Irish media reports that the country’s healthcare system will need to spend more than $48 million to recover from a widespread ransomware attack by the Conti Group that took place last year.
In a letter obtained by TEN, Health Service Executive acting chief information officer Fran Thompson said costs associated with the ransomware attack include $14.2 million for ICT infrastructure, $6.1 million to pay for external cybersecurity assistance, $17.1 million for vendor support, and $9.4 million for Office 365.
The letter was sent to Aontú party leader Peadar Tóibín, and Thompson noted that they expected the final cost to be over $100 million. This $100 million does not include the costs associated with implementing the recommendations conveyed in PWC’s detailed report on the attack.
Conti attacked Ireland’s Health Service Executive in May 2021, causing weeks of disruption to hospitals across the country. The country refused to pay the $20 million ransom.
According to TEN and the BBC, dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down and the country spent weeks trying to get its health information system back online. The newspaper reported that 85,000 computers were shut down once the attack was noticed, and cybersecurity teams scanned the 2,000 different computer systems one by one.
Irish Foreign Minister Simon Coveney called it a “very serious attack”, while Irish Minister of State Ossian Smyth said it was “probably the most important cybercrime attack against the Irish State”.
Emergency services were still operating, but many radiology appointments were cancelled, according to a government statement. There were delays in reporting COVID-19 test results as well as delays in issuing birth, death or marriage certificates. Pediatric wards, maternity wards and outpatient appointments in some hospitals were all affected by the attack, according to the newspaper.
Dublin’s Rotunda Hospital, the National Maternity Hospital, St Columcille’s Hospital, Children’s Health Ireland (CHI) at Crumlin Hospital and the UL Group of Hospitals all reported varying levels of IT outages.
Health Minister Stephen Donnelly added that the HSE’s payment system had been destroyed by the attack. The 146,000 people working in the health sector were facing full payment issues.
Ransomware experts have said that while the numbers seem large, ransomware recovery is an incredibly complex process. Emsisoft threat analyst Brett Callow said recovery costs can be extraordinarily high, as evidenced by the situation facing Scripps Health.
“After a ransomware attack in May 2021, Scripps Health estimated its losses for the third quarter of this year at $112.7 million. It should be noted that some of the costs associated with the incidents are actually catch-up expenses, as organizations fix the weaknesses that allowed the attack to succeed,” Callow said.
“In other words, they are paying off their security debt. Also, the costs don’t necessarily include resolving the incident. Loss of trust, lost opportunities and class action lawsuits can all have an ongoing impact.”
Allan Liska, ransomware expert at Recorded Future, noted that major US municipalities have also had to spend millions to recover from ransomware attacks. Baltimore, Atlanta and other cities had to spend millions recovering from ransomware.
Although the numbers seen in Ireland were high, Liska said they accurately reflected how devastating and thorough the attack against the HSE was. They also showed that the HSE is serious not only about recovering, but also about improving its security in the future.
“That 100 million number likely reflects not just recovery, but the implementation of new security protocols, adding new capabilities and erasing what is likely years of technical debt that had accumulated. Most organizations don’t do this during a recovery, they do part of it. You almost have to, but they can’t afford to implement everything they need to fully protect their organizations,” Liska said.
“I think people are amazed at how much recovering from a ransomware attack can really cost. When Baltimore was hit by a ransomware attack, recovery costs were estimated at $18 million. Atlanta spent $17 million to recover. Ransomware recovery is expensive, we (the public) just don’t see the true costs most of the time.”