE still 'very compromised' following cyber attack. May 26. Accessed May 26, 2022.
https://www.rte.ie/news/health/2021/0526/1223933-hse-cyber-attack-latest/.
References
? Questions
20
Questions
Upcoming Briefs
• EMR in Healthcare (2/17)
• Healthcare Cybersecurity: 2021 Year-in-Review (3/3)
• As-a-Service Model of Cybercrime (3/17)
Requests for Information
Need information on a specific cybersecurity
topic? Send your request for information
(RFI) to [email protected].
Product Evaluations
Recipients of this and other Healthcare Sector
Cybersecurity Coordination Center (HC3) Threat
Intelligence products are highly encouraged to provide
feedback. If you wish to provide feedback, please
complete the HC3 Customer Feedback Survey.
Disclaimer
These recommendations are advisory and are
not to be considered as Federal directives or
standards. Representatives should review and
apply the guidance based on their own
requirements and discretion. HHS does not
endorse any specific person, entity, product,
service, or enterprise.
21
About Us
HC3 works with private and public sector partners to improve cybersecurity
throughout the Healthcare and Public Health (HPH) Sector
Sector & Victim Notifications White Papers
Direct communications to victims or
potential victims of compromises,
vulnerable equipment or PII/PHI theft,
as well as general notifications to the
HPH about current impacting threats
via the HHS OIG.
Document that provides in-depth
information on a cybersecurity topic to
increase comprehensive situational
awareness and provide risk
recommendations to a wide audience.
Threat Briefings & Webinar
Briefing presentations that provide
actionable information on health sector
cybersecurity threats and mitigations.
Analysts present current cybersecurity
topics, engage in discussions with
participants on current threats, and
highlight best practices and mitigation
tactics.
Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to
[email protected],or visit us at www.HHS.Gov/HC3.
Products
Contact
www.HHS.GOV/HC3 [email protected]
