Irish healthcare system struggling to recover from cyberattack

Ireland’s healthcare system struggled Tuesday to restore computers and treat patients, four days after it shut down its entire information technology system in response to a ransomware attack.

Thousands of diagnostic appointments, cancer treatment clinics and surgeries have been canceled or delayed since Friday’s cyberattack. Authorities said hundreds of people were assigned to get crippled systems back online, but it could be weeks before the public health service will return to normal.

Prime Minister Micheál Martin said the attack was a “heinous” one that targeted patients and “the Irish public.” Colm Henry, chief clinical officer of Ireland’s publicly funded healthcare system, the Health Service Executive, said the intrusion was having “a profound impact on our ability to deliver care,” and the disruptions would undoubtedly “mount in the coming days and weeks.”

More than 2,000 patient-facing IT systems were affected, and 80,000 devices were linked to such systems throughout the health service, Henry told Irish broadcaster RTE. Authorities are prioritizing the recovery of systems involved in patient diagnostics, such as radiology, radiotherapy and maternity and newborn services.

“That’s what our experts are focusing on this week, with external help, to ensure those services are not reliant on manual exchange of information,” he said.

Ransomware attacks are typically carried out by criminal hackers who scramble data, paralyzing victims’ networks, and demand a large payment to decrypt the information. Irish officials say a ransom was demanded, but they will not pay it.

Conti, a Russian-speaking ransomware group, was demanding $20 million, according to the ransom negotiation page on its darknet site, viewed by the Associated Press. The gang threatened Monday to “start publishing and selling your private information very soon” if it did not receive the money.

“The government will not be paying any money,” Justice Minister Heather Humphreys told RTE. “We will not be blackmailed.”

The Irish Assn. for Emergency Medicine urged people not to turn up at hospital emergency rooms unless they have a genuinely urgent need. The association said electronic ordering of blood tests, X-rays and scans was unavailable, and clinicians had no access to previous X-rays or scan results. Many hospital telephone systems were not working because they are carried on computer networks, it added. The attack has also shut down the system used to pay healthcare workers.

Patients have expressed frustration at the attack, describing it as another torment thrown into the already difficult struggle accessing healthcare during the COVID-19 pandemic.

Eimear Cregg, 38, a primary-school teacher who is receiving treatment for breast cancer, had her radiation therapy briefly postponed while doctors sought to restore her records so they could treat her properly.

“This is a very cruel thing to do to vulnerable people,” Cregg told the Associated Press. “We’re fighting every day as it is, and this was just another curveball that wasn’t needed.”

The Health Service Executive said in a statement late Monday that there were “serious concerns about the implications for patient care arising from the very limited access to diagnostics, lab services and historical patient records.”

The health service said it was working to assess and restore its computer systems.

The Ireland attack comes as ransomware gangs persist in identifying “big game” targets in search of lucrative payouts and data that can help them identify new victims — and even determine the amount of cyber-insurance coverage they carry.

Operations of four Asian affiliates of the Paris-based insurance company AXA — in Thailand, Malaysia, Hong Kong and the Philippines — were hit in recent days by ransomware attacks. The attackers claimed to have stolen 3 terabytes of data, including medical records, customer IDs and privileged communications with hospitals and doctors. The hackers threatened to leak documents within 10 days if AXA does not pay an unspecified ransom.

AXA said this month that it would stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals, saying the practice encourages such attacks.

In a new case, ransomware took down IT systems across five hospitals south of Auckland, New Zealand, forcing staff to cancel some elective surgeries and preventing doctors from accessing clinical records, authorities said.

Ransomware attacks have surged in the past year, though there may be a dip following the worst attack to date on U.S. critical infrastructure. A nearly weeklong shutdown of the Colonial Pipeline, which supplies the East Coast with 45% of its petroleum products, led President Biden to vow retaliation.

That prompted the moderator of one of the most popular darknet criminal forums, XSS, to disavow ransomware syndicates and to ban them from recruiting and conducting other business on the forum. But experts say it’s typical for criminals to lay low when scrutiny from law enforcement becomes acute.

Ransomware reached epidemic levels last year as the criminals, who enjoy safe harbor in former Soviet states, increasingly turned to “double extortion,” stealing sensitive data before activating the encryption software that paralyzes networks — and threatening to dump it online if they don’t get paid.