Abstract
This teaching case describes the ransomware attack on Ireland’s national health provider, the Health Service Executive (HSE), and how it recovered. The attack disrupted critical healthcare services across more than 50 hospitals and, in retrospect, highlighted significant cybersecurity vulnerabilities. The case provides an in-depth analysis of the events leading up to the attack, the immediate organizational and technical impacts, and the subsequent response and recovery efforts. It explores issues such as incident response, risk management, business continuity, and the broader implications for public health organizations. It provides insights into the complexities of managing cyber threats in a healthcare context and the importance of robust cybersecurity preparedness. This case is designed for both undergraduate and postgraduate students in courses related to information security, cybersecurity management, and information systems. Students will be encouraged to evaluate the HSE’s preparedness, response strategies, and long-term recovery plans, and to develop recommendations for enhancing cybersecurity resilience in similar organizations.
Introduction
Due to the increasing number and severity of cyberattacks, health systems have become top targets for cyber threats. In May 2021, the Health Service Executive (HSE) in Ireland, the body responsible for delivering public health and social care services, experienced a Conti cyberattack (PricewaterhouseCoopers (PwC), 2021; Health Service Executive National Quality & Patient Safety Directorate & Office of the Chief Clinical Officer, 2022), leading to widespread disruption of healthcare services (Health Service Executive National Quality & Patient Safety Directorate & Office of the Chief Clinical Officer, 2022). Despite having various cybersecurity measures in place, the HSE’s systems were compromised, highlighting the continually evolving nature of cyber threats and the need for robust security practices that keep pace.
Ireland has a public healthcare system involving centralized and peripheral technological systems spanning numerous dispersed hospitals, each offering general healthcare services to the public, in addition to specializations in particular hospitals for services such as cancer care, heart problems, pediatrics, and rehabilitation. The set of hospitals is overseen by a centralized governance and provision structure, the HSE, funded by the Irish Government through sovereign tax-based income. Operationally, the HSE comprises over 130,000 staff, spread across its 54 hospitals, and its overall purpose is to run the Irish public health services (see https://www.hse.ie). More detail on the HSE is provided in the following section.
With cyber threats manifesting as both increasingly sophisticated and frequent, cybersecurity has fast become a major priority for all organizations and is especially important within the healthcare sector due to the sensitivity of personal data and the critical nature of the services provided. The integrity, security, reliability, and availability of not only information systems and underlying data but also internet-connected medical devices and other critical infrastructure in healthcare all form part of a web of technologies, systems, and usage patterns inherent in healthcare provision. Security of data, access, and systems should ensure the confidentiality of patient information, the continuous delivery of services, and the proper functioning of life-saving technologies, ultimately safeguarding the safety and well-being of patients whose lives depend on them.
This teaching case delves into the events leading up to the attack, the immediate and broader impacts on HSE’s operations, and the response and recovery efforts that followed. It provides an opportunity to explore key topics such as incident response, risk management, business continuity, and the importance of a strong cybersecurity posture.
Background
A brief history of Ireland’s health service provision
Ireland’s Health Service Executive (HSE) was established on January 1, 2005, following the enactment of its 2004 Health Act. This landmark legislation represented a major reform of the country’s healthcare system, aimed at improving the efficiency, effectiveness, and accessibility of public health and personal social services.
The primary goal in creating the HSE was to establish a single, national body responsible for the provision of a comprehensive range of health and social care services throughout the Republic of Ireland, a country with a population of five million, and whose closest geographical neighbor is the United Kingdom (UK). This involved the consolidation of 11 regional health boards, which had previously been responsible for healthcare delivery at the local level. In addition to the health boards, the HSE also absorbed a range of other health agencies and services, including the National Disease Surveillance Centre, the Health Promotion Unit, and the National Drug Strategy Team.
The integration of these diverse entities into a single organization was a complex undertaking that required significant planning and coordination. The HSE worked to ensure a smooth transition of services and minimize disruption for patients and healthcare professionals. The organization also implemented a range of measures to promote collaboration and communication among its various divisions and departments.
The HSE’s centralized structure allowed for the development of national policies and strategies in areas such as healthcare planning, service delivery, and quality improvement. It also facilitated the sharing of resources and expertise across different regions of the country. Further, the HSE played a key role in coordinating Ireland’s response to public health emergencies, such as the 2009 H1N1 influenza pandemic.
HSE’s remit
The HSE has sole responsibility across Ireland for overseeing public health and social services. Its mission focuses on safe, compassionate, and effective care. Guided by values of care, compassion, trust, and learning, the HSE ensures evidence-based care, respectful interactions, transparency, and ongoing improvement (Health Service Executive (HSE), 2024b), while using resources efficiently. The HSE delivers health and social care services through its National Service Delivery Divisions, which include Acute Hospitals, Social Care, Mental Health, Primary Care, Health and Wellbeing, and the National Ambulance Service (Citizens Information, 2024). Acute hospitals are grouped into categories (Hospital Groups), streamlining resources and care across inpatient, emergency, maternity, outpatient, and diagnostic services (PricewaterhouseCoopers (PwC), 2021; Health Service Executive (HSE), 2024a). According to the HSE’s Accountability Framework, the Chief Executive of each Hospital Group reports to the National Director for Acute Services and is responsible for the planning and performance of their Hospital Group. Further, its Social Care Division aids those with illness or disability to live independently, either directly or through funded agencies. Mental Health services are provided through inpatient centers and community teams, including child and adolescent mental health, adult mental health, and specialized services like the National Forensic Mental Health Service. Primary Care addresses most healthcare needs outside hospitals, primarily through GPs and community healthcare services. Community healthcare services are delivered through nine geographically organized Community Healthcare Organizations (CHOs). These CHOs operate independently but offer services on behalf of the HSE. They manage their own IT teams and infrastructure while also leveraging the national IT framework (PricewaterhouseCoopers (PwC), 2021). 
Finally, the Health and Wellbeing Division focuses on public health initiatives, health protection, child health services, national screening programs, health promotion, environmental health, and emergency management (Citizens Information, 2024). As such, the HSE’s span is national, exhaustive and extensive, and is largely a distributed entity composed of its constituent Hospital Groups and other medically specific units, geographically dispersed and locally managed.
While the HSE’s establishment brought about significant changes to Ireland’s healthcare system, it has also faced various challenges over the years. These challenges have included financial constraints, workforce shortages, the need to balance competing demands for resources, and increasing demand for services due to an aging population and rising chronic disease rates. Indeed, through 2020 and 2021, COVID-19 posed additional hurdles, and the UK’s 2016 decision to depart from the EU (Brexit) injected further operational difficulties from 2020 onwards in efforts to coordinate health provision with Ireland’s neighbor. Despite these challenges, the HSE has remained committed to its mission of providing high-quality, accessible healthcare services to the people of Ireland and has made significant progress in areas such as cancer care, mental health services, and the integration of primary and community care. The HSE continues to play a central role in the Irish healthcare system, providing a wide range of services, including hospital care, GP services, mental health services, disability services, and health promotion programs.
Challenges preceding a 2021 cyberattack
In 2021, the HSE faced significant challenges due to COVID-19, requiring swift action to manage the public health crisis. Ireland’s National Service Plan 2021 focused on maintaining essential healthcare services and implemented comprehensive response measures, including testing, contact tracing, and vaccination programs (Health Service Executive (HSE), 2021). Additionally, because Ireland has a contiguous land-border with the United Kingdom, and much of its supply chain and medical standards align, Ireland’s HSE was navigating many complexities associated with Brexit, focusing on ensuring service continuity, managing cross-border healthcare, addressing workforce issues, and securing medicine supplies while maintaining GDPR compliance (Health Service Executive (HSE), 2021). The HSE was also prioritizing eHealth and Health Information Systems as critical enablers for healthcare reform. Significant funding facilitated new initiatives, including an integrated IT system for COVID-19 vaccination management and expanding the Integrated Information Service (IIS) to enhance data-driven decision-making (Health Service Executive (HSE), 2021). Further, through 2020 and 2021, the Irish Government, like many worldwide, had suffered massive drops in incoming taxation due to COVID lockdowns, restricted industrial activity, and the reactive necessities of the COVID pandemic in its throes: “normal” strategic planning was on pause across many areas, and in particular, funds and effort were channeled into pandemic-necessary activities. Issues such as cybersecurity, IT modernization, or related non-essential investment were at a minimum, slowed, or deprioritized across the peak of pandemic lockdowns. The cyberattack arrived in the middle of this flux.
HSE’s IT infrastructure
Similar to healthcare providers worldwide, the HSE depends significantly on its IT infrastructure to provide comprehensive healthcare services. This system supports various functions, such as managing patient records, administrative tasks, clinical care, and communication networks. In healthcare, data can be very sensitive, containing patient records, medical assessments, prognoses, and diagnoses, in addition to comprehensive identity-related data.
The Office of the Chief Information Officer (OoCIO) manages this extensive decentralized IT, which includes over 4500 servers, 70,000 end-user devices, and around 1000 applications, with a team of about 350 IT professionals. Across Ireland, the HSE operates a wide network of over 4000 locations, 54 acute hospitals, and numerous community healthcare organizations, all of which heavily rely on technology to deliver seamless care. This extensive infrastructure is crucial for effectively delivering health and social services to over 130,000 staff members engaged in various healthcare activities. A central component of this infrastructure is the National Healthcare Network (NHN), which provides connectivity and facilitates the delivery of essential health services. Although the NHN simplifies access for staff, its “flat” network design increases the risk of cyberattacks, as hackers can move freely within the network once access is gained. This design makes the system vulnerable to attacks not only within the HSE but also from other connected organizations. The HSE’s IT environment includes many outdated systems, with nearly one-third of servers being old or on extended support. Additionally, over 30,000 unsupported Windows 7 workstations contribute to a low cybersecurity maturity rating. Notably, the HSE lacked a Chief Information Security Officer (CISO) and a Security Operations Centre, both essential for effective cybersecurity management.
Warning signals
Across the narrow Irish Sea that separates Ireland from mainland UK, there were warning flashes. Hackers were brazenly attacking even socially critical services such as healthcare and hospitals. A 2017 ransomware attack on the UK’s National Health Service (NHS) that targeted PCs running Windows turned into a significant cyber incident that caused widespread disruption to healthcare services across that country. The 2017 NHS cyberattack was caused by a ransomware strain called WannaCry, a more virulent version of Eternal Blue, a malware once developed by the US NSA (National Security Agency) to thwart rogue actors. This malicious software exploited a vulnerability in older Microsoft Windows operating systems, encrypting files and demanding a ransom for their release.
The impact on the UK’s NHS was significant, with major disruption to hospitals and GP surgeries, with thousands of appointments and operations canceled or delayed. Emergency patients had to be diverted to other hospitals, and some critical care services were affected. Around the same time, China had reported similar attacks on some of its hospitals.
The attack cost the NHS an estimated GBP £92 million in lost output and IT recovery costs, and the incident damaged the NHS’s reputation and raised concerns about its cybersecurity preparedness.
The NHS and other UK agencies rushed to contain the damage. NHS and cybersecurity experts worked quickly to contain the attack and prevent it from spreading further, as a massive recovery effort was launched to restore systems and services, with the assistance of international partners and a thorough investigation by the National Cyber Security Centre (NCSC) and other law enforcement agencies. The NHS subsequently implemented a series of measures to strengthen its cybersecurity defenses, including improved patching processes and staff training.
The 2017 WannaCry attack served as a wake-up call for the NHS and other organizations worldwide. It highlighted the need for robust cybersecurity measures, proactive threat detection, and incident response planning. The incident also underscored the importance of international collaboration in combating cyber threats.
In Ireland, the HSE reported that it would take precautionary measures based on the occurrence in the UK, strengthening its cyber-preparedness: measures included notification to staff not to open suspicious emails and removal of external access to the HSE’s networks (The Irish Times, 2017).
Attack!
Prologue … May 2021: How an email started it all
The HSE cyberattack on 14 May 2021 marked one of the most devastating ransomware attacks on a healthcare system in history (Health Service Executive National Quality & Patient Safety Directorate & Office of the Chief Clinical Officer, 2022). However, the root of this incident stretched back several months, highlighting a series of missed warnings and ignored phishing attempts. The initial successful breach occurred on 18 March 2021, when an HSE staff member, on a workstation later referred to as “Patient Zero” (the term refers to the staff member’s workstation as the first to be infected, perhaps a somewhat confusing term considering hospitals too have patients), opened a malicious Microsoft Excel attachment from a phishing email. This event, whilst pivotal, was preceded by a series of phishing attempts targeted at the HSE, starting as early as November 2020 (PricewaterhouseCoopers (PwC), 2021; Coughlan Helen, 2022; Leo Camacho, 2022).
Despite the frequent phishing emails, the HSE’s defences failed to prevent the malware infection. Between 14 December 2020 and 9 February 2021, the user of “Patient Zero” was targeted with similar phishing emails on four occasions, yet no successful infection was detected until 18 March. The attackers, identified as UNC2633, managed to bypass initial defences, allowing the malware to establish a foothold in the HSE’s IT environment. The failure to recognize and mitigate these early phishing attempts set the stage for the catastrophic breach that followed (PricewaterhouseCoopers (PwC), 2021).
Phishing remains one of the most effective techniques for cyber attackers due to its reliance on human error. The emails often impersonate trusted figures or institutions, urging recipients to open attachments or click on links that appear legitimate (Datta and Acton, 2023). In this case, the attackers’ persistence paid off when the malicious Excel document was opened, initiating the malware infection.
The initial breach and persistence mechanisms
By 18 March, 2021, Conti malware had successfully infected the initial workstation, “Patient Zero.” By March 23, the attackers had established a persistence mechanism on the compromised workstation, ensuring ongoing access even if the system was rebooted or powered down. In the subsequent weeks, the attackers stayed relatively low-profile, gathering information and progressively compromising more systems within the HSE. On March 31, the HSE’s antivirus software identified the execution of known malicious tools Cobalt Strike and Mimikatz on “Patient Zero” (Leo, 2022). However, since the antivirus software was in monitor mode, it did not block the malicious activity, allowing the attackers to proceed with minimal obstruction. For attackers, persistence mechanisms are crucial as they maintain access to the compromised network despite any interruptions. By installing backdoors and other tools, the attackers reinforced their foothold in the HSE’s IT infrastructure, preparing for further exploitation.
Escalation and widespread compromise
From 1 April to 6 May, 2021, the attackers operated with minimal detection, exploiting vulnerabilities in the HSE’s IT environment. The HSE’s Incident Response provider later discovered that the attackers had compromised 180 systems and highly privileged accounts across eight constituent hospitals and 19 domains. Their activities included deploying backdoors, performing domain reconnaissance, and compromising additional systems. By May 7, the attackers had escalated their activities, installing additional malware and using highly privileged accounts to move laterally within the network. Over the next few days, the number of compromised systems increased rapidly, with the attackers gaining access to several more hospitals.
On May 11, the malware continued to move laterally, compromising a computer in a hospital through an unpatched vulnerability. The hospital computer’s antivirus detected and removed the malware. On May 12, the malware was found in yet another hospital, browsing folders, creating archives, and accessing file-sharing sites across many more hospitals. The HSE’s cybersecurity provider alerted the Security Operations team, who confirmed server scans. On May 13, the attackers’ activities were further identified within the HSE, with unhandled threats reported on at least 16 systems since May 7. The Security Operations team instructed the Server team to restart the affected servers. By mid-May, the tentacles of the malware spread had become all too apparent.
Despite these alarming signs, the HSE’s defences remained largely ineffective in containing the breach, and restarting servers achieved little. After securing initial access, the attackers had moved cautiously, avoiding detection while gradually expanding their malicious control over the network. The use of highly privileged accounts allowed them to escalate their privileges and gain deeper access to critical systems, and shared network drives and folders provided ripe avenues for lateral movement from hospital to hospital, and across the Hospital Groups. By this time, the malware had pervaded the HSE, but other than reproducing, mapping the HSE network, and planting malicious files and executables, the malware had yet to reveal its true purpose.
The day of the attack: 14 May 2021
On 14 May, 2021, the attackers executed the malware, Conti ransomware, marking the peak of the attack on the HSE’s IT environment. The attack began around 01:00 a.m., encrypting thousands of systems. By 02:50 a.m., the HSE’s national service desk started receiving outage reports from various hospitals. The widespread encryption of servers and workstations soon became clear, severely disrupting healthcare services.
By 04:41 a.m., the HSE detected malicious encryption on several servers in its data center and initiated its Critical Incident Process. At 05:10 a.m., a critical incident call was convened with network and infrastructure experts, leading to the decision to disconnect all internal and external connections to contain the threat. This action, though necessary, severely hampered the HSE’s communication capabilities, necessitating the use of analogue phones and fax machines. By 06:00 a.m., the CEO had informed the HSE Board of the incident, and by 07:00 a.m., the incident was reported by RTÉ News (Ireland’s largest media group), bringing it to public attention. Shortly afterward, the CEO notified the Executive Management Team and the National Crisis Management Team (NCMT).
Nature of the attack
The HSE attack used Conti ransomware, a sophisticated malware developed by the cybercriminal group Wizard Spider (Conor, 2021; Stockley, 2021), and offered under a Ransomware-as-a-Service (RaaS) model to whoever is willing to buy it, as “trusted affiliates” of that cybercriminal group. Wizard Spider, in operation since about 2016, is financially motivated and offers its Conti malware on a fee basis. Prior to the HSE attack, it had a history of successful cyberattacks on a multitude of organizations, including hospitals, and had expertise in a variety of attack methods, approaches, and vectors. Wizard Spider’s “accomplishments” would be convincing to potential “affiliates” considering buying their Conti malware, as the malware package encompassed functionality such as effective lateral movement through infected computer networks using batch scripts to transfer ransomware from machine to machine, establishing persistence through hacking system registries, using macros to execute PowerShell scripts to move laterally, creating administrator accounts and escalating user privileges on infected computers, data archiving and secure exfiltration to untraceable remote servers, and far more. These were the very activities and traits highly valued when intending to attack a healthcare provider.
Two “trusted affiliate” groups were involved in the HSE attack, leveraging the Conti malware: the first group, UNC2633, handled the initial breach and reconnaissance; and the second group, UNC2727, was responsible for deploying the ransomware. This division is not unusual in high-profile attacks, with one team gaining access and the other maximizing impact through ransomware deployment and extortion (PricewaterhouseCoopers (PwC), 2021).
In such attacks, attackers often exploit human and process vulnerabilities to gain initial access. This typically involves sending targeted phishing emails to lure victims into revealing their login credentials or clicking on malicious links. Once these credentials are obtained, attackers can easily penetrate multiple systems by exploiting default usernames and passwords that are often left unchanged by users (Datta and Acton, 2023).
Noted for its rapid encryption capabilities, leveraging multiple CPU threads simultaneously, the Conti ransomware uses tools like the Windows Restart Manager to shut down applications and encrypt files, enhancing its disruptive potential. Typically, this ransomware is manually deployed within compromised networks using tools such as RDP, PsExec, Mimikatz, and Cobalt Strike, allowing attackers to move laterally and execute the ransomware on all active endpoints. As mentioned earlier, in the case of the HSE, the initial breach on 18 March, 2021 occurred through a phishing email containing a malware-infected Excel file, and on 31 March, 2021, the HSE’s antivirus software detected the execution of Cobalt Strike and Mimikatz on the “Patient Zero” workstation. In retrospect, these were some of the hallmarks of Conti ransomware activity, and they could perhaps have heralded what was to come later in May as a full-fledged ransomware “lockdown.”
The coordinated efforts of UNC2633 and UNC2727 highlight the complexity and sophistication of the attack. There were two core dangers: first, the encryption of care-critical servers, databases, and user accounts across the entire HSE network; second, the possible exfiltration of data and the possibility that sensitive data could be offered for sale or repurposed on the dark web. The attackers, using the Conti ransomware functionality, not only encrypted files but also exfiltrated data, threatening to leak these data, adding a layer of pressure to pay a ransom (Conor, 2021; PricewaterhouseCoopers (PwC), 2021; Stockley, 2021).
Response and recovery
In the immediate hours and days after the execution of the ransomware, the HSE called in several third-party cybersecurity experts and organizations, such as the National Cyber Security Centre (NCSC), Garda National Cyber Crime Bureau, Interpol, and various Incident Response teams. Despite the extensive damage, the Irish Government and HSE chose not to pay the ransom, following a policy against negotiating with cybercriminals to prevent funding further illegal activities (PricewaterhouseCoopers (PwC), 2021; Leo, 2022). Efforts throughout the day were focused on containing the breach and starting the recovery process. By 4:30 p.m., the HSE’s Incident Response team began deploying endpoint security monitoring software to gain insights into the compromised systems and start a forensic investigation. This initiated a lengthy and challenging recovery journey.
Post-attack coordination
An extensive and coordinated response was essential to minimize damage and restore services. The attack had crippled the Irish healthcare system, disrupting crucial IT infrastructure and patient services. Paul Reid, CEO of the HSE, in a media briefing described the attack as “stomach churning,” highlighting its significant impact on the healthcare system and the pressing need for an immediate response (Nicole and Adam, 2021).
One day after the attack, on 15 May, 2021, HSE senior management took over a third-party office to centralize their response and recovery efforts. They established initial workstreams for efficient incident handling. The HSE’s Data Protection Officer notified the Data Protection Commission about the breach, and support was provided to hospitals to assess the compromise. Clean Microsoft 365 mailboxes were issued to senior leadership for secure communication, and a dedicated mailbox was set up to manage ransomware-related issues (PricewaterhouseCoopers (PwC), 2021; Leo, 2022). Between May 17 and 21, incident management meetings commenced involving all key responders. The Office of the Chief Information Officer (OoCIO) established a twice-daily meeting routine. These meetings aimed to facilitate information sharing and implement new processes towards recovery (PricewaterhouseCoopers (PwC), 2021; Leo, 2022). These included the following (State Claims Agency, n.d.; PricewaterhouseCoopers (PwC), 2021; Leo, 2022):
• identifying and reprioritizing priority applications based on clinical needs,
• recovering the Active Directory (AD) domain,
• distributing clean laptops to selected persons to use emails for crisis communications,
• monitoring patient information leaks online,
• establishing a Legal and Data workstream to support data protection investigation,
• confirming Clinical Indemnity Scheme coverage for healthcare professionals, and
• implementing health monitoring and staff rotas to address staff burnout.
Communication and negotiation with hackers
The attackers initially contacted the HSE with a ransom note on infected systems, directing them to a Tor-based contact page. Introducing themselves as “businessmen,” they demanded €19,999,000 (Conor, 2021; Nicole and Adam, 2021) and threatened to publish or sell the stolen data if the ransom was not paid. The HSE refused to negotiate or pay the ransom, focusing instead on alternative recovery methods. On 20 May, 2021, less than 1 week after the malware execution, the attackers surprisingly provided a decryption key without requesting payment. After verifying its authenticity, the HSE’s Incident Response team began decrypting all locked computers. Despite this, the ransom demand remained, focusing on threats to release patient information (Abrams, 2021a, 2021b, Conor, 2021; PricewaterhouseCoopers (PwC), 2021; Leo, 2022). On the same day, the High Court of Ireland issued an injunction to prevent the attackers from publishing, selling, or sharing any of the stolen data (Horgan-Jones and Wall, 2022).
Epilogue … recovery efforts
The decryption tool significantly accelerated the restoration of affected systems, enabling the HSE to resume operations more efficiently. The recovery phase officially began on 22 May, 2021, focusing on decrypting systems, cleansing workstations, restoring systems, and recovering applications.
Within the first month, nearly half of the servers were decrypted, along with the restoration of many Acute, Community Services, and business applications. By 2 months, almost all servers and a majority of applications were restored. By the end of the third month, all servers and most applications were fully operational. By 21 September, 2021, the HSE had recovered 100% of all servers, and 1075 out of 1087 applications, thanks to the coordinated efforts of staff, IT teams, cybersecurity experts, the government, and various external organizations (Helen, 2022).
The fate of the exfiltrated data remained elusive. Media attention had turned elsewhere, now that the HSE seemed to be back up and running. No ransom was paid.
Key issues
Governance and organizational issues
Leadership
The HSE’s cybersecurity was critically undermined by the absence of a senior cybersecurity leader, a dedicated committee, and a centralized function to manage risks and conduct monitoring (Bhosale et al., 2021). This lack of leadership resulted in limited scenario planning, unclear risk understanding, and the absence of a comprehensive cybersecurity strategy and plan. Additionally, during the incident, a senior cybersecurity specialist was working on COVID-19 vaccination security, highlighting resource insufficiencies for critical cybersecurity activities. Resources were elsewhere, with primacy of attention on COVID-19 and ensuring operational efficacies. The crisis revealed gaps in decision-making authority between the HSE, hospitals, and CHOs. During the immediacy of the malware execution, the OoCIO instructed everyone to power down systems and wait for further instructions without considering the unique situations of individual hospitals. Moreover, the HSE’s lack of a unified plan for clinical and services continuity led to inconsistent and ineffective responses, with unclear roles and fragmented capabilities. During the attack, the lack of clear decision-making authority and a strategic Crisis Management Plan led to reactive decision-making and initial confusion (PricewaterhouseCoopers (PwC), 2021).
Policy
The HSE faced significant policy shortcomings in several areas. These included the absence of a dedicated cybersecurity forum, which limited the discussion and documentation of cyber risks, delayed the implementation of essential controls, and left cyber risks improperly prioritized (PricewaterhouseCoopers (PwC), 2021; Horgan-Jones and Wall, 2022). Additionally, the HSE lacked comprehensive policies for crisis management training and service continuity exercises. Although emergency exercises for scenarios like extreme weather and infectious diseases were conducted occasionally, there was no unified policy to ensure consistent training for all personnel. Advanced training programs for such scenarios existed in certain regions, but these were not widespread. Policies did not mandate strategic-level exercises for the National Crisis Management Team, nor were there provisions for multi-team crisis simulations to address critical infrastructure failures. Local entities carried out emergency exercises, but these were not standardized or aligned with best practices (PricewaterhouseCoopers (PwC), 2021). Further, although the HSE had policies for reviewing incidents and learning from them, these were not consistently followed. For example, lessons from major events like COVID-19 were not fully applied.
Finally, there was no documented HSE Crisis Communications Plan in place, which led to fragmented communication across hospitals and CHOs. As a result, during the attack, the team relied mostly on past experience rather than formal policies.
People, technical, and IT infrastructure issues
Behaviors, security controls, and monitoring
A post-event investigation by external consultants PricewaterhouseCoopers [2] into the HSE cyberattack revealed significant security weaknesses within its IT environment. Certain user accounts had excessive access and control, posing security risks. The incidents and timelines leading up to the attack highlighted a lack of effective security monitoring capabilities to detect, investigate, and respond to alerts. Repeated phishing attempts started as early as November 2020, yet the HSE’s defences failed to prevent malware infections. The HSE IT infrastructure lacked modern tools to detect and prevent ransomware and did not have trained security analysts to monitor antivirus alerts and respond to potential threats. This gap in capabilities set the stage for the attack. Moreover, the HSE over-relied on antivirus software, which was not properly configured to block malicious activity on servers and was not monitored 24/7. This overreliance became evident when known malicious tools like Cobalt Strike were detected but not adequately addressed. The attack, which began when the user of the “Patient Zero” workstation opened a malicious document in March, escalated until the ransomware executed in mid-May 2021 (PricewaterhouseCoopers (PwC), 2021).
User behavior, the spark that ignites many cyberattacks, initiated the HSE attack: a phishing attempt was successful, and a malicious file was downloaded. Clearly a people issue, such behaviors tend to stem from inadequate training or knowledge of acceptable use of IT systems, tracing upwards to poor policies, poor implementation of policy, or inadequate knowledge among leadership and management.
Despite many clear warnings, the HSE did not activate its third-party critical incident response service. This failure was due not only to IT infrastructure but also to the lack of cybersecurity expertise and inadequate response procedures and policies, as highlighted earlier.
IT infrastructure and complexity
As is commonplace in large organizations that have evolved over time, and especially prevalent in nationally funded Government services such as healthcare provision and education, technological systems are upgraded piecemeal as budgets ebb and flow. Structures such as the HSE thus become collections of IT artefacts of various vintages and security controls, with varying levels of adherence to evolving security policies. The HSE’s technology had developed in a fragmented manner, resulting in a very complex and vulnerable systemic mix. The presence of many old systems meant that they lacked the latest security updates, making them easier targets for attackers (Bhosale et al., 2021; Stergiopoulos et al., 2020). Additionally, having multiple on-premises email systems complicated the security environment and made it harder for the HSE to implement consistent security measures across the whole system.
The HSE network’s “flat” design and lack of segmentation, along with mutual trust relationships between many Active Directory domains, compounded these vulnerabilities (Horgan-Jones and Wall, 2022). The flat network design increased the risk by allowing attackers who gained access to one part of the network to move laterally across the entire network relatively easily. The lack of segmentation meant that different types of traffic were not separated, making it easier for attackers to navigate and access multiple areas of the network without encountering additional security barriers.
Moreover, mutual trust relationships between many Active Directory domains meant that once an attacker compromised one domain, they could exploit these trust relationships to access resources in other trusted domains, thereby spreading the attack more broadly. Beyond the hospitals and hospital groups themselves, with their computers, servers, and local networks, this setup placed numerous other organizations connected to the NHN within the HSE’s security perimeter, making the HSE’s security boundary extensive and poorly defined. Because the architecture amounted to an open supply chain, this increased the risk of attacks reaching the HSE from connected organizations, and vice versa.
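The lateral spread described above can be estimated before an incident by treating directory trusts as a graph and asking which domains an attacker could reach from any one compromised domain. The following is an added illustration, not part of the case study or of any HSE tooling; the domain names and trusts are constructed and hypothetical, and it contrasts the mutual-trust ("flat") layout with a one-way, need-based layout of the same organizations.

```python
"""Blast-radius estimate over Active Directory trust relationships.
Added illustration; the domain names and trusts below are constructed and
hypothetical, not the HSE's real directory. A trust is 'trusting -> trusted':
accounts from the trusted domain can be granted access to resources in the
trusting domain. Each trust is treated as a full lateral-movement path (the
conservative planning assumption); SID filtering, selective authentication and
transitivity settings, which narrow real trusts, are deliberately ignored."""
from collections import deque

def mutual(a, b):
    """A two-way (mutual) trust is a trust edge in each direction."""
    return [(a, b), (b, a)]

# Estate 1: hub-and-spoke with two-way trusts everywhere (the "flat" design).
FLAT_TRUSTS = (mutual("hub.example", "hospital-a.example")
               + mutual("hub.example", "hospital-b.example")
               + mutual("hub.example", "community-cho.example")
               + mutual("hospital-b.example", "partner-lab.example"))

# Estate 2: same organisations, one-way trusts only where a business need exists:
# the hub lets hospital and CHO accounts use central services, nothing trusts the
# hub back, and the partner lab is trusted only by the hospital it serves.
SEGMENTED_TRUSTS = [("hub.example", "hospital-a.example"),
                    ("hub.example", "hospital-b.example"),
                    ("hub.example", "community-cho.example"),
                    ("hospital-b.example", "partner-lab.example")]

def reachable_domains(trusts, compromised):
    """Domains (other than the start) an attacker holding `compromised` could
    reach by following who-trusts-whom, transitively (breadth-first search)."""
    trusting_of = {}  # trusted domain -> set of domains that trust it
    for trusting, trusted in trusts:
        trusting_of.setdefault(trusted, set()).add(trusting)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in trusting_of.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}

def blast_radius(trusts):
    """How many other domains are exposed if each domain falls; sort by this to
    decide which trusts to remove or convert to one-way first."""
    domains = {d for edge in trusts for d in edge}
    return {d: len(reachable_domains(trusts, d)) for d in sorted(domains)}

if __name__ == "__main__":
    for name, trusts in (("flat", FLAT_TRUSTS), ("segmented", SEGMENTED_TRUSTS)):
        print(name, sorted(reachable_domains(trusts, "partner-lab.example")))
        print(name, blast_radius(trusts))
```

In the flat estate a compromise of the small partner lab exposes every other domain, whereas in the one-way layout the same compromise reaches only the hospital that trusts it and the hub, and a compromise of the hub exposes nothing at all.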
Operational and crisis management issues
Incident response and recovery
The HSE had several issues in response and recovery during the cyberattack (Stergiopoulos et al., 2020; PricewaterhouseCoopers (PwC), 2021). It faced significant challenges due to the lack of a documented cyber incident response plan and the absence of practice exercises, which led to a slow and disorganized response (Bhosale et al., 2021). One major issue was the mishandling of the initial investigation into suspicious activity on 13 May, 2021. The HSE incorrectly concluded that the threat originated from a particular hospital rather than from an external source. Consequently, it did not seek timely external help, which affected its ability to properly investigate and respond to the attack (PricewaterhouseCoopers (PwC), 2021).
The HSE’s reliance on third-party organizations further delayed internal coordination. Additionally, the recovery effort was slowed by the absence of comprehensive application prioritization. Inadequate pre-planning and the lack of centralized information about applications caused inefficiencies, as the HSE had to create and update lists of applications, their owners, and recovery priorities during the crisis. Finally, dependence on specific individuals during the response led to delays and bottlenecks. Key IT staff had extensive responsibilities, limited resources, and no standardized documentation, which reduced the HSE’s response effectiveness.
Crisis coordination and communication
The HSE encountered several significant issues related to crisis coordination and communication during the cyberattack, which severely impacted their response and recovery efforts. First, the lack of integration between management and clinical services continuity within an operational resilience program left the HSE vulnerable to the cyberattack. Siloed work streams prevented a unified strategy against cyber threats, leading to inadequate planning and preparedness (PricewaterhouseCoopers (PwC), 2021). Consequently, identified risks did not translate into improved response capabilities, increasing the organization’s vulnerability. Second, a major problem was that the notification process for staff and stakeholders was ad hoc and lacked formal procedures. This led to inconsistent and incomplete communication during the incident, slowing the timely dissemination of crucial information.
Third, there was a lack of oversight and structure in coordinating and integrating third-party support. This caused inefficiencies such as duplicated data gathering and miscommunication, which diverted attention from crucial response efforts and complicated the effective use of external resources. Fourth, the initial impact assessment was limited due to the lack of an HSE-wide severity matrix, leading to unclear criteria and delays in understanding the incident’s full scope. This complicated the strategic response and delayed critical decision-making.
Finally, at first, the response was driven by technology priorities rather than the core HSE value of patient care. Adopting this value-driven approach earlier may have improved recovery efficiency and reduced the impact on patient care.
Conclusion
The HSE is a large, distributed organization. It was targeted. The cyberattack was successful, in that it penetrated the entire network, locked users out of their systems, and exfiltrated patient data. The attackers failed to receive a ransom, and volunteered a decryption key so that a nation could access its healthcare. The HSE recovered its servers and most of its applications. However, the exfiltrated data remain lost to the dark web. Post-event investigations identified shortcomings in preparedness, proactivity, and reactive stance and action spanning people, processes, and technology. They also identified weaknesses in governance, in particular leadership capability to deal with a cyberattack, and inadequate policy formulation, testing, and implementation. Further issues related to the reactive capability once attacked, with specific weaknesses in communication and crisis coordination across such a large and distributed organization.
This teaching case excludes a discourse on the post-recovery recommendations for changes to governance, behaviors, IT, processes, and communication, leaving it open to the reader to posit proposals or future actions that may strengthen the HSE’s cybersecurity posture, or apply to other healthcare organizations globally. A selection of discussion items is included. For a thorough exposition of recommended HSE cybersecurity changes pursuant to an independent consultancy-led appraisal, see [2]: the recommendations spanned immediate, medium-, and longer-term actions, involving embedding cybersecurity into strategy and operational behaviors. A future review may shed light on the efficacy of the changes implemented.
One lingering issue is why the attackers readily and quickly provided a decryption solution to the HSE: were they being benevolent and having an ethical moment to facilitate healthcare provision to citizens, pre-empting a negative public backlash that would get global headlines, or had they realized that receiving a ransom to decrypt servers was increasingly unlikely? A second question is whether the attackers had any immediate plans for the exfiltrated data, and whether they considered these data to be the valuable haul.
Role-based discussion questions
The initial breach
Assume you are part of the HSE Executive Management Team. What are the immediate steps to contain the breach? How will you communicate with hospital patients, staff, Government, and the public? How might you identify the critical services needing immediate attention?
Crisis management
Assume you are part of an external cybersecurity consultancy engaged to help the HSE. What practices can you recommend for crisis communication? What advice do you have for managing public relations and interacting with the Irish Government’s Minister for Health?
Post-event recovery
Assume you are part of an Incident Response Team (IRT). What steps are being taken by the IRT to recover systems fully? How will you strengthen cybersecurity defenses? Are the suggested changes likely to succeed?
Case-based discussion questions
Q1. What were the primary weaknesses in the HSE’s cybersecurity posture that contributed to the success of the ransomware attack? What did they learn from the 2017 attack in the UK?
Q2. How did the lack of a formal incident response plan impact the HSE’s ability to manage the ransomware attack effectively?
Q3. In what ways did communication failures exacerbate the crisis?
Q4. How can healthcare organizations like the HSE improve their cybersecurity posture to prevent future attacks?
Q5. What might the HSE have done in the absence of a decryption key?
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Statements and Declarations
There are no competing interests, financial or otherwise, that are directly or indirectly related to this work submitted for publication.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
