Threat Watch

Irish healthcare shuts down IT systems after ransomware attack

Ireland’s publicly-funded healthcare system, Health Service Executive (HSE), has shut down all IT systems due to a ransomware attack. Even though most hospital appointments are not affected, some hospitals have suffered service disruptions, including the Rotunda Maternity Hospital and the Cork University Hospital where some appointments have been canceled. HSE stated that emergency and ambulatory services are still operating in a normal capacity. HSE also noted that the attackers have yet to make a ransom demand. This could be because the added pressure on ransomware gangs following the US government reaction to the Colonial Pipeline attack, or it could be due to rejection by other cybercrime groups of any ransomware operation that targets hospitals. It is also possible that the ransomware group has left a demand message somewhere but has just failed to connect with the healthcare system administrators. Binary Defense analyst will continue to monitor the situation for updates.

ANALYST NOTES

To combat ransomware, organizations must take a wholistic view of security controls, awareness, monitoring and response. Organizations must ensure employees are properly trained on best security practices. Employees must understand how ransomware gangs gain initial access into a company. Cyber threat actors often target email accounts because access to a victim’s email account allows them to reset passwords to many other online systems easily. Passwords alone are not enough to protect sensitive information, especially if employees choose the same or similar passwords for multiple sites—criminals and government backed hackers alike often use lists of passwords leaked from other websites when they attempt to guess passwords for email accounts or remote access accounts. Threat actors can leverage stolen medical records to impersonate legitimate patients to commit various forms of fraud, including submitting fraudulent claims to health insurers without authorization. This could not only affect healthcare coverage, but also compromise safety if there’s misinformation on file that is needed for medical treatment. Anyone who may have been a victim of a medical data breach should get confirmation from their provider to find out exactly what information was stolen. Change and strengthen any online logins and implement multi-factor authentication. Asking the insurance provider for copies of claims and carefully reviewing explanation of benefits notices can reveal if a patient’s identity has been used fraudulently. This might show if inaccurate health and medical information is present in the patient’s records. Lastly, financial and credit accounts should be monitored closely, because sometimes medical insurance information is used to commit other forms of financial fraud. Placing a credit freeze on file with the credit bureaus and notifying banks or other financial institutions is helpful to prevent fraud when identity theft is suspected.

Source: https://www.bleepingcomputer.com/news/security/irish-healthcare-shuts-down-it-systems-after-ransomware-attack/