An investigation into the springtime cyber-attack on HSE Ireland has found that criminals spent two months inside the healthcare system’s computer network before deploying ransomware.
The attack, which struck HSE Ireland with Conti ransomware in mid-May, forced the health service to take its IT systems offline, leading to the cancellation of multiple hospital appointments.
An investigation into the cybercrime, launched by Ireland’s national police service, Gardai, led to the September seizure of several domains involved in the attack.
An independent review of the attack conducted by multinational professional services network PricewaterhouseCoopers (PWC) found that HSE failed to act on warning signs that a cyber-attack could be imminent.
PWC learned that the ransomware gang behind the attack phished their way into the healthcare system’s network on March 18 when an individual using an HSE computer unwittingly opened a malicious Microsoft Excel document attached to an email.
Cyber-criminals then spent eight weeks accessing sensitive data stored within the health service’s network before using ransomware to encrypt HSE’s files in May.
The review determined that there were “several missed opportunities” to detect suspicious network activity before the ransomware attack took place.
PWC found that the IT system in use by HSE was “frail” and lacking in both security and resilience. The poor cybersecurity posture of the healthcare system allowed the attacker to gain access to its networks with “relative ease.”
“There were several detections of the attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation initiated by the HSE, and as a result, opportunities to prevent the successful detonation of the ransomware were missed,” the report stated.
PWC found that HSE had not appointed anyone to be responsible for cybersecurity at a senior management or executive level.
“This is highly unusual for an organization of the HSE’s size and complexity, with reliance on technology for delivering critical operations and handling large amounts of sensitive data,” the report stated.
“As a consequence, there was no senior cybersecurity specialist able to ensure recognition of the risks that the organization faced due to its cybersecurity posture and the growing threat environment.”