HSE computers only monitored for viruses during daytime hours prior to cyberattack, report reveals

Attack on health service last year has cost almost €100m to date, Comptroller and Auditor General finds

Before the disastrous and costly attack by a criminal cybergang, there was limited monitoring of the HSE network of 70,000 IT devices, the latest annual report by the Comptroller and Auditor General notes. Photograph: iStock
Before the disastrous and costly attack by a criminal cybergang, there was limited monitoring of the HSE network of 70,000 IT devices, the latest annual report by the Comptroller and Auditor General notes. Photograph: iStock

Health Service Executive computers were monitored for viruses during daytime hours only before they were subjected to a cyberattack in May 2021, according to a report.

Before the disastrous and costly attack by a criminal cybergang, there was limited monitoring of the HSE network of 70,000 IT devices, the latest annual report by the Comptroller and Auditor General points out.

A third party provided an antivirus monitoring service between 8am and 6pm each day, with an oncall service outside those hours. Since the attack, the HSE has put in place an enhanced monitoring service providing 24-hour support.

The cyberattack has cost the HSE almost €100 million so far, according to the report, but this is expected to rise further. This includes €51 million in 2021, and €4.4 million in revenue costs and €2.6 million in legal costs in 2022. In addition, the HSE has secured an increase in its recurrent funding of €43 million for ICT expenditure in 2022, of which €38 million is for increasing its capability to deal with future threats.

READ SOME MORE

Consultants have estimated the service will need an additional €657 million over seven years for cybersecurity improvements.

Just three of the 83 recommendations made by consultants PwC in a report on the cyberattack last year have been fully implemented, the report says.

The HSE has responded that many of these recommendations will take a number of years to complete, and that the status of each recommendation does not fully capture the amount of work done to protect it from a future attack.

The Comptroller and Auditor General report points out that internal audits carried out before the cyberattack had identified issues with the HSE’s IT infrastructure, including the use of outdated and unsupported software.

“Substantial investment in the HSE IT systems will be required to ensure that the systems are fit for purpose, that operational platforms are upgraded and to ensure that client and patient personal data is sufficiently protected from external threats.”

The initial infection occurred on a HSE workstation in March 2021 and the attackers then compromised servers in the HSE and a number of hospitals in May 2021.

The attackers demanded $20 million for decryption of the Conti ransomware they had installed but this was not paid. The servers were not fully decrypted until September 2021.

Scans, blood tests, lab services, maternity and primary care were the worst-affected areas, with staff forced to put in place local workarounds and to go back to paper records to make up for the loss of computer connectivity.

Thousands of patient appointments were cancelled in the aftermath of the cyberattack, which led to an increase in waiting lists. The report says it is hard to separate out the impact of the attack from that of Covid-19.

IBM Security has reviewed hundreds of organisations with recent data breaches and has calculated the average number of days it took to identify the breach and to contain it, the report points out. Compared to the overall average, the HSE was notified of the data breach significantly earlier (57 days against an average of 207 days), but took longer to contain and recover from it (130 days against an average of 70).

The full cost of the attack has not been quantified. Costs incurred by voluntary agencies, and staff time spent addressing the problem, are not included in the figures.

The HSE spent €2.6 million on legal costs, including securing a High Court order to prevent sharing of patient data without its consent.

The HSE says no legal actions have been taken against it yet by patients affected by data breaches but, as the report points out, patients, staff and clients whose personal information was stolen in the attack have yet to be told about this.

Other organisations also incurred costs as a result of the incident. The Department of Health, which thwarted a cyberattack on its systems, has spent almost €1 million on dealing with the attack and on other costs, and individual hospitals have been similarly affected.

Paul Cullen

Paul Cullen

Paul Cullen is a former heath editor of The Irish Times.