Q&A: How did the HSE miss warning signs that could have prevented the cyberattack?

Picture caption: The report recommends that the HSE should appoint a single senior leader for cybersecurity and develop a unified strategy. Picture: iStock (file)

Almost seven months after hackers crippled its computer servers leading to the cancellation of thousands of operations, a report has finally given an insight into how and why the attack was allowed to happen.

When did the cyberattack start?

March 18 was when the Conti ransomware criminal gang, based in Russia, first got into a HSE computer. The gang sent a phishing email appearing to be a regular work email, with an attached Excel file containing hidden malicious software, to a HSE address. When this file was clicked open by a staff member, it gave the criminals access to the networks.

They then spent eight weeks accessing systems, compromising “a significant number of accounts”, even reaching voluntary hospitals. They had a lot to play with as there are 4,891 servers and 83,000 end users working with 70,000 devices including historic networks dating back before the HSE was amalgamated in its current form.
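The initial access described above came through an Excel attachment carrying hidden malicious code. The usual vehicle for that in an Excel file is a VBA macro, and a mail gateway can spot one without opening the workbook: modern .xlsx/.xlsm files are ZIP containers, and a macro-enabled workbook stores its VBA project as the part xl/vbaProject.bin. The following is an added example written for this article, not code from the HSE, the report, or any gateway product; it assumes a simplified policy (hold anything with a VBA part, and hold legacy OLE2 .xls files because inspecting them needs a full OLE parser) and builds its sample attachments in memory.

```python
"""Classify Office attachments by content, never by file extension.

Added example, not from the article or the HSE report. Modern Excel files
are ZIP containers; a macro-enabled workbook keeps its VBA project at
xl/vbaProject.bin. Legacy .xls files are OLE2 compound documents with an
8-byte magic header and are held for review here rather than parsed.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
ZIP_MAGIC = b"PK"                                  # OOXML (.xlsx/.xlsm) container
VBA_PART_SUFFIX = "vbaproject.bin"                 # compared case-insensitively


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml_macro', 'ooxml_clean', 'ole2_legacy' or 'not_office'.

    The attachment's filename is deliberately not consulted: the sender
    controls the extension, so only the bytes are trusted.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2_legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not_office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not_office"
    # Every OOXML package carries this part; a plain ZIP does not.
    if "[content_types].xml" not in names:
        return "not_office"
    if any(n.endswith(VBA_PART_SUFFIX) for n in names):
        return "ooxml_macro"
    return "ooxml_clean"


def should_hold(data: bytes) -> bool:
    """Hypothetical gateway policy: hold macro-bearing or legacy OLE2 files."""
    return classify_attachment(data) in {"ooxml_macro", "ole2_legacy"}


def build_workbook(with_macro: bool) -> bytes:
    """Construct a minimal OOXML workbook in memory (sample input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Constructed stub standing in for a real VBA project part.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-stub\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.xlsx (macro inside)": build_workbook(with_macro=True),
        "invoice.xlsx (clean)": build_workbook(with_macro=False),
        "report.xls (legacy)": OLE2_MAGIC + b"\x00" * 16,
        "notes.txt": b"plain text",
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_attachment(blob)}, hold={should_hold(blob)}")
```

The point of the check is that a macro-enabled workbook renamed to .xlsx still contains the VBA part, so content inspection catches what an extension allow-list misses.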

Did anyone spot this?

Unfortunately, although some hospitals flagged concerns, these were not acted on, and nor were they reported to the gardaí or cybersecurity agencies.

On March 31, antivirus software on the first workstation detected two ransomware tools, Cobalt Strike and Mimikatz, but it was set to “monitor mode” only, so it did not block them.

On May 7, these tools were identified on six servers but no action was taken.

On May 10, one hospital’s antivirus system detected these tools but failed to quarantine them. Staff asked another hospital for suggestions but were advised the risk was low.

The report describes this lack of action as “not sufficient” and says there were just 15 cybersecurity staff across the HSE.

When did the HSE know?

The gang launched their actual attack at 1am on May 14, encrypting vast swathes of data and executing the Conti ransomware.

By 10am, the HSE was switching off networks, disconnecting email, closing down patient databanks and even the vital National Integrated Medical Imaging System (Nimis) for radiology images.

The report says the reaction was delayed by the lack of offline data backups, with many HSE staff even having to hear about the problem from the media.

How did this affect patients?

Thousands of operations were cancelled as hospitals lost access to patient files. Laboratories backed up as they could not share results. The HSE has said it is hard to quantify the impact as waiting list figures were already so high, now nearing 1m people. However, the head of the HSE, Paul Reid, has said no deaths have been notified as directly linked to the cyberattack.

What did the report recommend?

A “single accountable senior leader” is needed to drive reform. The 12 other recommendations include a board with a mix of HSE and outside specialists to develop a strategy, instead of running ad hoc individual projects, and a multi-year programme of reform that includes staff training.

The HSE has been warned that over 50% of hacking victims are hit again, but a belated effort to close down problems and fund cybersecurity is under way.

The report urges “very significant investment on an immediate and sustained basis”.
