We need your help now
Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
By continuing, you are indicating that you accept our Terms of Service and Privacy Policy.
LAST UPDATE | 17 May 2021
THERE IS A risk that medical and other patient data affected by the ransomware attack on the HSE “will be abused”, the Government has warned.
In a statement this evening, the government said: “These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data.”
Since the HSE announced on Friday that it had been the target of the ransomware attack, in which patient and staff data may have been compromised, the health and security arms of government have been scrambling to take control of the situation.
On Friday, the Master of the Rotunda Maternity Hospital announced on Morning Ireland that its IT system was down, and that it was operating by the “traditional”, paper-based system until further notice.
Minutes later, it was revealed that the issue affected the whole HSE patient system – and all national and local IT systems involved in transferring or storing data needed to be shut down as a precaution.
Around 86,000 computers have been turned off, and a security team are going through 2,000 systems within the HSE to decide what level of access has been gained in the attack. The HSE has said publicly that it is still unclear what data hackers gained access to, whether that be administrative data, patient data, or staff data.
The HSE’s IT systems were hit by a Conti ransomware attack, where attackers enter into a computer system, study how it works, and encrypt the private data before announcing their attack to the victim and demanding a ransom for it not to be published online.
This particular attack was carried out by an international cyber-crime gang, the Government said in a statement this evening.
“It is aimed at nothing other than extorting money and those who carried it out have no concern for the severe impact on patients needing care or for the privacy of those whose private information has been stolen,” it said, adding:
“These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data. The significant disruption to health services is to be condemned, especially at this time.
“Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused. Anyone who is affected is urged to contact the HSE and Garda authorities.”
The Government said its main concern is to secure as speedy a resumption of all medical services “as can possibly be achieved, consistent with ensuring that the HSE’s systems can be safely and robustly restored”.
There is currently hundreds of people deployed to tackle this attack in accordance with the predetermined plan for such cyber attacks, according to the statement.
Minister for Justice Heather Humphreys today met with the Garda Commissioner and the head of the Garda Cybercrime Bureau Chief Superintendent Paul Clearly in relation to the attack.
Garda Commissioner Drew Harris informed Humphreys that An Garda Síochána is providing its full support to the National Cyber Security Centre, which is leading the State response to the attack, and is also liaising and cooperating with international law enforcement partners.
Taoiseach Micheál Martin, Tánaiste Leo Varadkar, Transport Minister Eamon Ryan, Justice Minister Heather Humphreys, Health Minister Stephen Donnelly and Minister of State for Communications Ossian Smyth also met this afternoon to discuss the attack.
Tomorrow morning, the Oireachtas Transport and Communications Networks committee will hear from officials from the Department of Communications and the National Cyber Security Centre after requesting an “immediate meeting”.
TDs and Senators will raise issues such as how the breaches occurred, the strategy in place to fully repel the attacks and timescale involved for the resumption of normal operations.
As with all security issues, information about the exact amount being sought is scarce and muddled: particularly around what data the hackers have gained access to, and what ransom amount has been sought by hackers.
Ransom speculation
Reports in Sunday newspapers yesterday indicated that hackers may have had access to the HSE system up to two weeks before a ransom was demanded, and reported widely varied ransom amounts being demanded.
The Business Post reported that the hackers demanded three bitcoin or $150,000, while others cited $20 million – a figure first reported by tech website Bleeping Computer.
Neither amounts have been confirmed as accurate by the HSE or Government.
What services are affected
The main crux of the problem for the HSE is that its core patient system, and its radiation diagnostic system ‘Nimis’, are down.
Yesterday on Newstalk’s On The Record, HSE Chief Operations Officer Anne O’Connor gave a general overview of what had been cancelled, including: X-ray appointments, paediatric services, and hospital outpatient appointments in the west were more severely affected.
O’Connor said that the voluntary hospitals – including the Mater, Beaumont, James’, Vincent’s, Tallaght, Mercy and South Infirmary – operate on a different IT system, so that they were impacted, but not as severely.
Beaumont and Connolly appointments are also going ahead, but similar to the voluntary hospital, radiology is still affected.
