May 14 hacking left computer systems paralysed for weeks and led to mass cancellation of vital surgeries and scans
The HSE failed to respond to several alerts about malicious activity in its computer system before it was crippled by an unsophisticated cyber attack last May, a damning report revealed today.
The ransomware attack on May 14 left computer systems across most of the health service paralysed for weeks and led to mass cancellation of patient procedures including vital surgeries and scans.
The report, commissioned by the HSE board, revealed the attackers entered the system as far back as March 18, injecting a malware infection after someone opened a malicious Microsoft Excel file that was attached to a phishing email sent to the user two days previously.
The criminal managed to gain unauthorised access to the HSE's IT environment and continued to operate in its system for the next eight weeks, compromising and abusing a significant number of accounts with high levels of privileges.
The report found "there were several detections of the attacker's activity prior to May 14 but these did not result in a cyber security incident and investigation initiated by the HSE. As a result, opportunities to prevent the successful detonation of the ransomware were missed".
Asked today if the cyber attack could have been entirely prevented if the alerts were heeded, HSE chief executive Paul Reid said: “It’s hard to say ‘entirely prevented’ because we do not know how they may have navigated separately.
"But the simple thing to say is we did not have the significant response to the alert that we could have. It's impossible to say if we could have killed it all but it was a risk that we did not address to the significant level that should have been."
An unnamed hospital and the Department of Health proactively prevented an attack on their networks.
The alerts came from two hospitals while the HSE's antivirus security operator emailed the HSE highlighting unhandled threat events the day before the attack.
The report found the health service was operating on a frail IT system, which had evolved rather than being designed for resilience and security.
The design, which was aimed at making it easy for staff to access IT applications, exposed the HSE to the risk of cyber attacks from other organisations.
"This network architecture, coupled with a complex and unmapped set of permissions for systems administrators to access systems, enabled the attacker to access a multitude of systems across many organisations and create the large-scale impact that they did.
"The parts of the health service that were arguably best-equipped to maintain clinical services in the face of prolonged IT outages were those that rely on paper records for patient services."
The report, carried out by PWC, found that based on the forensic examination of the attacker’s activity, they used "relatively well-known techniques and software to execute their attack".
The HSE has a very low level of “cyber security maturity”.
The IT environment did not have many of the cyber security controls that are most effective at detecting and preventing human-operated ransomware attacks. The HSE had not done contingency planning for a cyber attack or a complete loss of infrastructure.
Mr Reid said today the HSE has already made urgent changes to protect the organisation against a similar future attack.
It has embarked on implementing recommendations in the report and has begun engagements with the Department of Health with a view to agreeing a multi-year ICT and cyber security transformation programme.
The review found that overall there was a lack of structures and processes in place to deal with the incident.
However, the HSE was in a position to draw from prior learnings and processes used in dealing with crisis situations, such as during the Covid pandemic, to help manage the situation.
Mr Reid said: “We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area.
“The HSE has implemented a number of high-level security solutions to address issues raised in the report. These include a range of new cyber-security controls, monitoring and threat intelligence measures based on best international expert advice.”
It said the HSE will need development investment for a remediation plan which will require funding and be well resourced. Its operating budget next year will rise to €140m and its capital budget to €130m. But it will need significant investment to implement the recommendations.
The report makes a series of recommendations, including the appointment of a Chief Technology and Transformation Officer.
It also calls on the HSE to:
- Enhance our ICT Strategy and multi-year technology plan in line with Cyber recommendations
- Develop a significant investment plan
- Transformation of a legacy IT estate
- Build cyber security and resilience into IT architecture
- Resource a skilled cyber function
- Develop and implement a cyber-security transformation programme