Ireland’s Health Service Executive ignored warnings its IT systems were hacked for two months before crippling ransomware attack, report finds
The attackers gained initial access to the HSE’s systems on 18 March, when a staff member opened a malicious spreadsheet attached to a phishing message, the study by PricewaterhouseCoopers (PwC) found.
They then spent the next two months examining the service’s IT systems and stealing sensitive medical files before launching the ransomware attack on 14 May.
No investigation was launched, in spite of multiple warning signs, including a message from the service’s antivirus operator the day before the attack.
“There were several detections of the attacker’s activity prior to May 14 but these did not result in a cyber security incident and investigation initiated by the HSE,” the report said. “As a result, opportunities to prevent the successful detonation of the ransonware were missed.”
The attack locked the service’s IT systems, requiring staff to revert to pen and paper and resulting in the cancellation of thousands of appointments, including critical surgeries and scans.
A GP received a phone call from a consultant surgeon asking for the location of a patient due for surgery, when that person had already been operated on, the report found.
While the HSE quickly mobilised a response and brought in the Irish Defence Forces to help, this was hampered by the lack of contingency planning for such a loss of systems.
“The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event,” the report said.
On 20 May, for reasons not entirely clear, but perhaps seeing the scale of the disruption, the hackers released a decryption key, allowing the service to begin restoring its systems.
Even with the key, however, it took until late September for the IT systems to fully resume services.
“Without the decryption key, it is unknown whether systems could have been recovered fully, or how long it would have taken to recover systems from back-ups, but it is highly likely that the recovery timeframe would have been considerably longer,” PwC found.
It said “transformational change” is required and that systems remain vulnerable to even more serious attacks in the future.
‘Could have been worse’
Indeed, the May attack could have been far worse if data had been destroyed or Covid-19 vaccination systems or specific medical devices disabled, the report said.
“The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations,” said HSE chairman Ciaran Devane.
“We are in the process of putting in place appropriate and sustainable structures and enhanced security measures.”