Hospitals in the West – Donegal, Sligo, Mayo, and Galway – have cancelled all outpatient appointments; if your appointment is proceeding they will contact you, O’Connor added. The same is the case with children’s health appointments: Crumlin, Temple Street, and Tallaght have cancelled appointments.
Almost all radiation appointments, including X-ray, MRI, and CT scans, have been cancelled, as computers are needed to assess scans.
At Mercy University Hospital in Cork, the ongoing cyber attack has caused “considerable delays” in the emergency department and has affected outpatient services. All radiology OPD appointments and the processing of GP urgent bloods have been cancelled for the remainder of the week. Any patients with an appointment between now and 21 May are urged to contact the hospital to reconfirm their appointment.
The Covid-19 vaccination programme and testing regime is largely unaffected, as it is a newer, separate IT system.
O’Connor said that there was a risk for the HSE in treating patients with a purely paper-based system.
We can’t order lab tests or radiology electronically. So normally, if you’re in a hospital, it’s all done through computers, and results come back. So for anybody coming in, its back to manual, hand-written notes. We have people in hospitals delivering pieces of papers with lab results, so it really is going back many, many years. There’s a risk with that.
Our priority has got to be to get a patient system back that gives us access to people’s information. So even things like blood transfusions, matching bloods, looking at previous records with medications, allergies, etc – we don’t have access.
The child and family agency Tusla has also been impacted by the attack. Over 90% of the agency’s connectivity, databases and operating systems are on the HSE platform.
Speaking to RTÉ’s News at One today, Tusla CEO Bernard Gloster explained that the agency’s main casework in child protection, welfare and children in case work is hosted on the National Childcare Information System (NCIS).
“All the case management information is on that system and that system is currently not available to us. It was switched off as part of the HSE containment, correctly, on Friday morning,” Gloster said.
Gloster said Tusla has about 20,000 cases open between child protection, welfare and children in care. Those case files are located on the NCIS system, and as a result, are not currently available to Tusla.
“We can do a significant amount of our work today in terms of engaging with the public, but in terms of having all of the necessary information, the tools to do that, we are quite limited,” he said.
Anyone who wishes to make a referral about a child can currently do so by contacting local Tusla offices, phone numbers for which are located on the agency’s website.
People having difficulty locating a phone number of a local Tusla office can call the main office number on 01 771 8500.
What progress has been made
The HSE’s website page of what health services are still available at what hospitals will be updated every hour.
The statement from Government this evening said: “The HSE is continuing the make the necessary arrangements in the interim to provide the maximum possible availability of services to patients across the State.
“While the process will, inevitably, take some time, the HSE and its partners are working to ensure that the maintenance and restoration of care for patients can progress in the coming days.”
HSE CEO Paul Reid said on Morning Ireland today that progress had been made over the weekend in going through all of the HSE’s systems and clearing them out one by one.
He said it would cost “tens of millions” to fix and rebuild the HSE’s IT system from ‘clean’, back-up data. Even after all systems are cleared, it’s possible that hackers could publish any data they obtained if a ransom is not paid.
He said that the capacity of private hospitals will be used, particularly in oncology, to ensure that patients continued to receive the care they needed.
“The risks increase every day as we progress, it’s having very serious impact on people and has very severe consequences for us,” he said, adding that it would impact the HSE “well throughout this week”.
When asked whether private information could be published online by the hackers, Reid said “that’s what these organisations set out to do”.
Everything we’re doing since we became aware of this on Friday is setting out to mitigate that, to rebuild our services, to reassess what has been accessed, what may have been accessed, taking back security – but it’s a really difficult process we’re in.
To embed this post, copy the code below on your site
I would be interested to know what security measures were in place to protect our personal data. Was it encrypted at rest? How are the encryption keys managed and stored etc. If it turns out that basic good security practice wasn’t in place this is completely the fault of the HSE and the government.
