HSE cyberattack leads to shutdown of national health service

21 May 2021

Last Friday, HSE Chief Clinical Officer, Dr. Colm Henry, announced that the HSE had fallen victim to a ransomware attack of an “unprecedented” nature, forcing the health service to shut down its IT systems, and in turn, causing widespread disruption to healthcare across the country. The attack was focused on accessing sensitive patient data stored on central servers. Minister of State for Communications, Ossian Smyth, said on Friday that a €20 million Bitcoin ransom was demanded following the attack, with the attackers threatening to leak personal patient data online. Both the HSE and Government have repeatedly stated that no ransom would be paid.

A week has since passed, and the HSE are still grappling with the fallout of this attack on their systems. The full extent of the attack is still under assessment and the HSE has said that the task of restoring their IT systems will “take many weeks,” with its immediate priority being the maintenance of emergency and essential services for at-risk patients. Minister for Health Stephen Donnelly acknowledged yesterday that sensitive patient data has appeared on the dark net, adding that the attack was “extensive”, “despicable” and has “real-world” consequences for patients. 

Gardaí believe that this data was shared publicly to increase pressure on the HSE to pay the ransom, a tactic utilised by ransom gangs. Meanwhile, on Tuesday, a New Zealand district’s health board fell victim to a ransomware attack eerily similar to the one crippling the HSE, with the Waikato District Health Board’s IT systems and phone lines having to be shut down. A significant rise in such attacks on essential health services has been seen in the past year as the pandemic has rapidly accelerated the digital transformation of these services. From ransomware to data breaches, and from election security to unemployment fraud, COVID-19 has in many ways unleashed a new set of challenges and/or accelerated existing challenges within the global cyberspace.

Since the attack, many have voiced their concern over the State’s preparedness for such an attack. Cathal Berry, Independent TD and former officer in the elite Army Ranger Wing, said the fight against the hackers has been undermined because of a failure by Government to properly resource the Defence Forces unit tasked with these incidents. The military’s cyber defence capability is contained within the Communications and Information Services Corps (CIS), which is seen as a key actor in the State’s response to the HSE attack. However, the CIS has suffered massively during the cuts to the Defence Forces which have taken place since 2013, including the loss of a whole company, numbering more than 50 soldiers.

This ransomware attack not only has huge implications for patients; the State could also face hundreds of millions in legal claims from victims if the HSE is found to have failed to adequately protect patients’ data. The attack has catapulted cyber-crime to the forefront of Irish society and leaves the State with the challenging task of remedying this incident while simultaneously preparing for the next. Timely in light of this cyberattack, Vulcan Consulting held a cybersecurity webinar on Tuesday examining how firms can best mitigate reputation risk stemming from cyber incidents. Vulcan CEO Lucinda Creighton was joined by cybersecurity experts Mathieu George and Robert Gardiner.