How a simple ransomware attack paralyzed a health service giant.

Ireland’s national health service was wholly unprepared for the ransomware attack that crippled its services in May and remains vulnerable to a second strike. This is according to a government-commissioned analysis published last week.

The independent report into the cyber-attack on Ireland’s health service also found the consequences could have been even worse than they were.

The ransomware attack locked staff out of their computer systems and “severely” disrupted healthcare in the country.

Ransomware almost paralysed Ireland’s Health Service Executive (HSE) after a single user opened a malicious file attached to a phishing email, the report said.

But the report also said it would have been worse if the attack had destroyed data or Covid-19 vaccination systems or hit specific medical devices.

It added the attack had “a far greater” impact than initially expected.

Ireland’s National Cyber Security Centre (INCSC) named the ultimate payload as Conti v3, a 32-bit executable that encrypts all within its grasp. The attackers triggered the attack two months after gaining initial access.

Two months after gaining access, Conti hit the big red button: a large part of Ireland’s health service lost its IT systems as responders struggled to contain the ransomware infection.

The report, by PricewaterhouseCoopers (PwC), commissioned by the healthcare executive, found that systems remain vulnerable to even more serious attacks in the future.

The Irish technology systems were “frail” and the organization missed several opportunities to spot warning signs, cyber-security experts found.

HSE workers had to return to pen and paper

The HSE is Ireland’s largest employer with 130,000 staff and contractors, 54 hospitals and 1,200 networked locations. The organization received warnings of suspicious activity from two hospitals and its own antivirus software provider in the days running up to the May 14 attack but took no action, the report said.

All computer systems were switched off. Doctors, nurses and other workers lost access to systems for patient information, clinical care and laboratories.

Emails went down, and staff had to turn to pen and paper.

Workers had to handwrite and manually enter lab test data – leading to greater risks of mistakes.

The attack disrupted thousands of people’s healthcare. For example, a GP received a phone call from a consultant surgeon questioning the location of a patient due for surgery. But that person had already had the operation, the report said.

The attackers demanded payment to restore access to the computer systems, and it took the service four months to fully recover.