@Damient McDonagh: hmmm well see that’s not how it works. Common misunderstanding big tech there. Firstly if it’s something like a zero day exploit it’s unseen before and hence can not be guarded against. Now, odds are it came in via email. This is not your Nigerian prince type email. At times it can look like an internal company email with file or link. Click on that and they can then gain access. Matters not any level of encryption because what your looking at or logged into is unencrypted at that stage and that’s what they see. Then it’s case once foot in door of downloading and implanting your exe file. When you’re done then set it off.
@Tom Ripley: for example I’ve memory stick with encrypted data I plug into my computer for hse I then unencryptbthe data to use. My pc is compromised by hacker unknown to me they see that data I’ve unencrypted and can just FTP it right out of there.
Without knowing the full details it’s hard to say if it’s the HSEs fault here. It maybe but people jump the gun I’d rather know the details of hack. But this is Ireland not the USA or UK where we would be told every detail. Here nah, your just told it’s under investigation and operationally sensitive from our secret police.
If you like podcasts check out the Lazarus heist about North Korean hackers. Amazing stuff.
@Tom Ripley: also meant to say common misunderstanding there in first message. Gboard decided to say something different :p
@Tom Ripley: I know they’re saying this was a zero day attack but I seriously have my doubts. Plenty of hospitals have been hit around the world and none of them were hit with a zero day.
Not only does it seem like overkill, but also it seems a bit pointless given how poor the HSE’s IT infrastructure is compared to foreign modern day hospitals. Also if this was done by a the Conti criminal gang, seems a bit unlikely they would have had access to a zero exploit compared to a Nation State.
@Damient McDonagh: Chances are this was something simple as an employee clicking a phishing link either in their work email or else in their personal email maybe on work computer. Most of these attacks occur from something as simple as that and once they unknowingly download a piece of malware, it almost doesn’t matter what security measures are in place because its too late.
Generally, the weakest or strongest defence is your employees, and if that fails, you’re done.
@Nigel: maybe, hard to know with the little info we have to go on. It’s not just nation state actors that have access to zero day exploits. Thats always been the bread and butter for hackers before oldies on Facebook who got “accounts hacked” and think they just guess passwords. Exploits are found everyday. Plus if it’s network exploit and it’s relatively new it could be used in attack and not be patched for months while Microsoft analyse the problem and develop a solution they can roll out. So this same exploit could have been used last month somewhere and next month somewhere else.
@Tom Ripley: But yes of course you can always lock your network down harder. But I wonder… How many in HSE were given a course on Phishing? I bet myself not many and the weakest link at times tends to be the human. You’re only as strong as your weakest link.
@Tom Ripley: When security people use the term zero day, it means an exploit or vulnerability that has never been exploited before and there is no existing fix for it and that’s the term I’m referring to. I don’t mean an exploit that’s been previously used or that was already in the process of being patched.
The point I’m trying to make is I have my doubts as it wouldn’t surprise me if they’re just saying its a zero day attack to take some of the responsibility blame off having poor security in place.
@Tom Ripley: There is no evidence whatsoever this was a zero day exploit, and it’s my understanding the HSE have been very proactive regarding phishing attacks with their staff.
The reality is we don’t yet know how these actors gained access, with such a large network it could be by any number of means. The attack itself was an already know variant and didn’t employ a zero day exploit.
@Tom Ripley: I also know that the HSE does have IT security induction training that includes a lesson on phishing, but this is done when an employee joins. And whether or not they properly ingest the information at the time is a different story. If you look at the HSE’s IT security culture, it is clear to see that it is poor. A visit to a very rural hospital and you will dated infrastructure and a lot of paper based systems.
@Tom Ripley: This has been attacking hospitals since last year. Most of the hse infrastucture is still working in Windows 7!
@Tom Ripley: This has been attacking hospitals since last year. Most of the hse infrastructure is still working in Windows 7!
@Koochulan: I’ll take your work on that. Silly if that’s the case and if that machine is networked
@Nigel: can’t access personal emails on HSE devices
@Tom Ripley: hmmm well you are making a lot of “odds on” assumptions there about stuff similar to “emails from Nigerians” without any evidence of what actually happened.
Listening to podcasts about hacking doesn’t make one an expert lols
@Tom Ripley: This was an attack by a Russian cyber crime group known as ‘Wizard Spider, well everyone has to have a cool name these days. They likely used phishing attacks to install the TrickBot or BazarLoader trojans that provide remote access allowing them time to roam the HSE’s network, which they did.
