In May 2021, a Conti ransomware attack crippled Ireland’s Health Service Executive (HSE). And unfortunately, the country’s public hospital system is still feeling the effects.
The costs of cyberattacks (shut-down services, angry patients, and extraordinary monetary losses) are detrimental to healthcare industries worldwide.
For healthcare covered entities, keeping protected health information (PHI) safe is a crucial part of patient care. For those in the U.S. covered by HIPAA, strong cybersecurity measures, such as HIPAA compliant email, are essential.
Conti ransomware is a known ransomware-as-a-service that exploits weaknesses in Microsoft products. A U.S. joint advisory notes that Conti's developers probably pay the people who deploy the ransomware a wage rather than a percentage of the proceeds.
The Conti developers claimed responsibility for at least 16 cyberattacks within the U.S. Internationally, Conti cyberattacks have risen to more than 1,000.
What happened to HSE in 2021?
In 2021, HSE discovered a large-scale ransomware attack that shut down its healthcare IT systems nationwide. The cybercriminals (Russia-based Wizard Spider) delivered Conti ransomware through a malicious Microsoft Excel file attached to a phishing email.
The attack led to several immediate problems for HSE’s hospitals:
- EHR (electronic health record) downtime
- Staff reverting to pen and paper records
- Appointment cancellations
- 80% of HSE data encrypted
- 700 GB of unencrypted PHI exfiltrated
The hackers provided a decryption tool for free but threatened to publish the information publicly if they didn’t receive the $20 million bitcoin ransom. HSE refused to pay and the threat group exposed PHI, including COVID-19 vaccination information.
Recovery from the above problems took months but does not represent the end of HSE’s issues.
Ransomware recovery is long and costly
According to ransomware experts, ransomware recovery is a lengthy, complex process with huge expenses, from lost time to lost opportunities. On top of this are exorbitant monetary costs:
- Ransom (if paid)
- Recovery and decryption fees
- Cybersecurity additions and alterations
- Governmental fines
For example, Scripps Health took weeks to get its system back online and suffered $112.7 million in lost revenue.
At the moment, HSE’s costs have reached €43 million for IT changes, cyber/strategic partner support, and vendor support.
HSE forecasts that expenses could reach as high as €100 million, but of course there are also the costs to patient care. Lawsuits from patients are pending.
While the costs of Ireland’s cyberattack seem high, the numbers show that HSE is serious about improving its cybersecurity.
Avoid the costs and headaches
We recently summarized a Health Sector Cybersecurity Coordination Center (HC3) brief urging U.S. healthcare organizations to learn from Ireland’s cyberattack. According to HC3, the problems boil down to a lack of leadership and of up-to-date plans that focus on before, during, and after an attack.
HC3 further stated that HSE over-relied on its antivirus software, which is why it added helpful cybersecurity safeguards:
- Employee training
- Strong access controls (e.g., password security)
- Offline backup
- Patched/updated systems and devices
- Encryption at rest and in transit
And of course, strong email security to block phishing emails from ever making it into an inbox.
Ensure HIPAA compliant email with Paubox Email Suite Plus
Paubox Email Suite Plus provides needed email security and strong HIPAA compliant email. Our HITRUST CSF certified solution encrypts all outbound email, which can be sent directly from an existing email platform (e.g., Microsoft 365 or Google Workspace).
No extra passwords, portals, or logins are necessary.
And it blocks incoming phishing messages and other email threats from even reaching an inbox. Our Zero Trust Email feature requires an additional piece of evidence and keeps malware from being delivered.
The costs of a cyberattack, especially a ransomware attack, can add up and be astronomical. It’s best to avoid having to deal with this by utilizing solid cybersecurity measures before a threat group causes complications.