Three healthcare institutions in Canada, Ireland and New Zealand are in the midst of security incidents this week, highlighting the perilous cybersecurity landscape within some of the world's most important organizations.
Ireland's Department of Health was attacked twice in the last week, eventually shutting down their entire IT system after a ransomware attack last Thursday. The same group also hit the Health Service Executive with a ransomware attack. Chief Operations Officer of the Health Service Executive Anne O'Connor told The Journal that the office had been hit by the Conti ransomware.
According to RTÉ and the BBC, dozens of outpatient services were cancelled, a vaccine portal for Covid-19 was shut down and the country has spent days trying to bring its healthcare IT system back online. Irish Foreign Minister Simon Coveney called it a "very serious attack" while Irish Minister of State Ossian Smyth said it was "possibly the most significant cybercrime attack on the Irish State."
The leaders of the Irish government met on Monday and said the National Cyber Security Centre had brought in Europol, private sector cybersecurity experts and hundreds of others to help solve the ransomware attack.
The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams are going through all 2,000 different IT systems one by one
"Those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen. These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data," the government statement said.
"The significant disruption to health services is to be condemned, especially at this time. Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused."
Emergency services are still operating in the country but are now busy because of the IT outage. Many radiology appointments are cancelled, according to a government statement, and there are now delays in COVID-19 test result reporting as well as delays with issuing birth, death or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals have all been affected by the attack, according to The Journal.
Dublin's Rotunda Hospital, The National Maternity Hospital, St Columcille's Hospital, Children's Health Ireland (CHI) at Crumlin Hospital, The UL Hospitals Group have all reported varying levels of IT outages.
Health Minister Stephen Donnelly added this week that the HSE payment system was downed by the attack and that the 146,000 people working in the healthcare industry will face issues with full payment.
On Thursday, the Financial Times reported that the people behind the ransomware attack were demanding $20 million to restore the system and had already started leaking private information about patients online. Irish Prime Minister Micheál Martin previously told the BBC that the government would not pay the ransom.
New Zealand is facing a similar issue, with IT services for their healthcare system reporting a cybersecurity incident that completely knocked out the entire system. Clinical services at hospitals in Waikato, Thames, Tokoroa, Te Kuiti and Taumarunui have all been affected by the attack. Even the landline phone services are down, and the government has said some outpatient appointments may need to be cancelled. More than 30 elective surgeries were cancelled in recent days due to the outage.
In addition to the attacks on the Irish and New Zealand healthcare systems, Canadian insurer Guard.me, one of the world's largest insurance carriers, is still dealing with a downed website following "suspicious activity was directed at the guard.me website." The site is still down, with a lengthy message explaining that they took down their website as a cautionary measure.
Guard.me provides students who study abroad with health coverage internationally and the company has already sent out a letter to students informing them of the attack, according to Bleeping Computer.
The letter admits that the "suspicious activity" they caught was actually someone gaining access to a database that contained the dates of birth, genders, phone numbers, email addresses, mailing addresses, passwords of students.
Cybersecurity expert Mathieu Gorge, CEO of Ireland-based VigiTrust, said ransomware gangs and other cybercriminals have proven repeatedly through attacks on healthcare systems during the pandemic that they have little regard for human life or privacy.
"What's most worrying about this is that it has established a trend that you can attack critical infrastructure anywhere and everywhere," Gorge said. "And these aren't necessarily sophisticated attacks by nation-states; they are relatively low-skill attacks with huge consequences exploiting attack surfaces which frankly should be better protected."
Saryu Nayyar, CEO of cybersecurity company Gurucul, said ransomware gangs have now perfected the art of monetizing every aspect of an attack. On top of the ransoms they make from attacks, medical records, she said, hold highly sensitive personal data that can be used to socially engineer money from fragile patients who are not cyber savvy like the elderly, not to mention the obvious identity theft.
"The fact that the Irish government will not give in to the attacker's demands is a sign that they are confident they have backups to sufficiently restore their systems and data. But the cybercriminals will likely publicize their stash of sensitive patient health data just because they can and they're evil," Nayyar added.
"Usually, the ransom price is determined by the amount of cybersecurity insurance the victim organization has. Perhaps the Irish government doesn't have cybersecurity insurance, but in this case it doesn't matter since Conti is known to operate on the basis of 'double extortion' attacks, so the data would be made public anyway."
Zerto vice president of product marketing Caroline Seymour noted that even when organizations have backups or recovery systems, they can be days or weeks old, leading to inevitable gaps and data loss that can be highly disruptive as well as add significantly to the overall recovery cost.
Many other experts noted that the rush to digitize hospital services across the world has left almost every country vulnerable to ransomware operators eager to hold critical arms of governments hostage.
With the millions of dollars being made through ransomware, the gangs behind them have become more methodical and are now run like businesses with scalable campaigns, according to Hank Schless, senior manager at Lookout.
"Historically, it was far more likely that attackers would try to brute force their way into the infrastructure and exploit any weak points in its defenses," Schless explained.
"Every day, hundreds if not thousands of users connect to corporate infrastructure from unmanaged devices and networks. They also expect to have seamless access to a mix of on-premises and cloud-based services in order to get their jobs done. Since this all takes place outside the safety of the traditional perimeter, it could open countless backdoors into your infrastructure."