Using this remote access, they spread laterally through a network while stealing credentials and harvesting unencrypted data stored on workstations and servers. Once the hackers have stolen everything of value and gained access to Windows domain credentials, they deploy the Conti ransomware on the network to encrypt all of its devices.
They then threaten the victim in a twofold manner, in this case the HSE have been told the data will be deleted within a certain time frame if they don’t pay and some of the data will be released on the dark net, again if they don’t pay. If they pay, the hackers promise to decrypt all files and send instructions on how to close any loopholes in IT security. Given that they’ve being using these methods for a number of years they can hardly be described as ‘zero day attacks’. I understand the HSE follow and employ recognised IT security methods, their systems are as secure as is reasonably possible and they do regularly keep staff updated on IT security.
@UK Hurling Bloke: And do you know something? It’s not called the IT Journal. It’s a layman’s chat site. It’s just people shooting the sh!t. There are IT sites you can visit if you’re looking for experts.
@Paul Murphy: I’m not trying to be smart, but can you say that for certain on 100% of HSE devices? Across all hospitals countrywide and on any working from home devices?
I don’t know what the restrictions are for their devices but unless that is the case on 100% of devices then you can’t make that statement.
@Damient McDonagh: they use windows xp fgs
@Tom Ripley: agree it’s very unlikely it was a zero day attack, just from speaking with others in IT, it’s been mentioned they use onprem exchange servers, it’s almost impossible to block phishing emails even in a small business environment who’s not on 365/gsuite these days without third party companies or 365 defender, I can only Imagine the amount of phishing emails that go through them on a daily basis, was only a matter of time.
There sure some BAD people out there pure evil .
@Andy Harding: w
And some very naive people who dont see the need to back up a system and have professional monitoring for cybersecurity
@Andy Harding: there sure are….. however, I have had reason to visit the outpatients clinics in a hospital in Cork on a few occasions over the last few years and guess what???? The admin staff are STILL sticking stickers on bits of paper — what IT systems do they actually have? Paying their admin staff far too much instead of investing in a proper IT system that would negate the need for many of the admin staff and enable them to hire more frontline staff (at decent remuneration) and better cyber security :-o
@Nora McElhinney: blame the lowest paid clerical officers in the place for the failings of senior management there Nora. Fair play.
@Nora McElhinney: ps. Those labels are most likely just numbered to let the medical staff know what order the patients arrived in so they know who to call in next, but feel free to advocate thousands of staff losing their jobs all around the country because a few labels irked you.
@Fred spins kdb: ssssssshhhhh NORA is in the fine Gael
@Fred spins kdb: something like 17% of the HSE is administration staff though. Its way way way overstaffed in admin roles. Whether they are clerical officer roles, or above, doesn’t matter. Their jobs are not justifiable.
@Marty Lawless: FF and FG want all those admin roles in the HSE. They only ever cut actual doctor or nurse roles or close beds. So to say her wish for less waste and better standard of free healthcare for everyone and better pay and conditions for those actually providing it is ridiculous, it couldn’t be further from a FF or FG attitude.
@NotMyIreland: I think it’s fairly ff/fg 101 to deflect blame from those in power and oppress the lower to middle income worker, and if you think any of the more left leaning parties would advocate a widespread slashing of lower to middle income admin jobs you are mistaken I think.
Doesn’t yet know the extent of the intrusion.. but can give an estimated cost of repair. Gearing up to get HSE IT budget beefed up next year, ever the optimist.
Anyone heard from our minster for health since this kicked off?
@Anto H:
He’s hacked off
Shambles
@Robert Clifford: Course it is, Bob. Wouldn’t have happened if Bob had been running the show.
Just pay the ransom faffing about for two weeks and then paying is in nobody’s interest. If we had the expertise to solve this problem this problem would never have arisen.
@Seanboy: did you read the article? Did you understand it?
