Irish Health IT remain shut down following ‘significant ransomware attack’

Health IT services in the Republic of Ireland have remained switched off following a “significant ransomware attack”.

The Health Service Executive, which provides public health and social care services to everyone living in Ireland, tweeted on 14 May to say it had shut down all of its IT systems as a “precaution” and to “protect” health systems from the attack.

On May 16, EHealth Ireland tweeted an update to say “HSE IT Teams are working to map out what systems can be brought back online in a safe way”.

Update: HSE IT Teams are working to map out what systems can be brought back online in a safe way. Progress is being made on the foundational HSE IT infrastructure. This will take time. Please continue to leave all your systems switched off until further notice @HSELive

— Technology and Transformation HSE (@eHealthIreland) May 16, 2021

HSE have confirmed that vaccinations would not be affected and would go ahead “as planned” while another confirmed that Ireland’s National Ambulance Service is operating as normal. It has also told staff not to turn on their work PC or laptop.

There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.

— HSE Ireland (@HSELive) May 14, 2021

An update, published by the Irish National Cyber Security Centre (NCSC) on May 16, said it was first “made aware of potential suspicious activity” on Ireland’s Department of Health (DoH) network on May 13.

“Preliminary investigations indicated suspected presence of cobalt strike Beacon, which is a remote access tool,” the update adds.

“Cobalt strike is often used by malicious actors in order to move laterally within an environment prior to execution of a ransomware payload.”

The update adds that at 7am on 14 May “the NCSC was made aware of a significant incident affecting HSE systems” and “initial reports indicated a human-operated ‘Conti’ ransomware attack that had severely disabled a number of systems”.

NHS Digital defines Conti as a “an advanced ransomware tool that uses a unique encryption routine to identify and encrypt files incredibly quickly” and can affect all types of Microsoft Window versions.

Also on May 14, “malicious cyber activity” detected on Ireland’s DoH network, however “due to a combination of anti-virus software and the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped”.

This led to HSE making the decision to shut down all its IT systems as a precaution.

“There are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans,” NCSC’s update adds.

HSE has set up a page which provides updates to services and appointments including Covid-19 vaccination appointments.

“Most healthcare appointments will go ahead as planned but x-ray appointments are severely affected,” the page states.