HSE ‘missed opportunities’ to detect malicious activity before ransomware attack
A review found that the health service was using a ‘frail’ IT system without the necessary security.
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.A report into the Health Service Executive (HSE) ransomware attack has found there were “several missed opportunities” to detect malicious activity.
An independent review, carried out by PricewaterhouseCoopers, found that the HSE failed to respond to several alerts after a phishing email was opened, weeks before the system was crippled by a ransomware attack.
The report found that the health service was operating on a “frail IT” system that does not have the required resilience and security, and does not have the proper resources.
The report found that the low level of cybersecurity, combined with the frail IT system, enabled the attackers to access the HSE system with “relative ease”.
The ransomware attack on the HSE, which occurred in May, caused major disruption to the Irish health service.
It led to mass cancellations of appointments and surgeries.
The report found that the gang behind the ransomware attack was able to use well-known and simple attack techniques to move around the HSE’s system.
The attackers first accessed the system on March 18, after someone opened a phishing email that contained a malicious Microsoft Excel file.
It triggered access to the IT system, allowing the hackers to operate across the system for a further eight weeks.
The gang was able to extract data and deploy ransomware software over large parts of the system without detection.
“There were several detections of the attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation initiated by the HSE, and as a result opportunities to prevent the successful detonation of the ransomware were missed,” the report added.
The report said that the HSE did not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.
“This is highly unusual for an organisation of the HSE’s size and complexity, with reliance on technology for delivering critical operations and handling large amounts of sensitive data,” the report added.
“As a consequence, there was no senior cybersecurity specialist able to ensure recognition of the risks that the organisation faced due to its cybersecurity posture and the growing threat environment.”
HSE’s chief executive, Paul Reid, said the network was not strategically designed as HSE’s system evolved, describing it as “an obvious weakness”.
The report also said the HSE did not have suitably resourced roles for those with cyber-specific skills and leadership.
The report recommended that the HSE establish an oversight body for cybersecurity and appoint a chief technology and transformation officer.
Mr Reid said the HSE published the report to be open and transparent.
HSE’s interim chief information officer, Fran Thompson, said: “Part of the challenge was that the significance of those (alerts) was missed, and maybe not fully comprehended at the time.
“Therefore when the detonation came, we weren’t prepared for that.”
Mr Reid said: “The cyber evolution has outpaced our technology management and that was a risk.”
The report said there was a need for very significant investment to have a state-of-the-art IT infrastructure for the HSE, adding that it was still vulnerable to another attack.
Mr Reid added: “We’re concerned. It’s quite clear the risks are there. We’re not waiting and many of the actions that we have taken have obviously been to mitigate the exposures highlighted in the report.
“We have taken a very significant range of actions.
“We see that there is an exposure, but a lot of actions have taken place in the last few weeks and months in terms of monitoring, security, user access, third-party access, controls and 24-hour monitoring.”
Subscribe to Independent Premium to bookmark this article
Want to bookmark your favourite articles and stories to read or reference later? Start your Independent Premium subscription today.