A report commissioned by the HSE into the major cyber attack on the health service earlier this year found the IT systems being used were “frail”.
As reported in The Irish Times, the malicious file was opened at a HSE workstation on the 18th of March after the email had been sent to the “patient zero workstation” two days earlier.
Over the eight weeks following the opening of the file, a number of “alerts” were raised within the health service that the IT system might be compromised. However, the significance of the alerts had not been identified at the time.
On May 14th, the ransomware from the malicious file was “detonated”, leading to an IT crisis across the health service.
The report does not detail any issues about a ransom or the location of the hackers behind the attack.
Weak IT system
The report identified the “frail” IT systems used by the health service as a key weakness, recommending a multi-year programme of investment in IT and cybersecurity.
According to the investigation, there was a “known low level of cybersecurity maturity” within the HSE and the connected national health network.
It is expected that €100 million will be spent to rectify this issue next year, HSE chief executive Paul Reid has said.
Other recommendations in the report included the establishment of a HSE subcommittee to ensure requests for funding to the Government for an IT upgrade “are clearly articulated, and the risks associated with the lack of investment are communicated and understood”.
The report is to be shared with other State and non-State organisations to shape future preparedness against cybercrime.
'Dedication'
It was noted in the report that staff in the health service showed “dedication and effort” in response to the attack.
When the attack happened on May 14th, healthcare professionals across the sector lost access to all HSE-provided IT systems.
According to the latest figures, the HSE is the largest employer in the State and uses more than 70,000 devices.
The report found that, in times of emergency, staff showed they can be “resilient, respond quickly, and have an ability to implement actions and workarounds”.
“Healthcare services across the country were severely disrupted with real and immediate consequences for the thousands of people who require health services every day.”
HSE chief Paul Reid said there was no indication that any patient had died as a result of the cyber attack, which was a “great credit” to staff.
'Unusual'
The report said that the HSE did not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.
“This is highly unusual for an organisation of the HSE’s size and complexity, with reliance on technology for delivering critical operations and handling large amounts of sensitive data,” the report added.
“As a consequence, there was no senior cybersecurity specialist able to ensure recognition of the risks that the organisation faced due to its cybersecurity posture and the growing threat environment.”
The HSE’s chief executive, Paul Reid, said the network was not strategically designed as the HSE’s system evolved, describing it as “an obvious weakness”.
The report also said the HSE did not have suitably resourced roles for those with cyber-specific skills and leadership.
The report recommended that the HSE establish an oversight body for cybersecurity and appoint a chief technology and transformation officer.
Mr Reid said the HSE published the report to be open and transparent.
HSE’s interim chief information officer, Fran Thompson, said: “Part of the challenge was that the significance of those (alerts) was missed, and maybe not fully comprehended at the time.
“Therefore when the detonation came, we weren’t prepared for that.”
Mr Reid said: “The cyber evolution has outpaced our technology management and that was a risk.”
-Additional reporting by PA