The HSE is saying that the attack was dangerous and that the hackers might release the info on the web about patients
Yet the Owen lad on the radio this morning is downplaying it saying that he’s not aware of any data loss and is treating it as a GDPR incident
What is going on all news articles are reporting similar but slightly different reports some saying the social welfare could be targeted and soMe saying it will be fine
I know for now no one really knows what’s going on but I do wish for a more clearer and accurate report
Does anyone know
@Darren Farrell: Their process is to encrypt the data in the onsite server and charge to get the key to unencrypte it, they don’t generally take a copy of the data to release online.
@Jason Walsh: that’s incorrect, previously they used to just encrypt it. Now they use double extortion tactics where they exfiltrate data and threaten to publish it if the ransom victims don’t pay the ransom fee.
If the HSE had backup files, as HSE say they have, just porting them to another platform and closing off outside access should do it. And then use random password generators.
Publication of these files would mean nothing to anybody, so that need not be a great concern, especially as most files would not be understandable to anybody but a doctor due to all the medical lingo.
The concern is to get a new system up and running that would prove a lot tougher to hack by the Conti method.
I have never had any faith in Windows anyway – it would be costly but a lot safer to switch to Apple or Linux OS.
@Michael McGrath: nowhere near that straight forward. Those backups need to be verified that they too aren’t infected. This infection is likely to have been in place weeks, if not months. Random passwords won’t work as people forget them and end up falling into bad habits such as writing them down / changing them to easily guessed/cracked ones.
Apple had two zero day exploits in the last month that they had to patch, Linux releases security updates all the time. Switching to these would not have helped the HSE in any way – they are woefully under staffed from an ICT perspective and use software that is years past its EOL so upgrading OS is not a straightforward process.
@Michael McGrath: Did it ever occur to you that there may be sensitive and private data, psychiatric files, pediatric information, plus all the banking related data of every HSE employee. Just backup the thousands of HSE servers, and how far back would you go, in your expert opinion? And how long would you estimate this will take? I’m sure if you write to the head of the HSE and let him know you never had faith in Windows he’d be shocked…
If they have a patient’s name, address, PPS number, and date of birth, and then publish all that on the dark web, believe me that alone can cause a hell of a problem for a lot of people
Anyone heard from the Data Protection commissioner on this. If the data has been read or lifted then the HSE/ Department are liable
Probably running Windows 95 or 98
@billy bound: might be safer…!!! No one writing virus code for ’95 or ’98 any more!
It’s starting to sound more like data has been stolen and not just encrypted.
I’m open to correction but if you’re locked out of your data, I would imagine it would be obvious what data has been accessed e.g. admin, patient or staff data.
The fact now that they’re warning the data might be abused and that they don’t know what data the hackers gained access to sounds to me like data has been stolen but they can’t ascertain what it was.
Any white hats out there who can explain what the hackers did?
@MrJohne:
He’s hacked off
.
It’s already happening I’m getting 3 phone calls a day saying this is the hse
NIMIS system had been compromised.
In simple terms Xray pictures sharing services.
To access it one needs to have an account created and separate from your normal nt logon.
Meaning that it is controlled and more restrictive access.
Meaning that it is likely that someone with access had to upload something, by negligence, or by design. Possibly back end.
Hacking is far more a game of psychology, rather then learning the system inside out, identifying backdoors. and writing lines of code to crack it.
Someone with access.
Re.:
Shutting down entire patient management systems:
It is precautionary measure to prevent other system from being potentially highjacked for one, and secondly for forensic analysis to preserve the crimescene .
Cleaning and restoration of NIMIS should be straight forward enough.
Identifying when, how and what as well but it will take time, because it is a criminal case.
Assessment wheter ipms. pax and other system are compromised is all together separate ball game.
I was a patient at the Rotunda does this mean my files are gone? My daughter is a patient in Crumlin, has her data been taken?
This is just not acceptable
Dreadful that this has happened.
This has been attacking hospitals since last year!.
https://www.youtube.com/watch?v=2BMVJa6oCxw
@Koochulan: yep we are all gonna click that.
If they publish this info, I hope they have the decency to delete the bit about the boil on my flute.
I’d love to know what kind of personal information they might have about us?
.
have your say