Ireland's health service has pulled the plug on its IT system after suffering what it described as a "significant ransomware attack on the HSE [Ireland's Health Services] IT systems" early on Friday.
"We apologise for inconvenience caused to patients and to the public and will give further information as it becomes available. Vaccinations not effected are going ahead as planned."
The attack came the day after Ireland's leading healthcare executives were speaking at the HealthTech Ireland Annual Conference on innovation, digital health, and issues like how to "streamline the process of bringing innovative products and services to market rapidly".
"The National Ambulance Service are operating as per normal with no impact on emergency ambulance call handling and dispatch nationally," HSE added.
The incident will inevitably conjure up memories of the 2017 WannaCry attack that affected 80 out of 236 hospital trusts across England, along with 595 out of 7,454 GP practices.
Yet the HSE appears to have acted fast. Equipment within hospitals was based on local infrastructure and not affected, Paul Reid, chief executive of the HSE told RTÉ’s Morning Ireland radio programme.
A system for radiological imaging has been impacted that is used by many of the country's hospitals, the Irish Times reported, however.
Reid said the attack was a “significant” and “human operated” attack, but added "there has been no ransom demand at this stage. The key thing is to contain the issue,” he said.
The UK's NCSC emphasises that "up-to-date backups are the most effective way of recovering from a ransomware attack."
Organisations should do the following.
- "Make regular backups of your most important files check, check that you know how to restore files from the backup, and regularly test that it is working as expected.
- Ensure that backups are kept in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups.
- Make multiple copies of files using different backup solutions: "You shouldn't rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service."
- Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions.
- You should ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible - cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.
- Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities."
Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. MFA should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups, the NCSC advises.
Attribution for the attack was not immediately available.
Most cybercrime organisations now appear to operate under a Ransomware-as-a-Service (RaaS) model. Many have suggested that they will not attack healthcare organisations, but networks of affiliates and customers may have no such qualms.