Irish health cyber-attack could have been even worse, report says

  • Published
A nurse with a clipboardImage source, Getty Images

An independent report into a cyber-attack on Ireland's health service in May has found the consequences could have been even worse than they were.

Ransomware locked staff out of their computer systems and "severely" disrupted healthcare in the country.

But the report said it would have been worse if data had been destroyed or Covid-19 vaccination systems or specific medical devices had been hit.

It added the attack had "a far greater" impact than initially expected.

The report, by PricewaterhouseCoopers (PWC), commissioned by the healthcare executive, found that systems remain vulnerable to even more serious attacks in the future.

The Irish technology systems were "frail" and several opportunities to spot warning signs were missed, cyber-security experts found.

The attackers demanded payment to restore access to the computer systems, and it took the service four months to fully recover.

Image source, Getty Images

On 18 March, someone in the Irish Health Service Executive (HSE) opened a spreadsheet that had been sent to them by email two days earlier. But the file was compromised with malware.

The criminal gang behind the email spent the next two months working their way through the networks.

There were multiple warning signs that they were at work, but no investigation was launched, and that meant a crucial opportunity to intervene was missed, the report found.

Then at 01:00 BST on Friday 14 May, the criminals unleashed their ransomware.

The impact was devastating.

Pen and paper

More than 80% of IT infrastructure was affected, with the loss of key patient information and diagnostics, resulting in severe impacts on the health service and the provision of care.

The HSE employs about 130,000 people to provide health and social care to five million Irish citizens.

But all computer systems were switched off. Doctors, nurses and other workers lost access to systems for patient information, clinical care and laboratories.

Emails went down, and staff had to turn to pen and paper.

Lab test data had to be handwritten and manually entered - leading to greater risks of mistakes.

Thousands of people's healthcare was disrupted.

A GP received a phone call from a consultant surgeon questioning the location of a patient due for surgery, when that person had already been operated on, the report said.

Image source, Getty Images

Confidential medical files were also stolen, with hackers threatening to release the data.

A response was quickly mobilised internally, and the Irish Defence Forces were called in to help.

Senior staff set up a "war room", but the report criticises the lack of preparation or contingency planning for such a loss of systems.

"The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event," it says.

A lesson for others

The attackers used software developed by a group known as Conti. The report does not go into detail of who was behind the attack, but the ransomware has previously been linked to Russian criminal gangs.

The criminals had left instructions on how to get in touch, but the Irish government confirmed on the day of the attack that it would not pay a ransom.

"The attacker posted a message on an internet chat room on the dark web, with a link to several samples of data reportedly stolen," the report says.

On 20 May, the attackers, for reasons not entirely clear - but perhaps realising the scale of what was happening - posted a link to a key that would decrypt files.

This allowed a long recovery to begin.

"Without the decryption key, it is unknown whether systems could have been recovered fully, or how long it would have taken to recover systems from back-ups, but it is highly likely that the recovery timeframe would have been considerably longer," the report says.

It still took until late September for all the computer servers to be back online.

The report concluded that "transformational change" was required in technology and cyber-security to protect from future incidents and warned that other organisations needed to learn the lessons of this case.

HSE chairman Ciaran Devane said: "The HSE has accepted the report's findings and recommendations, and it contains many learnings for us and potentially other organisations.

"We are in the process of putting in place appropriate and sustainable structures and enhanced security measures."