
Ireland Health Service ‘Compromised Two Months Before Attack’

Ireland’s Health Service Executive (HSE) failed to respond to warning signs that hackers had compromised its IT systems weeks ahead of a crippling cyber-attack in May, a report has found.

The attackers gained initial access to the HSE’s systems on 18 March, when a staff member opened a malicious spreadsheet attached to a phishing message, the study by PricewaterhouseCoopers (PwC) found.

They then spent the next two months examining the service’s IT systems and stealing sensitive medical files before launching the ransomware attack on 14 May.

No investigation was launched, in spite of multiple warning signs, including a message from the service’s antivirus operator the day before the attack.

Warning signs

“There were several detections of the attacker’s activity prior to May 14 but these did not result in a cyber security incident and investigation initiated by the HSE,” the report said. “As a result, opportunities to prevent the successful detonation of the ransomware were missed.”

The attack locked the service’s IT systems, requiring staff to revert to pen and paper and resulting in the cancellation of thousands of appointments, including critical surgeries and scans.

A GP received a phone call from a consultant surgeon asking for the location of a patient due for surgery, when that person had already been operated on, the report found.

While the HSE quickly mobilised a response and brought in the Irish Defence Forces to help, this was hampered by the lack of contingency planning for such a loss of systems.

“The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event,” the report said.

Recovery

On 20 May, for reasons not entirely clear, but perhaps seeing the scale of the disruption, the hackers released a decryption key, allowing the service to begin restoring its systems.

Even with the key, however, it took until late September for the IT systems to fully resume services.

“Without the decryption key, it is unknown whether systems could have been recovered fully, or how long it would have taken to recover systems from back-ups, but it is highly likely that the recovery timeframe would have been considerably longer,” PwC found.

It said “transformational change” is required and that systems remain vulnerable to even more serious attacks in the future.

‘Could have been worse’

Indeed, the May attack could have been far worse if data had been destroyed or Covid-19 vaccination systems or specific medical devices disabled, the report said.

“The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations,” said HSE chairman Ciaran Devane.

“We are in the process of putting in place appropriate and sustainable structures and enhanced security measures.”

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
