HSE ‘missed opportunities’ to detect malicious activity before ransomware attack

A report into the Health Service Executive (HSE) ransomware attack has found there were “several missed opportunities” to detect malicious activity.

An independent review, carried out by PricewaterhouseCoopers, found that the HSE failed to respond to several alerts after a phishing email was opened, weeks before the system was crippled by a ransomware attack.

The report found that the health service was operating on a “frail IT” system that does not have the required resilience and security, and does not have the proper resources.

The report found that the low level of cybersecurity, combined with the frail IT system, enabled the attackers to access the HSE system with “relative ease”.

The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service.

It led to mass cancellations of appointments and surgeries.

The report found that the gang behind the ransomware attack was able to use well-known and simple attack techniques to move around the HSE’s system.

The attackers first accessed the system on March 18, after someone opened a phishing email that contained a malicious Microsoft Excel file.

It triggered access to the IT system, allowing the hackers to operate across the system for a further eight weeks.

The gang was able to extract data and deploy ransomware software over large parts of the system without detection.

“There were several detections of the attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation initiated by the HSE, and as a result opportunities to prevent the successful detonation of the ransomware were missed,” the report added.

The report said that the HSE did not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.

“This is highly unusual for an organisation of the HSE’s size and complexity, with reliance on technology for delivering critical operations and handling large amounts of sensitive data,” the report added.

“As a consequence, there was no senior cybersecurity specialist able to ensure recognition of the risks that the organisation faced due to its cybersecurity posture and the growing threat environment.”

HSE’s chief executive, Paul Reid, said the network was not strategically designed as HSE’s system evolved, describing it as “an obvious weakness”.

The report also said the HSE did not have suitably resourced roles for those with cyber-specific skills and leadership.

The report recommended that the HSE establish an oversight body for cybersecurity and appoint a chief technology and transformation officer.

Mr Reid said the HSE published the report to be open and transparent.

HSE’s interim chief information officer, Fran Thompson, said: “Part of the challenge was that the significance of those (alerts) was missed, and maybe not fully comprehended at the time.

“Therefore when the detonation came, we weren’t prepared for that.”

Mr Reid said: “The cyber evolution has outpaced our technology management and that was a risk.”

The report said there was a need for very significant investment to have a state-of-the-art IT infrastructure for the HSE, adding that it was still vulnerable to another attack.

Mr Reid added: “We’re concerned. It’s quite clear the risks are there. We’re not waiting and many of the actions that we have taken have obviously been to mitigate the exposures highlighted in the report.

“We have taken a very significant range of actions.

“We see that there is an exposure, but a lot of actions have taken place in the last few weeks and months in terms of monitoring, security, user access, third-party access, controls and 24-hour monitoring.”