Ireland’s Health System Under Attack

By Nadir Izrael, Co-founder and CTO

After operations had been halted at manufacturers like Molson Coors and critical infrastructure was shut down on the Colonial Pipeline, it’s now Ireland’s Health Service Executive (HSE) that is reporting a ‘significant ransomware attack’ on their core systems. The cybercrime war is escalating quickly.

Healthcare systems globally have been targets for cyberattack since the beginning of the pandemic last year with incidents doubling in 2020 alone. In this case, HSE has had national and local systems impacted, with clerical staff having to revert (where possible) to paper-based systems. In some cases, hospitals have warned of significant disruption. In the middle of a pandemic, this is the last thing a hospital eco-system needs. The central patient booking, and administrative system is core to how a hospital operates.

HSE chief executive Paul Reid said officials were working with republics police force the ‘Garda Síochána’, the Defence Forces and third party cyber security experts to respond to the attack. Garda Síochána said the HSE was the lead agency in dealing with the attack but it was liasing with the health body and the National Cyber Security Centre.

At this stage it’s unclear if critical equipment in intensive care units and other ‘isolated’ infrastructure in hospitals have been affected by the attack, but the events can be very distressing for instance, with cancer care, where patients await results or experience delays in treatment adding to the anxiety they already face. 

This ransomware attack on the HSE was preventable. Legacy patient and admin systems that are not adequately secure are prone to attacks by bad actors. This has been commonplace in a range of healthcare networks and eco-systems. This attack may now mean that parts of the Republic of  Irelands’ (RoI) health care network will be off-line for many weeks. As an incident response team will now need to investigate the attack, where the system entry points were and how to remove the risk exposure from the hospital network.

Risk Management Needs to Pivot

Attacks like these showcase the fragile interdepencies that exist between applications used to support the process of care delivery as well as ancillary functions like lab, pharmacy, registration and billing. We have also seen business processes such as payroll affected in these types of attacks as well. This highlights the need to have a risk management function that takes into account clinical workflows in addition to data security as part of the information security strategy. A key element of that is to design appropriate security architectures whose efficacy of protection is the same when applied to older legacy systems as well as when applied to current cloud-based health IT applications. Our blog on risk management illustrates how to manage this balance and offers recommendations on how appropriate risk scoring can be used to improve resilience from attacks like this one on HSE.

Resiliency as a Function of Continuity of Operations

Securing the patient journey through the healthcare ecosystem especially with the evolving threat landscape requires deep understanding of devices that are, not only essential to care, but are also ancillary to the operations of the organization. This is a critical step to assure data security as well as identify potential threat vectors that may be exploited to gain access and establish persistence in an environment. This data can then be used to improve contingency planning by factoring in nuances of clinical workflows, interdepartmental processes and data collaboration needed as part of the care delivery process. We outline steps healthcare organizations can take to manage this effort while implementing evidence-based practices that improve resiliency as well as reducing the attack surface.

Patient Data Confidentiality

Hospital systems face the challenge of not only securing devices and services, but also to ensure patient safety and data confidentiality. People will be worried about what data has been compromised. In the US, most personal data regulations are packaged in the Health Insurance Portability and Accountability Act (HIPAA). Throughout Europe, any data that is related to a person’s physical or mental health is considered personal and protected data under GDPR. As we have seen with the Vastaamo breach at the end of last year, bad actors won’t hesitate to release sensitive data to the public – in this case even threatening individual patients to pay a bitcoin ransom.

Post incident questions will need to be asked about why the HSE was so vulnerable to this attack. Cybersecurity, cyber-risk and ensuring your medical devices are not compromised is top of mind for all healthcare providers. In this case the HSE had not adequately secured its core-systems, and this has left the entire nation’s healthcare network exposed to bad actors and criminal gangs like the aforementioned gang DarkSide.

Armis for Healthcare

At Armis, we are committed to helping our healthcare customers realize the vision where information security is an organic extension of the clinical risk management process. While the attack at HSE is still being investigated, here are some common healthcare security approaches where the Armis platform can make the difference: 

Network segmentation
Many healthcare organizations are using some form of network segmentation to isolate critical equipment from other IT, OT, IoT and medical systems. But for network segmentation to succeed, what is needed is complete visibility to all devices on the network and their security posture, along with the ability to apply automated enforcement of network segmentation based on policy. 

Armis is purpose-built to discover, identify, and profile every device in your environment and is ideal for medical device security initiatives. We discover devices with a passive, agentless approach, so there is nothing to install on devices, and no risk to disrupting a critical device (infusion pump, heart monitor, MRI machine, etc.)

Equally important, we not only identify and classify medical devices, but we track their behavior over time, so we have context of what a device is, how it should be behaving, and if it is behaving suspiciously or maliciously.

With complete visibility of all devices on the network, as well as full context about their behavior & security posture, the Armis platform can apply automated enforcement of network segmentation based on policy.

Vulnerability Management
Defining a relative risk score and priorities within a healthcare environment needs to extend beyond the traditional IT workflows and architectures, as healthcare environments include devices ranging from 30 year old lab monitoring equipment all the way to the latest imaging hardware. 

The Armis platform allows a smooth transition away from the legacy approach by adding vulnerability management innovations that take into account: network behavior, baselined device behavioral telemetry, communication methodology and others. Our whitepaper Vaccinating Vulnerabilities for Medical Devices offers a deeper view on how organizations can avoid pitfalls of traditional vulnerability management processes as they innovate their Health IT practices for the future.

If you’d like to see a short demo of how the Armis platform can help you address your Medical Device Security, please click here.