HSE computers only monitored for viruses during daytime hours prior to cyberattack, report reveals
The Comptroller and Auditor General finds an attack on the health service last year cost almost €100m.
Before a cyberattack in May 2021, the computers of the Health Service Executive were only checked during the day.
The latest annual report from the Comptroller and Auditor General says that the HSE network of 70,000 IT devices was not closely monitored before the costly cyberattack.
A third party provided antivirus monitoring from 8 am to 6 pm daily and on-call service after hours. Since the attack, the HSE has added 24-hour monitoring.
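One way to put a number on a gap like the 08:00 to 18:00 window described above is to replay alert timestamps against the staffed window and measure how long each alert would have waited for an analyst. The script below is an added example, not code from the report or the HSE: the alerts are constructed sample data, the hostnames and rule names are made up, and it deliberately ignores any after-hours on-call arrangement so that the worst case is visible.

```python
"""Measure how many security alerts fall outside a staffed monitoring window.

Added illustration (not from the C&AG report): compare a business-hours
window with round-the-clock coverage over a constructed set of alerts.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str      # hypothetical hostname
    rule: str      # hypothetical detection rule name
    severity: str


# Constructed sample alerts spread across one weekday evening and the next morning.
SAMPLE_ALERTS = [
    Alert(datetime(2021, 3, 18, 9, 12), "ws-0412", "av.detection", "medium"),
    Alert(datetime(2021, 3, 18, 14, 5), "ws-0412", "av.quarantine_failed", "high"),
    Alert(datetime(2021, 3, 18, 19, 40), "ws-0412", "suspicious_child_process", "high"),
    Alert(datetime(2021, 3, 18, 23, 55), "srv-dc01", "lateral_movement", "critical"),
    Alert(datetime(2021, 3, 19, 2, 30), "srv-file02", "mass_file_rename", "critical"),
    Alert(datetime(2021, 3, 19, 8, 15), "srv-file02", "av.detection", "medium"),
]


def _hour_of_day(ts: datetime) -> float:
    """Fractional hour since midnight, e.g. 19:40 -> 19.666..."""
    return ts.hour + ts.minute / 60 + ts.second / 3600


def monitored(ts: datetime, start_hour: int, end_hour: int) -> bool:
    """True if the alert fires while the console is staffed (start <= t < end).

    A 24x7 window is expressed as (0, 24).
    """
    return start_hour <= _hour_of_day(ts) < end_hour


def next_staffed_time(ts: datetime, start_hour: int, end_hour: int) -> datetime:
    """Earliest moment a staffed analyst would see an alert raised at ts."""
    if monitored(ts, start_hour, end_hour):
        return ts
    staffed = datetime.combine(ts.date(), time(start_hour, 0))
    if _hour_of_day(ts) >= end_hour:
        staffed += timedelta(days=1)  # raised after close: waits for tomorrow's shift
    return staffed


def coverage_report(alerts, start_hour: int = 8, end_hour: int = 18) -> dict:
    """Count alerts nobody is watching and the longest wait before someone would."""
    unattended = [a for a in alerts if not monitored(a.ts, start_hour, end_hour)]
    delays = [next_staffed_time(a.ts, start_hour, end_hour) - a.ts for a in unattended]
    max_delay = max(delays, default=timedelta(0))
    return {
        "window": f"{start_hour:02d}:00-{end_hour:02d}:00",
        "total": len(alerts),
        "unattended": len(unattended),
        "unattended_critical": sum(1 for a in unattended if a.severity == "critical"),
        "max_delay_hours": max_delay.total_seconds() / 3600,
    }


def compare_coverage(alerts) -> dict:
    """Side-by-side view of a business-hours window and 24x7 coverage."""
    return {
        "business_hours": coverage_report(alerts, 8, 18),
        "round_the_clock": coverage_report(alerts, 0, 24),
    }


if __name__ == "__main__":
    for name, report in compare_coverage(SAMPLE_ALERTS).items():
        print(name, report)
```

With the constructed data, three of the six alerts, including both marked critical, fire while nobody is on the console, and the evening alert waits over twelve hours for the morning shift; under 24x7 coverage the unattended count is zero. Swapping in real alert exports from an EDR or SIEM turns this into a quick way to justify the monitoring hours a contract should specify.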
According to the report, the cyberattack has cost the HSE almost €100 million so far. In 2022, this includes €4.4 million in revenue costs and €2.6 million in legal costs. The HSE has also received an increase in regular funding of €43 million for ICT spending in 2022, of which €38 million will be used to fight future threats.
Consultants estimate the service will need €657 million in cybersecurity improvements over seven years. Only three of PwC’s 83 recommendations on last year’s cyberattack have been fully implemented, the report says.
The HSE responded that many of these recommendations will take years to complete and that the status of each recommendation does not fully capture the work done to protect the organisation from a future attack.
Before the cyberattack, internal audits of the HSE’s IT infrastructure had found problems, such as outdated software that was no longer supported.
“Significant investments will need to be made in HSE IT systems to make sure they are fit for purpose, operational platforms are upgraded, and personal information about clients and patients is safe from outside threats.”
In March 2021, an HSE workstation was infected, and in May 2021, HSE and hospital servers were compromised. The attackers demanded $20 million for a key to decrypt the data encrypted by the Conti ransomware they had deployed. By September 2021, the servers had been decrypted.
The areas that were most affected were scans, blood tests, lab services, maternity care, and primary care. This meant that staff had to use local workarounds and paper records.
The cyberattack led to the cancellation of thousands of patient appointments, lengthening waiting lists. The report says it is difficult to separate the impact of the attack from that of COVID-19.
IBM Security reviewed hundreds of recent data breaches and calculated the average number of days it takes to identify and contain them. The HSE identified its breach sooner than that average (57 days vs. 207 days), but it took longer to contain and recover from it (130 days against an average of 70).
The full cost of the attack is unknown. Nonprofit costs and staff time spent on the problem are not included. The HSE paid €2.6 million in legal fees, which included obtaining an order from the High Court to stop the sharing of patient data without consent.
The HSE says no patients affected by the data breach have taken legal action against it yet, but patients, staff, and clients whose personal information was stolen in the attack have not yet been notified.
The incident also cost other organisations. The Department of Health, which thwarted a cyberattack of its own, spent nearly €1 million responding to the attack and on other related costs. Individual hospitals were also affected.