HSE hackers were in healthcare IT system for eight weeks before cyberattack

A NEW REPORT on the HSE cyberattack in May shows the hackers were in the healthcare department’s computer systems for eight weeks before launching the attack.

The report, which was launched this afternoon, details how the HSE was unprepared for a cyber attack due to its weak IT system and a lack of cybersecurity detection and monitoring.

The cyber attack cost the HSE around 100 million euros, with half of the costs incurred in 2021, while the other half will be recurring charges in 2022.

The attack itself caused massive disruption across the country, with normal healthcare operations curtailed due to computer outages.

Covid-19 measures such as testing and contact tracing were affected, with the daily numbers of cases and deaths from the virus inaccessible immediately afterward.

Contingency plans have been put in place by the health department to revert to a paper system due to the inaccessibility of digital health records.

Organizations like An Garda Síochána, the National Cyber Security Centre, Interpol and the Defence Forces were called upon to help the HSE cope with the attack.

Attackers first sent a malicious email to a single workstation on March 16, and then the email was opened on March 18. A malicious Microsoft Office Excel file was downloaded which allowed hackers to enter the HSE computer system.

The hackers stayed within the HSE computer system for eight weeks, gaining additional levels of access to the system and to individual user accounts, before launching the attack on May 14.

While the HSE anti-virus software detected malicious activity on the workstation on March 31, it was configured in watch mode and therefore could not block the activity.

On May 13, a day before the attack, the HSE cybersecurity provider emailed the security operations team stating that there had been unmanaged threats since May 7 on at least 16 systems. The security operations team then asked the server team to restart the servers.

The next day the attack took place.

The ransomware attack was only detected when the attack was carried out and the computer system was shut down to prevent further damage. Hackers used Conti ransomware to disrupt HSE during the attack.

The report identified that the legacy IT system used by the HSE was not resilient enough to cope with a cyber attack, because the system evolved over time without taking resilience to cyber attacks into account.

Speaking on RTÉ's News at One, HSE CEO Paul Reid said the design of the health service network is not strategic, but arose out of the amalgamation of boards of health, hospital groups and community health organizations (CHOs) into the current health service.

“If you look at our network, it has certainly been built over the history of the health service. From health boards to hospital groups, to CHOs, to the HSE establishment itself,” said Reid.

“This is not a strategic network design and you certainly wouldn’t start that way.

“It’s very fragmented, very siloed, the solutions are delivered to every hospital or community area and many aspects of our legacy network are in place.”

The report identifies HSE staff as resilient, working quickly to ensure service continuity despite the attack.

In a statement on the report’s release, HSE President Ciarán Devane said the impact of the attack was still being felt on health services.

“We have commissioned this urgent review following the criminal attack on our computer systems which caused enormous disruption to health and social services in Ireland, and the impact of which is still being felt every day,” said Devane.

“It is clear that our IT systems and our cybersecurity readiness are in need of a major transformation.”

According to Reid, the health department has taken a number of actions to mitigate future cyber attacks, including new security controls and oversight.

“We have launched a series of immediate actions and we will now develop an implementation plan and a business case for the investment to strengthen our resilience and responsiveness in this area,” said Reid.

These immediate actions include a 24-hour monitoring service for HSE information systems, which is provided by an external service provider, as well as more multi-factor authentication for users.


Following the report published by PwC, the HSE accepted a number of recommendations to improve its cybersecurity measures and stop further attacks on the healthcare service.

Among them are plans for developing a new “major” investment plan and transforming existing IT to integrate cybersecurity into infrastructure.

New roles are also expected to be created, with both a Chief Technology and Transformation Officer and a Chief Information Security Officer to be appointed.

Additional cybersecurity crisis management plans are also recommended by the report, to ensure that responses to new cyber attacks are managed properly.

There will also be more testing of HSE cybersecurity defenses through the use of “ethical hackers”, with mock attacks carried out on healthcare IT systems.

“The HSE has accepted the findings and recommendations of the report, and it holds many lessons for us and potentially other organizations. We are in the process of putting in place appropriate and sustainable structures and reinforced security measures,” said Devane.

According to the report, the investment required to implement the recommendations will have to be “very significant” on an immediate and sustained basis. However, no estimated costs were included in the report.

The HSE has estimated that its IT operating budget for 2022 will increase to €140 million, compared to €82 million in 2021. It also expects the investment budget to increase to €130 million, compared to €120 million in 2021, which included €25 million for capital expenditure related to Covid-19.

Reid said the lessons the HSE learned from the cyberattack would help other agencies and government bodies circumvent the risks posed by cybercriminals and cyberattacks.

Gordon K. Morehouse