In the early morning of May 14th this year, security staff attached to the National Cyber Security Centre in Ireland noticed suspicious activity within IT networks connected to the country's Health Service Executive, the HSE. Hours later, IT systems in dozens of hospitals, clinics, and health providers -- all serving the country's population of nearly five million people -- had been shut down with what turned out to be a devastating Conti ransomware attack.
As the HSE attack shows, while no organization is immune from ransomware, some sectors are more exposed than others, and attacks on them have more devastating consequences. Unfortunately, with ransomware threats growing at hundreds of percent annually, European healthcare has never been more at risk. The Health Service Executive attack is a case in point and is already being called the state's most significant ransomware attack.
A Sign of the Times for Healthcare Organizations
The HSE attack compromised at least 80,000 endpoints and shut down non-urgent operations across Ireland, forcing hospitals to revert to the pen-and-paper operational models last seen in the mid-1990s. The attack, which is still being remediated, also compromised medical data belonging to millions of people living in Ireland, some of which is already finding its way onto the dark web.
Shockingly, the Health Service Executive attack is only the latest in a series of similar incidents which have paralyzed healthcare institutions across Europe. In February, two French hospitals were effectively shut down after a similar cyber attack, forcing patients to be transferred elsewhere. Late last year, a prolonged ransomware attack on Vastaamo, a private Finnish psychiatric care network, resulted in a massive exposure of patient health records — causing incredible stress for impacted patients who were faced with personalized ransom demands.
The upshot of this threat environment is that ransomware attacks are real, terrifying, and increasingly frequent. Behind them are inherent and evolving weaknesses in European healthcare cybersecurity brought on by increased digitization across operations.
Digitization Drives Higher Ransomware Risk
As shown by the recent HSE and Vastaamo attacks, threat actors aren’t limiting their attacks to individual institutions or clinics. Instead, private and public networks are now in their crosshairs too. This fact was recently highlighted by German cyber defense chief Arne Schoenbohm, who warned about his own country's vulnerability to similar attacks.
Previously, the success of attacks such as the WannaCry ransomware attack, which struck the U.K.’s National Health Service in 2017, was based on their ability to exploit particular vulnerabilities. However, changing threat actor tactics have made organizations vulnerable to attack from a multitude of angles.
Like the Conti ransomware group responsible for the HSE attack, threat actor gangs increasingly leverage human-operated ransomware techniques and tactics. As a result, cybercriminals going after the “big game” that health groups represent can take a highly flexible approach to their targets. Depending on what they can access, attackers can move from malicious email links and infected attachments to stolen remote desktop credentials.
With fileless malware increasingly capable of avoiding defenses, attackers can now dwell longer within networks, moving rapidly from low-value endpoints and propagating attacks far beyond initial infection points. From a threat actor's perspective, this ability makes every endpoint a valuable resource but greatly complicates security for organizations like health services with vast numbers of vulnerable endpoints.
COVID-19 Makes Healthcare Cyber Defences Weaker than Ever
While inherent vulnerabilities within healthcare networks are no surprise, recent events put them into focus. Aside from highlighting insufficient frontline staffing and bed provision, pandemic-led digitization has also shed light on archaic and ineffective cybersecurity procedures still used within the healthcare sector.
IT systems have often been neglected within stretched health services and are frequently the last area to receive sufficient funding or undergo modernization. In the NHS, for example, the average age of a PC is at least seven years. At the same time, in many healthcare services, connected devices often run on outdated operating systems or easily exploitable software like Internet Explorer.
However, healthcare systems have also been made more vulnerable because of the COVID-19 pandemic itself. As large numbers of non-clinical employees, including IT staff and administrators, have transitioned to remote working, overall network security has decreased dramatically. At the same time, rapid digitization within hospitals and patient care, alongside increased reliance on digital communication such as email, has increased the frequency and success rate of phishing attempts.
Staffing levels for cybersecurity are also a constant struggle for health services at every level. For example, prior to the Health Service Executive attack, the post of National Cyber Security Centre director for Ireland had remained vacant for over a year, prompting an immediate call to raise the salary for the role several times over.
Defense Means Breaking the Status Quo Around Healthcare Cybersecurity
Across Europe, the COVID-19 pandemic has provided an impetus to rebuild national healthcare provision from the ground up — an effort that is also pushing digitization to the forefront. However, as seen by the spate of attacks rocking European healthcare, doing so safely also means prioritizing cybersecurity and building defense in depth.
This cycle of threat and reaction is not new. Following the 2017 WannaCry attack, the NHS invested heavily in creating a more secure system of backups. However, with more at stake now, responding to the threat ransomware poses to European health means doing more than just making remediation faster. Aside from preparing to mitigate attacks, healthcare services should work proactively to prevent them from happening in the first place.
Actively stopping threat actors by training staff to avoid phishing attacks and ensuring network access is limited is key to doing this. Security solutions also have a role to play. However, with most malware delivered filelessly and bypassing traditional antivirus solutions, no single solution layer will ever provide real protection. Instead, a lightweight deterministic security toolkit consisting of Morphisec and OS-native Windows Defender antivirus is needed.
The only secure future for European healthcare is one where proactive cyber defense can be combined with effective security solutions. The alternative is too horrific to imagine.