Opinion: What Happens if The HSE Cyber Attack Data is Leaked?
The following article was written by Jenny Darmody .
This piece originally appeared in Silicon republic and the views expressed are not necessarily those of EMS but rather that of SR.
Data stolen from the HSE cyberattack could be leaked online from today (24 May). Here’s what you need to know.
The Irish Government said there is a “real risk” that patient data stolen from the recent cyberattack on the Irish Health Service Executive (HSE) will be abused by cybercriminals.
The attack involved malware known as Conti, which is designed to be operated by hackers themselves rather than an automated process.
Conti is known as ‘double-extortion’ ransomware, meaning that as well as holding access to systems to ransom, the malware might also steal information stored on the system. Hackers can then threaten to release this information online if a payment is not made.
The Government said work to identify the extent of any data taken is ongoing. “The theft and disclosure of medical data would be a particularly despicable crime because it involves sensitive, personal information. Any public release of this data would be illegal,” the statement said.
Last week, the Financial Times reported that hackers had started leaking personal data online and have reportedly demanded an almost $20m ransom for the stolen data.
While the Government have repeatedly stated that no ransom would be paid, the cybercriminals had given a deadline of today (24 May) before they would start leaking data online.
Why does leaked health data matter?
While some may already be concerned about their private medical history being leaked online, others may question what use the data is or why it could be so dangerous in the hands of cybercriminals.
Speaking to Jenny Darmody, IT security expert Brian Honan said the biggest concern is that the data could fall into the hands of other criminals who can use the data to target individuals.
“This could be either for scams relating to their health data or using the data from the HSE breach with data from other breaches to create a fuller profile of individuals, therefore making scam emails or calls much more convincing to the potential victims,” he said. “There is also the heightened risk that this additional information could lead to identity theft.”
The targeting of health data has been an upward trend for cybercriminals for a number of years now. According to the HIPAA Journal, more than 3,700 data breaches of 500 or more records have been reported to the US Department of Health and Human Services between 2009 and 2020.
“Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records”, the report said, which equates to almost 82pc of the US population.
Additionally, a 2019 report from cybersecurity company Carbon Black found that personal health data is three times more valuable to hackers than credit card information.
This is because our health data is hard coded within us and can never change. Additionally, not only can it be used to appear more convincing in scam emails or in identity theft, Honan said it can also be used to blackmail individuals who may be getting or had treatment for an embarrassing ailment.
What should people do to stay safe?
With the heightened risk of identity theft and scams, Honan said people should be very wary about unsolicited contact from anyone claiming to be from healthcare providers looking for additional information, financial details, requests for payments offers of refunds for treatments.
“If you receive any such approaches, you should contact the health provider directly on contact details you know to be true, not those in the email or message your received, and if the approaches have been fraudulent to contact An Garda Siochana.”
The Government said it urges anyone who has reason to suspect they are victims of the cyberattack to make a report to their local Garda station or through the 24-hour Garda confidential line on 1800 666 111.
What about the decryption tool?
While the Irish Government and HSE is braced for the potential leaking of data, work to restore the HSE’s IT systems is ongoing.
Last Thursday (20 May) a decryption tool believed to be from the cybercriminals who carried out the attack was made available.
A statement from the HSE yesterday said a “structured and controlled deployment” of the decryption tool is ongoing.
“Progress continues to be made in some hospitals on restoring IT systems and some sites (at a local site level only) now have access to radiology, laboratories and their patient administration systems. But this is uneven across the country and levels of disruption this week are expected to be similar to those of last week.”
Honan said there could be several reasons why the cybercriminals released the tool despite alleged plans to release the stolen data.
“My own opinion is that they realised the HSE was not going to pay the ransom and were focusing on recovering the systems manually. This meant the criminals knew they had no leverage anymore with the HSE on the encrypted data and releasing the decryption key would put the focus on the extortion threat regarding the public release of the data,” he said.
“By releasing the decryption key, the criminals may also hope the HSE would be better able to identify what data the criminals stole and therefore strengthen their case for getting paid not to release that data.”