LAST UPDATE | 10 Dec 2021
A NEW REPORT into the HSE cyber attack in May shows that the hackers were in the health service’s computer systems for eight weeks before they initiated the attack.
The report, which was launched this afternoon, gives details on how the HSE were unprepared for a cyber attack, due to the weakness of their IT system and a lack of cybersecurity detection and monitoring.
The cyber attack has cost the HSE approximately €100 million, with half of the cost being incurred in 2021, while the remaining half will be a recurring fee in 2022.
The attack itself saw massive disruption across the country, with usual healthcare operations being curtailed due to IT outages.
Covid-19 measures like testing and contact tracing were hit, with daily case numbers and deaths due to the virus being inaccessible in the immediate aftermath.
Contingency plans were put in place by the health service reverting back to a paper-based system due to the inaccessibility of digital healthcare records.
Organisations like An Garda Síochána, the National Cyber Security Centre, Interpol and the Defence Forces were brought in to assist the HSE in dealing with the attack.
The attackers first sent a malicious email to a single workstation on 16 March, with the email then being opened on 18 March. A malicious Microsoft Office Excel file was downloaded, which allowed the hackers into the HSE’s IT system.
The hackers remained within the HSE IT system for eight weeks, gaining additional levels of access to the system and individual user accounts, before detonating the attack on 14 May.
While the HSE’s antivirus software did detect malicious activity on the workstation on March 31, it was set to monitor mode so was unable to block the activity.
On 13 May, one day before the attack, the HSE’s cybersecurity provider emailed the Security Operation’s team that there had been unhandled threats since 7 May on at least 16 systems. The Security Operations team then had the Server team restart the servers.
The following day the attack was carried out.
The ransomware attack was only detected at the point the attack was carried out, and the IT system was switched off to prevent further damage. Hackers used the Conti ransomware to disrupt the HSE in the attack.
The report identified that the legacy IT system used by the HSE was not resilient enough to cope with a cyber attack, with the system evolving over time and not taking into account resilience to cyber attacks.
Speaking on the RTÉ’s News at One, HSE CEO Paul Reid said that the design of the health service’s network is not strategic but that it came about through the amalgamation of health boards, hospital groups and Community Healthcare Organisastions (CHOs) into the current health service.
“If you look at our network, it’s certainly built over the history of the health service. From health boards to hospital groups, CHO’s and then the HSE establishment itself,” said Reid.
“It’s not a strategic design of a network and you certainly wouldn’t start in this way.
“It’s very fragmented, very siloed, solutions being delivered at each hospital or community area and many, many aspects of our legacy network in place.”
The report identifies the staff of the HSE as being resilient, working quickly to ensure that continuity of services were provided despite the attack.
In a statement on the publication of the report, HSE chairman Ciarán Devane said that the impact of the attack is still being felt by the health service.
“We commissioned this urgent review following the criminal attack on our IT systems which caused enormous disruption to health and social services in Ireland, and whose impact is still being felt every day,” said Devane.
“It is clear that our IT systems and cybersecurity preparedness need major transformation.”
According to Reid, the health service has initiated a number of actions to mitigate future cyber attacks, including new security controls and monitoring.
“We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area,” said Reid.
These immediate actions include a 24-hour monitoring service for HSE IT systems, which is being carried out by an external provider as well as more multi-factor authentication for users.
Recommendations
Following the report, issued by PwC, the HSE have accepted a number of recommendations to improve their cybersecurity measure and to stop further attacks on the health service.
Among them are plans for the development of a new “significant” investment plan and the transformation of legacy IT to have cybersecurity built into the infrastructure.
New roles are also set to be created, with both a Chief Technology and Transformation Officer and a Chief Information Security Officer set to be appointed.
Additional cybersecurity crisis management plans are also being recommended by the report, to ensure that responses to further cyber attacks are managed properly.
There will also be more testing of the HSE’s cybersecurity defences through the use of ‘ethical hackers’, with simulated attacks being carried out on health service IT systems.
“The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations. We are in the process of putting in place appropriate and sustainable structures and enhanced security measures,” said Devane.
According to the report, the investment needed to carry out the recommendations will need to be “very significant” on an immediate and sustained basis. However, there was no estimated cost included within the report.
The HSE has estimated that their IT operating budget for 2022 will increase to €140 million, up from €82 million in 2021. They also expect the capital budget to rise to €130 million, up from €120 million in 2021, which included €25 million for Covid-19 capital spending.
Reid said that the learnings taken from the HSE with the cyber attack would help other government agencies and bodies around the risks posed by cyber criminals and cyber attacks.
To embed this post, copy the code below on your site
have your say