Rebuilding HSE’s computer systems after cyberattack could take ‘weeks’

True scale of cyberattack and what, if any, data has been compromised is not yet clear

When the HSE made the decision to shut down its computer systems that were being hit with a ransomware attack, it was the first in a long line of decisions facing its crisis management team.

Security experts have warned rebuilding systems after a ransomware attack can take weeks, as IT infrastructure is combed through for signs the attackers have been there.

The attack, which began early on Friday morning, has been identified by the HSE as a variant of Conti ransomware, which can steal data from the victim as well as encrypt it. Attacks are typically accompanied by a ransom demand, usually to be paid in cryptocurrency.

However, paying the ransom is risky; it doesn't guarantee that you will get access to your data. "There is no guarantee that if the ransom is paid or partially paid that they are going to be honourable and release the encryption keys to you," said Steve MacNicholas, chief executive of Ekco Ireland.

Precautionary measure

The first step was taking systems offline as a precautionary measure. HSE staff were told not to turn on work laptops or computers, and those who had already done so were told to turn them off.

"That's the right approach," said Conor Scolard, technical director of Ekco Ireland, who has been involved in the incident response of many high-profile ransomware attacks in Ireland in the last year. "They take everything down and treat everything as potentially compromised. From there, you have to work your way through."

It also left hospitals and health services without access to vital information, such as patient records and test results. While some appointments continued, patients were warned to expect disruption as staff turned to paper records where available – which was likely to result in delays. Virtual and online appointments were cancelled. Agencies such as Tusla were also affected as access to the core systems was offline.

Priority

The attack was focused on data rather than on critical hospital systems, so vital equipment in intensive care units was unaffected. The Covid-19 vaccination programme was still going ahead too, although the GP referral system for Covid-19 testing was down. Close contacts and those with symptoms were being given priority at the walk-in testing centres around the country. As of Friday evening, the Covid-19 testing and contact tracing services had been restored and vaccine registration systems were back online.

However, the true scale of the attack and what – if any – information has been compromised is not yet clear.

In attacks of this scale, MacNicholas says, the work can take some time. “Everything has to be cleaned, all devices, all servers have to be cleaned, and then you’re in a restoration of that data infrastructure on a large degree of infected domains and servers. From a business point of view, that runs for weeks.”