:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/BBZH5ZBRDHFRQQ22QYMJOXQCO4.jpg)
The long tail – and tale – of the devastating cyberattack waged against the Health Service Executive's computer services last May continued in recent days as the HSE received a tranche of stolen patient data via the Garda National Cyber Crime Bureau. The information was being stored in the US.
Now, the long task begins of identifying the individuals whose personal information was compromised during an attack that the HSE predicts may ultimately cost the service more than €100 million to address. For everyone affected – and inevitably, that is all of us – the costs are incalculable. An already-overburdened and delayed medical system was dealt a crippling blow. For weeks, patient consultations, diagnoses or treatments were disrupted.
And that’s before adding in the risks to individuals of having some of their most sensitive personal information – not just names, addresses and credit card data, but treatment details – sold on to the dark web, potentially to be exploited for identity theft, financial fraud, or blackmail attempts.
As the highly critical report on the attack earlier this month from PwC makes clear, the HSE's cyber defences weren't remotely fit for purpose, even though many long-standing problems were clearly identified to the service in the past.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/FSAYPZBBXFGZJ2XHK6ZGQ7SIQM.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/64PZYNLPZWR5D7VQ4YOYGITF4E.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/MYXDKA2CTBWYM7DMN4ZUS3CJPU.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/NED5VLMRAH4QQOJPEG5RWFZHRI.jpg)
Weaknesses were multitudinous. Systems were old and creaky, a “frail IT estate” that had suffered from lack of investment over many years, PwC stated. And the HSE lacked the expertise to prevent or respond adequately to an attack.
“It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyberattacks that all organisations face today,” the report concluded. The latter point is notable: this was not a rare and unexpected event, but a digital commonplace in the 21st century. Not just the HSE, but all State departments and agencies must finance the digital systems, security expertise and staff training needed to deal with cyber threats. We have all learned the painful costs of doing otherwise, a price that continues to mount.