DUBLIN — Ireland’s national health service was wholly unprepared for the ransomware attack that crippled its services in May and remains vulnerable to a second strike, according to a government-commissioned analysis published Friday.
External analysts found that the attackers started to infiltrate the Health Service Executive’s systems in mid-December and gained system-wide access once a staff member with high-level privileges clicked a malicious Excel attachment in a phishing email on March 18. That user, the report found, had already been targeted several times by the same attacker.
The HSE — Ireland’s largest employer with 130,000 staff and contractors, 54 hospitals and 1,200 networked locations — received warnings of suspicious activity from two hospitals and its own antivirus software provider in the days running up to the May 14 attack but took no action, the report found.
“The low level of cybersecurity maturity, combined with the frailty of the IT estate, enabled the attacker to achieve their objectives with relative ease,” the report said. “The attacker was able to use well-known and simple attack techniques to move around the NHN (National Health Network), extract data and deploy ransomware software over large parts of the estate, without detection.”
It criticized the HSE’s failure to have any official in charge of cybersecurity and said its 15 IT staff tasked with protecting systems — two of them students — “did not possess the expertise and experience to perform the tasks expected of them.”
When the attackers triggered their attack on May 14, they were able to encrypt 2,800 servers and compromise 3,500 workstations before HSE chiefs ordered a national shutdown of all systems. The initial attack breached the systems of six hospitals as well as the HSE, but two targets — the Department of Health and one hospital that had warned the HSE days earlier of suspicious activity — both deployed their own, better-managed antivirus defenses to pinpoint the danger and stop its spread.
The HSE’s failure meant that, until mid-September, many doctors nationwide lost access to patient information, clinical care and laboratory systems. With email and networked phones turned off, hospitals were reduced to using pen and paper, faxes, personal mobile phones and face-to-face planning — in the midst of a national rollout of COVID-19 vaccinations. Tens of thousands of appointments and procedures, particularly for cancer patients, were cancelled.
The 157-page report by consultants PwC warned that the attack could have been much worse — and still could be if the attackers return.
It noted that the attackers may have had access to, but did not target, hospital patients’ medical support devices. Nor did they seek “to destroy data at scale.” They also didn’t vandalize the HSE’s newer cloud-based systems, most critically the COVID-19 vaccine program.
The report found that hospitals’ records would have suffered “significant data loss” without the decryption key, because the HSE’s digital infrastructure “was only periodically backed up to offline tape. Therefore it is highly likely that segments of data for backup would have remained encrypted.”
The analysts found that HSE staff were much too reliant on a single suite of antivirus software, which wasn’t even set up correctly on most of the HSE’s 70,000 devices. It noted that the staff member who made the fateful March 18 click was using a computer that hadn’t updated its antivirus protection in more than a year.
Most of the technical and management weaknesses that made the attack possible remain today, the report warned.
“The HSE remains vulnerable to cyber attacks that may have an even greater impact,” it concluded.