10th Dec 2021

Hackers had access to HSE system two months before cyber attack

Stephen Porzio

A report has found that the HSE is operating on a “frail IT estate”.

A new report has discovered that the hackers who attacked the Health Service Executive of Ireland’s IT system in May had access to it eight weeks in advance.

Commissioned by the HSE and prepared by PwC, the report states that the cyber attack originated from a malicious software infection on a HSE workstation on 18 March.

The infection was the result of the user of the workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent two days prior.

“After gaining unauthorised access to the HSE’s IT environment on 18 March 2021, the attacker continued to operate in the environment over an eight-week period until the detonation of the Conti ransomware on 14 May, 2021,” the report says.

The cyber attack was not identified and contained until after the detonation of the Conti ransomware.

According to the report, the HSE is operating on a “frail IT estate” that has lacked, over many years, the investment required to maintain a secure, resilient, modern IT infrastructure.

“It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organisations face today,” it said.

“It does not have sufficient subject matter expertise, resources or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale.

“There were several missed opportunities to detect malicious activity, prior to the detonation phase of the ransomware.”

The report also stated that the low level of cybersecurity maturity, combined with the frailty of the IT estate, enabled the hackers to achieve their objectives with “relative ease”.

They were able to use “well-known and simple attack techniques” to move around the National Healthcare Network, extract data and deploy ransomware software over large parts of the estate, without detection.

However, the report did add that a recurring theme observed throughout the post-incident review was the “dedication and effort observed at all levels during the response to the incident”.

Staff across the HSE, impacted hospitals and community healthcare organisations were described as going “above and beyond” the call of duty.

“This illustrates that, in times of significant challenge or emergencies, staff in the health services are resilient, respond quickly, and have an ability to implement actions and workarounds to maintain even a basic continuity of service to their patients,” it said.

The report also outlined a number of key recommendations to the HSE, including the appointment of a Chief Technology and Transformation Officer and Chief Information Security Officer and the building of cybersecurity and resilience into its IT architecture.

In a statement accompanying the report, the HSE said it has already made urgent changes to protect the organisation against a similar future attack.

“[The HSE] has embarked on implementing recommendations in the report and has begun engagements with the Department of Health with a view to agreeing a multi-year ICT and cybersecurity transformation programme,” the health service stated.

You can find the full report on the HSE’s website here.
