
Ireland Health Service ‘Compromised Two Months Before Attack’

Ireland’s Health Service Executive (HSE) failed to respond to warning signs that hackers had compromised its IT systems weeks ahead of a crippling cyber-attack in May, a report has found.

The attackers gained initial access to the HSE’s systems on 18 March, when a staff member opened a malicious spreadsheet attached to a phishing message, the study by PricewaterhouseCoopers (PwC) found.

They then spent the next two months examining the service’s IT systems and stealing sensitive medical files before launching the ransomware attack on 14 May.

No investigation was launched, in spite of multiple warning signs, including a message from the service’s antivirus operator the day before the attack.

Warning signs

“There were several detections of the attacker’s activity prior to May 14 but these did not result in a cyber security incident and investigation initiated by the HSE,” the report said. “As a result, opportunities to prevent the successful detonation of the ransomware were missed.”

The attack locked the service’s IT systems, requiring staff to revert to pen and paper and resulting in the cancellation of thousands of appointments, including critical surgeries and scans.

A GP received a phone call from a consultant surgeon asking for the location of a patient due for surgery, when that person had already been operated on, the report found.

While the HSE quickly mobilised a response and brought in the Irish Defence Forces to help, this was hampered by the lack of contingency planning for such a loss of systems.

“The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event,” the report said.

Recovery

On 20 May, for reasons not entirely clear, but perhaps seeing the scale of the disruption, the hackers released a decryption key, allowing the service to begin restoring its systems.

Even with the key, however, it took until late September for the IT systems to fully resume services.

“Without the decryption key, it is unknown whether systems could have been recovered fully, or how long it would have taken to recover systems from back-ups, but it is highly likely that the recovery timeframe would have been considerably longer,” PwC found.

It said “transformational change” is required and that systems remain vulnerable to even more serious attacks in the future.

‘Could have been worse’

Indeed, the May attack could have been far worse if data had been destroyed or Covid-19 vaccination systems or specific medical devices disabled, the report said.

“The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations,” said HSE chairman Ciaran Devane.

“We are in the process of putting in place appropriate and sustainable structures and enhanced security measures.”

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
