Bitcoin ransom will not be paid following cyber attack on HSE computer systems

Taoiseach insists vaccination programme continues uninterrupted despite serious cybercrime incident

Taoiseach Micheal Martin said it would take some days to assess the impact of the attack. File photograph: Nick Bradshaw
Taoiseach Micheal Martin said it would take some days to assess the impact of the attack. File photograph: Nick Bradshaw

Taoiseach Micheál Martin has insisted Ireland will not pay any ransom to hackers who attacked the state's health service.

Earlier, Minister of State for Communications Ossian Smyth has said a bitcoin ransom was demanded following a cyber attack on Health Service Executive (HSE) computer systems.

The demand is being assessed by experts who are attempting to determine if it was sent by those who launched the attack, he said.

Mr Martin, speaking at Government Buildings on Friday evening, said: “We had the people in place, we had the capacity and we had the systems in place to deal with this and we’re dealing with it methodically from the outset.”

READ SOME MORE

“This is something that has to be dealt with in a methodical way. The system has been shut down. There’s an assessment underway, identification of the issues and other processes.

“It will take some days to assess the impact and that is the proper way to do this and we will make those assessments over time. What’s important is people co-operate with the HSE, emergency services are open, the vaccination programme continues uninterrupted.

“At this stage we are dealing with this in accordance with the advice we’ve received from cyber security experts and I think we’re very clear we will not be paying any ransom.

“The work continues by the experts.”

Earlier, a HSE spokesman confirmed a ransom had been demanded and said it would not be paid in line with state policy.

The HSE said on Friday night that Covid-19 test results and contact tracing services have been successfully restored to normal.

Health service IT systems could take days to return to normal after being shutdown following what a Government Minister described as “possibly the most significant cybercrime attack on the Irish State” ever.

Meanwhile, chief medical officer Dr Tony Holohan said the ransomware attack on the HSE will impede the ability of the health service to organise effective testing and to measure the total number of cases.

However, the incident should not distract people from the basic public health messages that protect against infection. Patients with symptoms should self-isolate and attend one of the HSE’s self-testing centres, he said.

“We haven’t switched off testing and there no reason to think the public will deviate from their behaviour,” Dr Holohan said.

The HSE said the main attack began at around 4.30am on Friday and that IT staff switched off systems as a “precaution” in order to protect data and give time to “fully assess the situation with our own security partners”. It said the incident was carried out by international criminals seeking to extort money, though no demand has yet been made.

The attack was a “zero day threat” which meant there was no previous experience of how to respond, said Anne O’Connor, HSE chief operations officer.

The intention is to restart individual elements of the HSE’s IT system once they have been risk assessed and cleared, but the process is likely to continue into the weekend and possibly beyond.

Many hospital clinics and services were continuing today but others have been cancelled or disrupted due to the shutdown. Paper work was being done manually rather than electronically, which could cause delays for patients.

Minister for Health Stephen Donnelly said the attack has had “a severe impact” on health and social care services. However, people with appointments booked for today are advised to attend unless they hear otherwise.

“If this continues into Monday we will be in a very serious situation and we will have to cancel more appointments,” Ms O’Connor told RTÉ’s News at One.

Denial of service

There were “two or three” distributed denial of service (DDOS) attacks on parts of the HSE system on Thursday, which were regarded as routine at the time. However, there is now speculation that they were forerunners for the bigger attack, and that those behind this were “knocking on the door”.

For example, the email system in Beaumont Hospital went down yesterday and the IT department had to individually reset the passwords for users.

HSE chief executive Paul Reid said officials were working with the Garda, the Defence Forces and third party cyber security experts to respond to the attack.

An Garda Síochána said the HSE was the lead agency in dealing with the attack but it was liasing with the health body and the National Cyber Security Centre.

Mr Smyth told RTÉ radio's News at One that he had been briefed by the National Cyber Security Centre on the attack but for operational reasons could not share everything he knew.

He said it appeared to have been an attempt to lock the HSE out of its own systems in order to steal data and then try to extract a ransom.

The attack was “possibly the most significant cybercrime attack on the Irish State,” he said, adding that there was also an attempted attack on the Department of Health last night.

“There is a constant bombardment on systems. This is just one that got through.”

Vaccination portal

The system for Covid-19 vaccinations has not been affected and such appointments are going ahead as planned, though the registration portal has been shut down.

In addition, because GPs are affected, they cannot refer patients for Covid-19 testing. People with symptoms are therefore being told to go to one of the walk-in testing centres currently open. People awaiting test results may face a delay in receiving them.

“We are asking the public to bear with us while we implement a new process to provide results with an initial focus on detected results,” the HSE said.

“It is critical that anyone who is awaiting a Covid- 19 test result, self isolates until they receive their test result. This is an important change from the usual restricting movements advice.”

Contact tracing had been moved to two centres as there were telephony problems in the west of the country, Ms O’Connor said.

The National Ambulance Service is operating as normal, but a system for radiological imaging, called Pacs, has been impacted by the attack. It is used by many of the State’s hospitals.

Tusla said its internal systems, email and portal through which child protection referrals are made is not operating. The child and family agency said this was for “security reasons” as they are hosted on the HSE’s IT network.

A consultant at Cork University Hospital told of the distress being experienced by cancer patients who are awaiting test results but their files are not available as a result of the incident.

Prof Seamus O’Reilly, consultant oncologist at CUH, told RTÉ radio’s Morning Ireland that there were some patient test results outstanding and laboratory data that needed to be available.

“We’ve just found out how utterly reliant we are” on IT systems which highlighted the need for secure firewalls, he said.

Maternity services

There is disruption to services at the National Maternity Hospital (NMH) and the Rotunda Maternity Hospital in Dublin. The NMH said there will be significant disruption but those who have an appointment or need to come to the hospital should come as normal.

Most appointments at the Rotunda Maternity Hospital in Dublin on Friday have been cancelled due to the incident. The only exception is for patients who are 36 weeks pregnant or later or if it is an emergency.

The Master of the Rotunda Maternity Hospital Prof Fergal Malone said it was fortunate that the cyber attack happened before the weekend when outpatient services were not scheduled, "but babies are born on weekends too".

The attack comes almost four years to the day after a similar incident seriously impacted the NHS in Britain.

While the WannaCry virus attacked the NHS systems, it affected more than 200,000 computers in at least 100 countries. Data on infected computers was encrypted and users faced a ransom demand to unlock the devices.

A total of 80 of 236 NHS trusts across England suffered disruption because they were either infected by the ransomware or had turned off their devices or systems as a precaution. The ransomware infected another 603 NHS organisations including 595 GP practices.

The UK health service was forced to cancel almost 20,000 hospital appointments and operations as a result and five A&E departments had to divert pa - Additional reporting PA

Jack Horgan-Jones

Jack Horgan-Jones

Jack Horgan-Jones is a Political Correspondent with The Irish Times

Sarah Burns

Sarah Burns

Sarah Burns is a reporter for The Irish Times

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times

Paul Cullen

Paul Cullen

Paul Cullen is a former heath editor of The Irish Times.