Developments in Cyber Security in the Irish Healthcare Sector Since the May 2021 Cyber-Attack

By Ken Sheehan, Smarttech247

Introduction

In May 2021, a ransomware group carried out a double extortion attack on the HSE: data was stolen and files were encrypted, with a catastrophic impact on the HSE’s ability to function. The multi-faceted response, which included the HSE and private sector partners, the National Cyber Security Centre and the Defence Forces, was impressive, and certainly reinforced the idea that cyber is a team sport, and that it’s important to understand what the other players are doing.

The initial tactical response was mirrored by a strategic response. It’s important to remember that the Colonial Pipeline attack also happened in May 2021, disrupting the delivery of gasoline to the US East Coast states. June 2021 saw a flurry of diplomatic activity:

  • The G7 made a statement regarding ransomware, urging Russia to ‘hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes’.
  • An EU–US summit pledged to foster ‘responsible behaviour in cyberspace’.
  • NATO agreed to a new cybersecurity strategy that will bolster its collective defence in the case of a ‘cyber-attack of significance’ on a member.
  • The US and Russian presidents announced ‘cyber consultations’ after a summit in Geneva.

What has changed since then?

In the almost three years since the attack, what has changed? I think there have been three significant shifts: changes to defenders, changes to the threat, and changes to the environment as a result of digital transformation programmes.

Changes to Defenders

Looking at the changes to defences, the EU has responded in the best way it knows how: regulation.

  • NIS2 will regulate essential services including healthcare so they have to take appropriate security measures and notify relevant national authorities of serious incidents.
  • The Cyber Resilience Act will impose standards on software and hardware sold within the EU. The EU’s Cyber Security Act, first put into force in 2019, continued to be strengthened.

There has also been a Government-led change. The NCSC in Ireland has grown from 25 staff in 2021 to 62 at the end of last year. Capital funding for ICT and digital health has grown from €60 million in 2018 to €155 million in 2024.

Changes to the Threat

The threat has changed. The last three years have seen some really worrying milestones. The costs of a data breach in the healthcare industry continue to rise. In 2023, the average cost reached $10.93 million. The frequency is also increasing, with one report noting a 60% increase in phishing attacks between 2022 and 2023, with healthcare being the primary target of these attempts.

The impact caused by attacks continued to grow. In June 2023, St. Margaret’s Hospital in the US became the first healthcare institution to permanently cease operations due in part to the fallout of a ransomware attack. A study released in October 2023 on the impact of ransomware on US healthcare facilities noted an increase in mortality rates for patients who were already admitted at the time of the attack.

In February 2024, 100 Romanian hospitals were impacted by a ransomware attack. At least 21 hospitals had files encrypted, and others took their networks offline in response to the attack. A ransom of $180,000 was demanded from hospitals. The attacks appear to be centred on the Hipocrate Information System (HIS). The Romanian National Cybersecurity Directorate worked with the impacted hospitals, and it appears that no ransom was paid.

And obviously it’s not just hospitals that are at risk. Following data breaches in two third-party healthcare payment services, almost half of French citizens had their data exposed. The names, dates of birth, social security numbers and insurance information of 33 million people were exposed.

Hacktivist groups targeting the healthcare sector have become much more active since the beginning of 2023. In particular, the Anonymous Sudan and Killnet threat actors have increased their activities. These activities have been linked to geo-political issues, and cyber attacks have become the weapon of first resort for states.

Changes to the Environment

Technology is evolving faster than ever, and the promise of using it to support better health outcomes more efficiently will be a significant focus for the HSE over the next decade. The Digital Health Strategic Framework (2024-2030) will be released shortly; it will include a roadmap for investment in digital health and the delivery of digital patient records. How this evolving technology will be delivered safely will be the focus for IT security professionals for the next decade.

New technologies like the Internet of Things offer the potential to transform patient monitoring. The IoT healthcare market is projected to reach a valuation of $289 billion by 2028. Other leaps forward, like Artificial Intelligence, could assist in decision augmentation in medical diagnostics before too long. The potential for these two technologies to interact is incredibly exciting. However, as the complexity increases, so do vulnerabilities. The risk of a slight misconfiguration is real, and the potential damage that could be done by a threat actor is worrying.

Who is responsible for making this better?

Who is responsible for securing our digital safety? I think overall digital security requires a whole-of-society approach, not just a whole-of-Government approach. The potential for ground-breaking improvements in patient outcomes is incredible. There will be more devices, more complexity and more opportunities for threat actors to cause disruption, and there will be more reasons for them to cause that disruption. We all have a part to play, and we have seen how the EU and State agencies have reacted to the 2021 attack. Tech companies have an obligation to innovate safely, and services and products must be resilient. It’s also critical that decision makers within the healthcare system understand the risks and sufficiently prioritise mitigation measures.