Almost seven months after hackers crippled the HSE's computer servers, leading to the cancellation of thousands of operations, a report has finally given an insight into how and why the attack was allowed to happen.
The Conti ransomware gang, a criminal group based in Russia, first got into a HSE computer on March 18. The gang sent a phishing email, made to look like routine work correspondence, to a HSE address with an attached Excel file carrying hidden malicious software. When a staff member opened the file, it gave the criminals a foothold on the network.
They then spent eight weeks moving through systems, compromising "a significant number of accounts" and even reaching voluntary hospitals. They had a large estate to work through: 4,891 servers and 83,000 end users working with 70,000 devices, including legacy networks dating back to before the HSE was amalgamated in its current form.
Unfortunately, although some hospitals flagged concerns, these were not acted on, nor were they reported to the gardaí or cybersecurity agencies.
On March 31, antivirus software on the first workstation detected two attacker tools: Cobalt Strike, a commercial penetration-testing and command-and-control framework widely abused by ransomware gangs, and Mimikatz, a credential-stealing tool. Neither is ransomware itself; both are the tooling used to spread through a network before ransomware is deployed. The antivirus software was set to "monitor mode" only, so it logged the detections without blocking them.
On May 7, the same tools were identified on six servers, but no action was taken.
On May 10, one hospital's antivirus system detected the tools but failed to quarantine them. Staff asked another hospital for suggestions but were advised the risk was low.
The report describes this lack of action as “not sufficient” and says there were just 15 cybersecurity staff across the HSE.
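The pattern in those three dates, detections that were logged but never blocked or escalated, is the check a defender would want to automate. The following is an added example, not code from the report or the HSE: a small Python triage routine that parses constructed antivirus alert lines (the log format, field names and hostnames are assumptions, and the dates only loosely follow the sequence in the article), discards anything the engine actually blocked, and escalates when unblocked hits on post-exploitation tooling such as Cobalt Strike or Mimikatz appear, most urgently when they span several hosts.

```python
"""Triage antivirus alerts that fired but were not blocked.

Added example, not from the report or the HSE: the log format, field names
and hostnames are assumptions, and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (hypothetical hostnames). The dates loosely follow
# the sequence in the article, a workstation first and servers weeks later,
# but these are not real log records.
SAMPLE_ALERTS = """\
2021-03-31T09:12:44 host=WS-0417 threat=HackTool.CobaltStrike action=monitor
2021-03-31T09:12:45 host=WS-0417 threat=HackTool.Mimikatz action=monitor
2021-04-02T14:03:10 host=WS-1190 threat=Adware.Generic action=quarantine
2021-05-07T02:20:01 host=SRV-DB-03 threat=HackTool.CobaltStrike action=monitor
2021-05-07T02:21:37 host=SRV-FILE-01 threat=HackTool.Mimikatz action=monitor
2021-05-07T02:25:09 host=SRV-AD-02 threat=HackTool.CobaltStrike action=monitor
2021-05-10T11:40:52 host=HOSP-WS-221 threat=HackTool.Mimikatz action=detected
2021-05-10T11:41:03 host=HOSP-WS-221 threat=Trojan.Generic action=quarantine
"""

# Tool families that signal hands-on-keyboard intrusion rather than commodity
# malware: an unblocked hit on these is an incident, not a low-priority ticket.
POST_EXPLOITATION_TOOLS = ("cobaltstrike", "mimikatz")

# Actions meaning the engine actually stopped the threat. Anything else
# ("monitor", "detected", "logged", "allowed") means it only wrote a log line.
BLOCKING_ACTIONS = {"quarantine", "quarantined", "block", "blocked",
                    "delete", "deleted", "clean", "cleaned"}


def parse_alert(line):
    """Parse one 'timestamp key=value ...' line; return None if malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        record = {"time": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    if not all(field in record for field in ("host", "threat", "action")):
        return None
    return record


def is_post_exploitation(threat_name):
    """True if the signature names a known post-exploitation tool family."""
    name = threat_name.lower()
    return any(tool in name for tool in POST_EXPLOITATION_TOOLS)


def triage(text):
    """Summarise alerts that fired without a blocking action and rate the risk."""
    unblocked = []
    hosts_by_tool = defaultdict(set)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["action"].lower() in BLOCKING_ACTIONS:
            continue  # blocked threats are a ticket; they are not the gap here
        unblocked.append(alert)
        if is_post_exploitation(alert["threat"]):
            hosts_by_tool[alert["threat"]].add(alert["host"])

    affected_hosts = set().union(*hosts_by_tool.values())
    tool_times = [a["time"] for a in unblocked if is_post_exploitation(a["threat"])]
    # Dwell time between the first and latest unblocked tooling detection:
    # weeks here means the intruder has had free run of the estate.
    dwell_days = (max(tool_times) - min(tool_times)).days if tool_times else 0

    # The same tooling on more than one host means lateral movement is under way.
    if len(affected_hosts) > 1:
        severity = "critical"
    elif affected_hosts:
        severity = "high"
    else:
        severity = "none"
    return {
        "unblocked_alerts": len(unblocked),
        "affected_hosts": sorted(affected_hosts),
        "hosts_by_tool": {tool: sorted(hosts) for tool, hosts in hosts_by_tool.items()},
        "dwell_days": dwell_days,
        "severity": severity,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the routine rates the situation "critical" with a 40-day dwell time, because post-exploitation tooling was logged unblocked on five hosts. The logic is deliberately simple; the point is that a "monitor" or "detected" action on this class of signature should be routed to an incident queue rather than left in the antivirus console.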
The gang launched the attack proper at 1am on May 14, executing the Conti ransomware and encrypting vast swathes of data.
By 10am, the HSE was switching off networks, disconnecting email, shutting down patient databanks and even the vital National Integrated Medical Imaging System (Nimis) for radiology images.
The report says the response and recovery were slowed by the lack of offline data backups, and communication was so poor that many HSE staff first heard about the problem from the media.
Thousands of operations were cancelled as hospitals lost access to patient files, and laboratory work backed up because results could not be shared. The HSE has said the impact is hard to quantify because waiting list figures were already so high, now nearing 1m people. However, the head of the HSE, Paul Reid, has said no deaths have been notified as directly linked to the cyberattack.
The report says a "single accountable senior leader" is needed to drive reform. Its 12 other recommendations include a board with a mix of HSE and outside specialists to develop a strategy, instead of running ad-hoc individual projects, and a multi-year programme of reform that includes staff training.
The HSE has been warned that over 50% of hacking victims are hit again, but a belated effort to close down the problems and fund cybersecurity is under way.
The report urges “very significant investment on an immediate and sustained basis”.