Hacker accessed ‘frail’ HSE system two months before ransomware attack

10 Dec 2021

A report found that the opening of a malicious email attachment gave an attacker access to the HSE’s system eight weeks before the ransomware attack.

There were “missed” opportunities to prevent the ransomware attack that hit Ireland’s health service earlier this year.

That’s according to a report commissioned by the Health Service Executive (HSE) board and carried out by PwC.

The report, released today (10 December), found that the attacker gained access to the HSE’s systems eight weeks before the ransomware was detonated.

They were able to achieve their objectives “with relative ease” due to the “frailty” of the HSE’s IT estate, according to the report, and there was a “lack of structures and processes in place to deal with the incident”.

‘Missed’ opportunities

In May of this year, the HSE was subjected to a cyberattack that infiltrated its IT systems using Conti ransomware. More than 80pc of IT infrastructure was affected and there were severe impacts on the health service in Ireland.

But according to the PwC report, the cyberattack originated eight weeks earlier. An employee opened a malicious Microsoft Excel file that was attached to a phishing email sent on 16 March.

The attacker gained unauthorised access to the HSE’s system when that file was opened on 18 March, and operated in the system over an eight-week period leading up to the ransomware detonation on 14 May.

This included compromising a “significant number” of accounts with high levels of privileges, compromising a “significant number” of servers and exfiltrating data, the report found.

It added that there were several detections of the attacker’s activity by a number of hospitals in this period before the ransomware attack, but these did not result in a cybersecurity investigation by the HSE.

“As a result, opportunities to prevent the successful detonation of the ransomware were missed,” the report said.

‘Frail IT estate’

PwC said there were a number of mitigating factors that had a considerable effect in reducing the impact of the attack.

It found that the attacker used relatively well-known techniques and software to execute the attack, while a more sophisticated attack could have had a greater impact.

The release of the decryption key by the attacker on 20 May also allowed for an accelerated recovery process. The report said it is unclear how much data would have been unrecoverable without this development, as “the HSE’s backup infrastructure was only periodically backed up to offline tape”.

It pointed to the swift response to the incident, with HSE staff, State agencies and third parties going “above and beyond” to assist in the response and recovery.

But the report concluded that a low level of cybersecurity maturity combined with the “frailty” of the HSE’s IT systems enabled the attacker to achieve their objectives “with relative ease”.

“The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process from the cyberattacks that all organisations face today,” the report said.

“It does not have sufficient subject matter expertise, resources or appropriate security tooling to detect, prevent or respond to a cyberattack of this scale.”

‘Important lessons’

PwC said the HSE “remains vulnerable” to cyberattacks and made a number of recommendations in its report.

These include appointing a chief technology and transformation officer and a chief information security officer, enhancing its ICT strategy and implementing a cybersecurity transformation programme.

HSE CEO Paul Reid said the report was commissioned to assess how the cyberattack happened and to set out tactical actions needed next.

“The report sets this out in quite a lot of detail,” he added. “We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area.”

The HSE said it has already started implementing recommendations in the report and begun engaging with the Department of Health to agree a multi-year ICT and cybersecurity transformation programme.

“It is clear that our IT systems and cybersecurity preparedness need major transformation,” added HSE chair Ciarán Devane.

“This report highlights the speed with which the sophistication of cybercriminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond.”

Sarah Harford was sub-editor of Silicon Republic