Cyberthreat healthcare alert came months before HSE hit by hackers

Malicious file opened on March 18th triggered shutdown of HSE’s computer systems

The National Cyber Security Centre warned of potential ransomware attacks on the health service in October 2020, more than four months before the Health Service Executive was targeted by hackers, it has been revealed.

The health service was hit by a massive cyberattack earlier this year which caused chaos in hospitals, delayed patient care and and led to expected costs of almost €100 million.

A malicious file attached to a phishing email opened on March 18th led to a shutdown of the HSE’s computer systems once the Conti ransomware was “detonated” on May 14th.

The criminal gang behind the attack – believed by several observers to be most likely based in Russia – demanded $20 million (€17.7 billion) in Bitcoin.

The Government said no ransom would be paid and on May 20th the hackers posted a link to a key that decrypted files which had been encrypted by the ransomware.

Minister of State for eGovernment Ossian Smyth said he still does not know why the gang provided the decryption key, but suggested "there was a lot of pressure which they would not be used to". Mr Smyth said he was told that gardaí believed the attackers were based in seven different jurisdictions.

The Green Party Minister also said that unlike the risk for private hospitals that had been hit by ransomware attacks, “the HSE was not going to go out of business. So those threats were not going to work. I think at some point they figured out that that combination of the world’s law enforcement and military intelligence pointing at them, while not getting any money, it was time to move on to another target.”

He said it was not like targeting an insurance company, adding that in those cases “you’re not going to find the senior officials of your government in the country that you live in being contacted and asked to put pressure on you”.

A PWC report on the cyberattack commissioned by the HSE found that several “alerts” were raised within the health service that the IT system might be compromised after the initial email was opened in March but the significance of the alerts was not identified at the time.

Conti hazard

Mr Smyth said the cyber security centre warned in October 2020 that State healthcare facilities were at risk from the Conti hazard after hospitals in the United States were targeted. "They did say it, they did warn," he said.

Asked if the HSE did not pick up on the warning, Mr Smyth replied: “I think that the PWC report says what the shortcomings were in the HSE’s approach . . . it’s not like this wasn’t predicted.”

He said there would have been engagements with the HSE at the time and “I was told this that they were in a much better position than they had been a year previously. They had done a lot of work.”

However, he said this was being done in the context where “you’re talking about fixing software and what people really want to talk about is ventilators and contact tracing and all this kind of stuff, cancer treatments . . . It’s very hard to get attention for anything non-clinical within a healthcare system.”

The HSE said it was “aware of the heightened alerts and were acting on them through the delivery of additional mitigations and controls”. This included a strategy to back-up files, security patches, external firewalls and “significant user awareness and e-training was available to heighten awareness”.