Lord of the Dance
Independent report finds there was no one responsible for cybersecurity in HSE
News

Independent report finds there was no one responsible for cybersecurity in HSE

AN INDEPENDENT report into a cyber attack on the Health Service Executive's IT system earlier this year has found that there was a lack of preparedness within the HSE to defend against or respond to a such an attack.

The report, which was published today by PricewaterhouseCoopers, stated the HSE "did not have a single responsible owner for cybersecurity, at senior executive or management level at the time of the incident" and that it was a known issue that teams that had elements of cybersecurity in their remit were under-resourced.

 

Timeline

It also delved into the timeline of the cyber-attack, and found that on 18 March the source of the attack originated from a malware infection on a HSE workstation.

The infection was the result of the user of the workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user two days previously.

After gaining unauthorised access from 18 March, the attacker continued to operate in the environment over an eight week period.

On 10, 12 and 13 May, several hospitals identified or made communications in relation to malicious activity until the detonation of the Conti ransomware on 14 May.

"This included compromising and abusing a significant number of accounts with high levels of privileges compromising a significant number of servers, exfiltrating data and moving laterally to statutory and voluntary hospitals," the report said.

There were several detections of the attacker's activity prior to 14 May, but no investigation was initiated by the HSE, "and as a result opportunities to prevent the successful detonation of the ransomware were missed.

On 15 May 2021, the HSE senior management set up a war room at a third party’s office building on Molesworth Street.

On 20 May 2021, the Defence Forces attended Molesworth Street for further discussions around the level of support that was required by the HSE during the response and recovery phase of the Incident and on 21 May 2021, the HSE set up a physical situation centre in CityWest to manage the response and recovery.

On 20 May 2021, the HSE secured a High Court injunction "restraining any sharing, processing, selling or publishing of data stolen from its computer systems."

On the same day, the attacker posted a link to a key that would decrypt files encrypted by the Conti ransomware. The HSE’s Incident Response provider validated that the decryption key worked on 21 May 2021 and provided it to the HSE, allowing them to gain access to the data that had been encrypted by the Conti ransomware.

The following day, the Information and Communications Technology team moved from the response phase into the recovery phase, "where they focused their efforts on decrypting systems, cleansing workstations, restoring systems and the recovery of applications."

It took some months, but by 21 September 2021, the HSE had recovered all servers and 1,075 applications, out of a total of 1,087 applications.

 

Mitigating factors impacting the incident

The report said that there were a number of mitigating factors which reduced the severity and impact of the incident, the first being the simplicity of the attack and the release of the decryption key.

The attacker "used relatively well-known techniques and software to execute their attack," the report said.

The impact could have been far greater if the ransomware took actions to destroy data at scale, among other things.

There were also significant 'in-the moment' efforts in response to the incident, including "individuals from across the HSE, impacted hospitals, CHOs, and third parties all going “above and beyond” in their call of duty."

"This illustrates that, in times of significant challenge or emergencies, staff in the health services are resilient, respond quickly, and have an ability to implement actions and workarounds to maintain even a basic continuity of service to their patients."

Support of the incident was at a national scale which encouraged support and presence from other state agencies and third parties, "who provided structure, governance, technical expertise and resources to assist the response and recovery."

The HSE had also encountered other significant incidents both directly and through observations of ransomware attacks on other healthcare organisations globally, which "highlighted key learnings that have led to an improved level of crisis management maturity within the HSE."

 

Recommendations

The report made a number of recommendations for the HSE to implement.

"Transformational change is required across the technology foundation for provision of health services and its associated cybersecurity, that will need to be executed over the coming years," it said.

Clear responsibilities for IT and cybersecurity should be established, with a 'code of connection' setting a minimum cybersecurity requirement for all parties.

An oversight committee should also be established "to drive continuous assessed of cybersecurity risk and a cybersecurity transformation programme across the provision of health services."

It also recommends the establishment of an executive level oversight committee for IT, and a board committee to oversee the transformation of IT and cybersecurity to deliver "a future-fit, resilient technology base for provision of digitally-enabled health services, and ensure that IT and cybersecurity risks remain within a defined risk appetite."