HSE ‘missed opportunities’ to detect malicious activity before ransomware attack

A laptop screen shows a computer virus warning (Peter Byrne/PA) (PA Media)

A report into the Health Service Executive (HSE) ransomware attack has found there were “several missed opportunities” to detect malicious activity.

An independent review, carried out by PricewaterhouseCoopers, found that the HSE failed to respond to several alerts after a phishing email was opened, weeks before the system was crippled by a ransomware attack.

The report found that the health service was operating on a “frail IT” system that does not have the required resilience and security, and does not have the proper resources.

The report found that the low level of cybersecurity, combined with the frail IT system, enabled the attackers to access the HSE system with “relative ease”.

HSE director-general Paul Reid launches the HSE “Covid Tracker” contact tracing app at the Department of Health in Dublin (Niall Carson/PA) (PA Archive)

The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service.

It led to mass cancellations of appointments and surgeries.

The report found that the gang behind the ransomware attack was able to use well-known and simple attack techniques to move around the HSE’s system.

The attackers first accessed the system on March 18, after someone opened a phishing email that contained a malicious Microsoft Excel file.

It triggered access to the IT system, allowing the hackers to operate across the system for a further eight weeks.

The gang was able to extract data and deploy ransomware software over large parts of the system without detection.

“There were several detections of the attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation initiated by the HSE, and as a result opportunities to prevent the successful detonation of the ransomware were missed,” the report added.

The report said that the HSE did not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.

“This is highly unusual for an organisation of the HSE’s size and complexity, with reliance on technology for delivering critical operations and handling large amounts of sensitive data,” the report added.

“As a consequence, there was no senior cybersecurity specialist able to ensure recognition of the risks that the organisation faced due to its cybersecurity posture and the growing threat environment.”

HSE’s chief executive, Paul Reid, said the network was not strategically designed as HSE’s system evolved, describing it as “an obvious weakness”.

The report also said the HSE did not have suitably resourced roles for those with cyber-specific skills and leadership.

The report recommended that the HSE establish an oversight body for cybersecurity and appoint a chief technology and transformation officer.

Mr Reid said the HSE published the report to be open and transparent.

HSE’s interim chief information officer, Fran Thompson, said: “Part of the challenge was that the significance of those (alerts) was missed, and maybe not fully comprehended at the time.

“Therefore when the detonation came, we weren’t prepared for that.”

Mr Reid said: “The cyber evolution has outpaced our technology management and that was a risk.”

The report said there was a need for very significant investment to have a state-of-the-art IT infrastructure for the HSE, adding that it was still vulnerable to another attack.

Mr Reid added: “We’re concerned. It’s quite clear the risks are there. We’re not waiting and many of the actions that we have taken have obviously been to mitigate the exposures highlighted in the report.

“We have taken a very significant range of actions.

“We see that there is an exposure, but a lot of actions have taken place in the last few weeks and months in terms of monitoring, security, user access, third-party access, controls and 24-hour monitoring.”
