About ten days ago Ireland’s healthcare system was forced to shut down its computers due to a ransomware attack. Ireland’s health minister said the attack was having a severe impact on the health and social services.
In today’s healthcare world, having doctors and hospitals run without computers means no patient charts and a very labor intensive process to take care of emergencies. Many healthcare visits get cancelled.
BBC is reporting that there were actually two separate attacks. Because they have to figure out how deep the hackers burrowed into the network, it will take a while to recover. That will also depend on how good their backups are and how well they have planned for a situation like this. It also depends on how quickly they were able to contain it so that maybe, not every computer was infected.
The system has some 2,000 software applications to rebuild and as of a couple of days ago, some appointments are still being cancelled.
Unlike the Colonial Pipeline company or CNA insurance, Ireland says they are not paying the hackers. That might be an indication that after Not Petya, they started taking security more seriously and have better disaster recovery and business continuity plans.
Just to understand, this is the only safe way to recover from an attack – they are having experts build a completely new, separate network and rebuilding systems on that network. That is a huge amount of work. Some of these systems have been in use since the 1980s, so likely their security model is a bit old.
Could this happen in the U.S.?
Well, probably not, but maybe.
One thing that is different between the U.S. healthcare system and the healthcare system in Ireland is that in Ireland there is basically one healthcare system for the entire country. In the U.S. there are probably millions of separate healthcare systems – from individual doctors, to clinics, to private hospitals to public ones. Each one uses their own healthcare system.
BUT, there are common weaknesses. Many medical facilities have outsourced their systems to one of a few big providers. While these providers likely spend a lot of effort trying to protect their systems, they are a common weakness.
Going back to 2015, Epic, one of those shared health records systems, said that their software contained the records on 54% of Americans and 2.5% of patients worldwide. While they have a lot of competitors and even Epic doesn’t house all of those records in one system, that would be the one place to attack if you wanted to maximize the harm. Likely both Epic and the feds realize this.
So could an attack like what we saw in Ireland happen in the U.S.? It seems that is definitely possible. Hundreds of hospitals in the U.S. have already been hit by ransomware attacks and likely thousands of other medical practices have too – just more quietly.
Unfortunately, this is likely to get worse before it gets better.
What can help is getting better prepared. That is what, likely, allowed Ireland to flip hackers the bird.
It is also, likely, what forced CNA insurance to pay a $40 million ransom. Ransom demands are getting higher, so assume that whatever people paid last year is obsolete this year.
Are you prepared? Or you hoping that you are lucky? Luck is not a strategy.