Cyberattack Updates: Alaska Health Dept, Scripps' Recovery, Ireland HSE

As ransomware continues to disrupt the healthcare sector on a global level, a number of providers are facing ongoing outages, while a vendor is creating a decryptor for Ireland HSE.

In the last week, an FBI alert and a Check Point report reiterated what many in the healthcare sector have known for some time: Ransomware threat actors are consistently targeting and successfully exploiting providers and causing ongoing outages from a range of cyberattacks.

Check Point data shows healthcare remains the key target for ransomware hacking groups, with a steady rise in attacks across a host of global sectors. Specifically, the FBI recently warned that the nefarious Conti group has healthcare in its crosshairs, with 16 victims in the last year.

Alaska DHSS Website Attack

In the last month, several providers have been driven into EHR downtime procedures and some are continuing to face ongoing outages and disruptions to patient care. The latest victim appears to be the Alaska Department of Health and Social Services, which was hit by a malware attack.

On May 17, a malware attack hit the DHSS website, and the IT team took it offline to investigate. Other sites were also taken offline during the incident, including the public website, Behavioral Health and Substance Abuse Management System, the background check system, the system for schools to report vaccine data, vital statistics system, and a host of others.

Fortunately, the state’s COVID-19 vaccine appointment scheduling and data dashboards remain online as they’re hosted by outside sources.

Officials said they’re continuing to investigate the incident with support of law enforcement and relevant authorities. For now, it’s unclear if the attack is related to any other recent security incidents, or just how long the sites will remain offline.

“I am grateful to our Information Technology staff for the long hours they have already put in to work through this cyberattack and for everyone at DHSS who is making sure our programs and services have not been halted,” said Commissioner Adam Crum, in a statement.

“Unfortunately, this type of malicious attack is part of the cost of conducting any kind of business online as there are constant threats from people worldwide trying to infiltrate IT systems,” he added. “I want to assure Alaskans that our department is doing everything possible to get our website back up and running safely and to understand the scope of the attack, its impacts, and how to prevent this from happening in the future.”

Scripps Health Makes Progress on Recovery

As of at least May 21, Scripps Health has brought some of its systems back online after a ransomware attack. Its website, which had been down for the duration of the attack, is back online and includes some details on the cyberattack.

As previously reported, the attack hit late on Saturday night or early Sunday morning on May 1, causing network outages and EHR downtime at some clinics and two out of four hospitals.

In the days following the attack, some previously scheduled appointments were rescheduled and all four hospitals were placed on emergency care diversion for stroke and heart attack patients. Clinicians leveraged paper records for patient visits, as telemetry was affected at most sites during the attack.

The update shows Scripps is continuing to see delays and care disruptions with its radiology and imaging departments.

“We are working closely with our network partner, Imaging Healthcare Specialists to support imaging appointments for patients for any cancelled exams, or with any new imaging needs,” officials explained. “IHS is owned by Scripps Health, and was unaffected by the network outage.”

Scripps also previously partnered with Quest Diagnostics and LabCorp to support its laboratory services, while the team continues to restore its systems. Officials continue to stress that all patients should come in for needed care, as the care team is relying on previously established backup processes.

The update shows all emergency departments, urgent care sites, HealthExpress, clinics, and hospitals remain open and accepting patients. Those patients whose appointments were cancelled will be contacted at a later date to reschedule.

Further, the update shows that Scripps has been working with outside consultants throughout the investigation and recovery efforts. 

“The investigation into the scope of the incident, including whether data was potentially affected, remains ongoing. Depending on the investigation’s findings, we will be sure to provide notifications to affected individuals in accordance with all applicable laws,” officials concluded.

Ireland HSE Attack

In the week following the initial attack on Ireland Health Service Executive, the Conti ransomware threat actors offered to provide a decryptor to unlock its systems. However, HSE officials said the tool was flawed and raised several concerns, according to local news outlet Irish Times.

Instead, the HSE will use a decryption tool provided by the security firm Emsisoft, which may reduce the time it will take to recover the impacted systems. The tool will extract the decryptor provided by Conti actors and place it into a package tailored to the entity by Emsisoft.

The health system has also received support from Ireland’s Faculty of Radiologists, which offered examination workstations for the country’s radiology departments in light of the continued outages.

The HSE, the health system for the entire country, has been steadily working to recover its systems after a significant ransomware attack caused major IT issues across the Ireland East Hospital Group.

Patients were told to expect delays and to check with the provider before visiting care sites, as they’re extremely busy. Those without serious symptoms were asked to consider their care options before heading to emergency care services, in light of the delays and outages.

The HSE has been readily transparent with updates on the attack. The latest insights show radiotherapy, outpatient, endoscopy, elective, and day surgery appointments remain canceled at some hospital sites.

Patients are also being asked to check ahead of their appointments in light of continued cancelations to appointments at multiple care sites and hospitals. The health system has also cancelled appointments for blood tests and outpatient radiology.

The health system has also warned that scammers are contacting patients, pretending to be HSE representatives to obtain banking information. Another report showed that Conti, in true form, allegedly stole the data from the HSE ahead of deploying the ransomware.

“It is taking us longer to manage your care because many systems we use, including emails, are not working. Thank you for your support, patience and understanding,” officials wrote on May 24.

New Zealand Hospitals

Several New Zealand hospitals are continuing to operate under EHR downtime procedures, following last week’s ransomware attack. Officials say the computer system remains down and many elective surgeries are being canceled, according to local news outlet NZME.

In fact, the cyberattack has forced the hospitals to rebuild the IT system. Fortunately, officials estimate that just 20 percent of surgeries were canceled. The decision was based on how much lab or radiology services would be required to complete the operation.

The cancellations and care disruptions are expected to continue throughout the week.

As noted, the ransomware attack was launched last weekend and caused phone lines and computers to crash across the country. All clinical and IT systems were impacted, except the email systems. Patient notes are also inaccessible, and providers are unable to send X-ray images between departments.

All providers are using pen and paper for patient visits, while patients are being urged not to visit the emergency departments unless it’s a life-threatening condition. Those patients are being diverted to other care clinics.

The hospitals are working with an outside cybersecurity firm on their investigation and recovery efforts. And officials have repeatedly stressed they will not pay the attackers.

As a reminder, Emsisoft has previously offered to help healthcare providers with ransomware recovery amid the COVID-19 pandemic. Healthcare entities should also review guidance on ransomware prevention, detection, and response from DHS CISA and NIST.
