Report reveals hackers got into 'frail' IT system two months before HSE took action


The external report states the gang were able to move through the system with “relative ease” using “well-known and simple attack techniques”. File picture: iStock

Cyberhackers first accessed the “frail” HSE computer system as early as March 18 but despite alerts flagged about suspicious activity no action was taken until the gang demanded a ransom on May 14.

Although thousands of patients were affected when operations and procedures were cancelled around the country, it is believed no deaths were directly attributed to the crisis.

An external report into the devastating cyberattack shows the Russian-based Conti crime gang sent a malicious Excel file attached to a phishing email to a user at an ordinary patient workstation. Clicking on the file allowed the gang full access to the system, ultimately leading to “accounts with high levels of privileges”.

Worryingly, however, the report states that “several detections” of the gang’s activity were made during this eight-week period but they were not investigated. It states the gang were able to move with “relative ease” through the system using “well-known and simple attack techniques”.

It is understood that while the suspicious activity was noticed, it was not reported to the Gardaí or to the National Cyber Security Centre. An alert was sent just hours before the ransom demand referring to "unhandled threat events". 

The report refers to a “low-level of cybersecurity maturity” across the system and describes the security as “frail” across numerous areas. 

Among the serious cyber-weaknesses highlighted in the report, carried out by PricewaterhouseCoopers, were:

  • reliance was placed on a single antivirus which was not monitored or effectively maintained 
  • no security monitoring able to detect and respond to alerts 
  • a lack of effective updates or bug fixes across the IT estate 
  • no single person responsible for cybersecurity at senior level, described as “highly unusual” for an organisation of this size 
  • since 2018 the chief information officer has worked on an interim basis with “limited practical mandate, authority and resources” 
  • just 15 cybersecurity staff who “did not possess the expertise and experience” needed 

The report is critical in a number of places of the limited staffing numbers dedicated to such a sprawling computer network, and the lack of central leadership on this.

The network includes 4,000 locations with 4,891 servers and 83,000 end-users operating across over 70,000 devices between hospitals, community services and external health providers linked to the HSE. The differences between these are highlighted in the report when it says that one hospital was able to "proactively prevent" the attack, as was the Department of Health. 

The HSE has previously said they allocated €100m between this year and next year to tackle the immediate problems.

The report indicates that a “multi-year technology transformation” is needed and makes a series of specific recommendations.

It refers to an upgrade of the imaging and radiology system NIMIS, which was badly affected during the cyberattack, leading to a significant impact on cancer patients. It is believed the HSE do not see that the reliance of this system on Windows 7 was a factor in the attack.

It is understood that the HSE is preparing a business plan to send to the Department of Health and request urgent changes to funding over the next number of years.

The service plan for 2022 includes operational expenditure of €43 million, and capital funding of €62 million to be focused on IT security.

However, over the five years between 2016 and 2020 the full expenditure was just €110m.

Key recommendations:

ICT / Cyber governance 

  • Board and Executive level working groups to drive continuous assessment of cybersecurity 

Technology and Transformation 

  • Appoint a Chief Technology and Transformation Officer 
  • Enhance our ICT Strategy and multi-year technology plan in line with Cyber recommendations 
  • Develop a significant investment plan 
  • Transformation of a legacy IT estate 
  • Build cybersecurity and resilience into IT architecture 

Cyber-security 

  • Appoint a Chief Information Security Officer and resource a skilled cyber function 
  • Develop and implement a cyber-security transformation programme 

Clinical and services continuity 

  • Establish clinical and services transformation programme 
  • Build on HSE risk, incident, crisis and business continuity processes 
  • Establish Operational Policy + Resilience Steering Committee 
  • Enhance crisis management capabilities
