The Republic of Ireland’s public healthcare system is run by the Health Service Executive (HSE), a statutory body operating under the Department of Health. The HSE has 54 public hospitals under its authority.
On March 18th, 2021, an HSE workstation was infected with malware delivered by a phishing email. The attackers maintained access for eight weeks before detonating Conti ransomware on May 14th, 2021; at the peak of the attack, encryption rendered 80% of the data on HSE systems inaccessible. It was the most significant cyberattack on an Irish state agency and the largest known attack against a health service’s IT infrastructure: roughly 2,800 servers and 3,500 workstations across 15 domains. Recovery took four months, in the middle of the COVID-19 pandemic.
A post-incident report was released in December 2021, which identified several security deficiencies in the HSE. One was that the HSE had no documented cyber incident response plan, so its response to the attack was not truly coordinated. Among the many recommendations were to:
- Appoint a CISO for the HSE
- Establish a policy for resilience for HSE IT
- Establish strategy, structure, governance, oversight, and assurance for IT resilience
Based on the attack and the report, answer the following:
- Briefly comment on the attackers’ threat to leak victims’ sensitive data (double extortion). What preventive controls would counter this threat?
- The document lists seven recommendations from Sophos security researchers for protecting networks against Conti ransomware. The last one is to have an effective incident response plan. Knowing some of the details of this attack, list the five (5) “best practice” procedures you would add to an incident response plan to contain this particular malware.
- What are the three (3) most important controls that could prevent an attack like this in the future?