HSE knew the cyberattack risks but couldn’t get ahead of the hackers

Health system had been tackling weaknesses in IT security but cyber criminals got there first

The HSE has not been able to say if weaknesses identified in internal audits, flagged in 2018 by its own IT teams, were a factor in last week’s cyber attacks

The worst fears of the Health Service Executive’s technology chiefs occurred in the early hours of Friday last week when it first began to emerge that the organisation was under attack from cyber criminals.

Parts of the organisation’s information technology systems had been identified as vulnerable at least three years ago and technicians had been working to improve security with a detailed plan of action.

However, the Covid-19 pandemic diverted resources away from those efforts last year, while many of the measures that had been planned were due to be completed later this year.

So, arguably, some actions being taken by the HSE would have come too late to reduce the risk of the kind of assault that was unleashed on its systems – if indeed they could have helped at all.

The HSE has not been able to say if weaknesses identified in internal audits, flagged in 2018 by its own IT teams, were a factor in last week’s cyber attacks. But the issues found by the audits relating to “security controls” and “disaster recovery protocols” did spark efforts to improve the HSE’s cyber security.

Ossian Smyth: “It’s like someone burgles the house and your stuff is delivered back in a skip.” Photograph: Tom Honan

Known risk

The HSE’s Corporate Risk Register (CRR) lists cyber security and an update from late last year outlines exactly the kinds of impacts a successful attack would cause. It says: “There is a risk to the HSE effectively protecting the confidentiality, availability and integrity of HSE data including patient data against cyber threats”.

It adds that this would impact “directly on patient care and safety and staff as a result of the inability to deliver ICT and specialised medical device dependent services”. This is what has happened over the last eight days.

The risk register shows that considerable work was planned to improve the security of the HSE’s networks, with 13 major actions, and 33 measures within them, due to be implemented or initiated either towards the end of last year or across 2021.

The HSE had also decided that the migration of legacy, ageing databases to “the cloud” should happen over this year, and next.

Some measures, like developing a cloud computing framework, and some infrastructure upgrades aimed at addressing security and cyber concerns have been completed.

The HSE also appointed an information security manager last September, an expert whose job it is to “drive the cyber-security agenda and strategy”.

The HSE said a firewall capacity upgrade was completed before the end of 2020 as intended, as was a plan to enhance email security controls.

Efforts to “enhance cyber security education & awareness” included a plan to purchase online security training for staff by the end of March, with an indication that training would begin by the end of June.

Staff updates

On this point the HSE has not said if this target was met, though it did say that staff are regularly updated on education and communication policies and procedures, via PC logons, emails, poster campaigns and intranet updates, among other channels.

The risk register says that efforts by HSE staff to improve cyber security were affected by the diversion of workers to computer systems to help battle the Covid-19 pandemic. This “has and may continue to impact their ability to deliver” on the actions “in the agreed timeframe”.

The HSE plans to bring in a “single identity programme” for staff and this is said to be 33 per cent complete but progress has been paused due to the pandemic.

The HSE said it has spent €110.5 million on cyber security in the five years between 2016 and 2020 and planned to spend another €37.3 million this year prior to the attack. It insisted it has invested “considerable funding into cyber security” and pointed to remarks by chief executive Paul Reid who said that amid years of investment there is “protection at all points in the network, at endpoint protection, at the network server layer, at our PCs”.

Underway for weeks

Regardless of the investment and steps taken to improve security, hackers were successful in breaching the HSE’s systems. This month’s attack on the HSE seems to have been under way for weeks before there was any communication with the perpetrators.

Efforts are underway to establish how the contact method supplied by the gang was handled, amid fears that if unsanctioned correspondence took place it could have given the cyber-criminals the impression the State was willing to do a deal with them.

However, the hack seems to have been in progress for some time before any communication with the hackers, rather than being prompted by it.

An encryption key, hosted on a darkweb site linked to the hackers, which could potentially unlock the HSE’s systems was received on Thursday.

Since obtaining the encryption key the State and its cyber-security consultants have formed the view that it is genuine, and could allow them to extract raw data from damaged systems. However, even if this is successful, unlocking the data is a first step.

“It’s like someone burgles the house and your stuff is delivered back in a skip,” says Minister of State for Communications Ossian Smyth. “They wreck your network and infect it, and even with the encryption key, you’re not back to day one.”

Core systems

Restoring the data takes time. The HSE is working to bring core systems back online, and also working to clear individual hospital networks. It is unclear, still, just how long this process will take.

On a parallel track, while the encryption key has been heralded as a significant step, the threat to publish data remains. However, Smyth says the policy on payment of any ransom is unchanged. “We’re not going to pay an extortion fee because someone has some data and they’re threatening to publish it,” he said.

This, inevitably, raises the question of what happens if sensitive data is published. While he says he will be “delighted” if it isn’t, Smyth said: “Realistically, data is going to be published.”

A helpline has been set up for such an eventuality.

If the release – or, indeed, the sale – of the data leads to a rise in scams, Smyth points to the capabilities of contact-tracing services set up during the pandemic, which show that the State can handle huge volumes of inbound calls.