Rebuilding HSE’s computer systems after cyberattack could take ‘weeks’

True scale of cyberattack and what, if any, data has been compromised is not yet clear

The attack, which began early on Friday morning, has been identified by the HSE as a variant of Conti ransomware. Photograph: iStock


When the HSE made the decision to shut down its computer systems that were being hit with a ransomware attack, it was the first in a long line of decisions facing its crisis management team.

Security experts have warned rebuilding systems after a ransomware attack can take weeks, as IT infrastructure is combed through for signs the attackers have been there.

The attack, which began early on Friday morning, has been identified by the HSE as a variant of Conti ransomware, which can steal data from the victim as well as encrypt it. Attacks are typically accompanied by a ransom demand, usually to be paid in cryptocurrency.

However, paying the ransom is risky; it doesn’t guarantee that you will get access to your data. “There is no guarantee that if the ransom is paid or partially paid that they are going to be honourable and release the encryption keys to you,” said Steve MacNicholas, chief executive of Ekco Ireland.

Precautionary measure

The first step was taking systems offline as a precautionary measure. HSE staff were told not to turn on work laptops or computers, and those who had already done so were told to turn them off.

“That’s the right approach,” said Conor Scolard, technical director of Ekco Ireland, who has been involved in the incident response of many high-profile ransomware attacks in Ireland in the last year. “They take everything down and treat everything as potentially compromised. From there, you have to work your way through.”

The shutdown also left hospitals and health services without access to vital information, such as patient records and test results. While some appointments continued, patients were warned to expect disruption as staff turned to paper records where available – which was likely to result in delays. Virtual and online appointments were cancelled. Agencies such as Tusla were also affected as the core systems were offline.

Priority

The attack was focused on data rather than on critical hospital systems, so vital equipment in intensive care units was unaffected. The Covid-19 vaccination programme was still going ahead too, although the GP referral system for Covid-19 testing was down. Close contacts and those with symptoms were being given priority at the walk-in testing centres around the country. As of Friday evening, the Covid-19 testing and contact tracing services had been restored and vaccine registration systems were back online.

However, the true scale of the attack and what – if any – information has been compromised is not yet clear.

In attacks of this scale, MacNicholas says, the work can take some time. “Everything has to be cleaned, all devices, all servers have to be cleaned, and then you’re in a restoration of that data infrastructure on a large degree of infected domains and servers. From a business point of view, that runs for weeks.”
