The HSE is today publishing the report of the independent review into the ransomware cyber-attack on its IT systems which took place earlier this year. The report was commissioned by the HSE Board, in conjunction with the CEO and the Executive Management Team. It was prepared by PwC.

It makes a detailed series of findings in relation to the circumstances leading up to the attack and the attack itself, including the level of preparedness for and the quality of the response to the incident. The HSE has already made urgent changes to protect the organisation against a similar future attack.  It has embarked on implementing recommendations in the report and has begun engagements with the Department of Health with a view to agreeing a multi-year ICT and cybersecurity transformation programme.

The Chairman of the HSE Mr Ciarán Devane said:

We commissioned this urgent review following the criminal attack on our IT systems which caused enormous disruption to health and social services in Ireland, and whose impact is still being felt every day.  It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond.

The review found that there was a lack of structures and processes in place to deal with the incident. However, the HSE was in a position to draw from prior learnings and processes used in dealing with crisis situations, such as during the Covid pandemic, to help manage the situation.

According to Mr Devane:

The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations.  We are in the process of putting in place appropriate and sustainable structures and enhanced security measures.

The CEO of the HSE Mr Paul Reid said:

We were anxious to commission this report so that we had an independent, thorough and transparent assessment of how this cyber-attack happened and to set out the strategic and tactical actions needed. The report sets this out in quite a lot of detail. We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area.

The HSE has implemented a number of high-level security solutions to address issues raised in the report. These include a range of new cyber-security controls, monitoring and threat intelligence measures based on best international expert advice.

Notes 

Background

On 14^th May 2021, the HSE was subjected to a serious criminal cyberattack, through the infiltration of IT systems using Conti Ransomware.  With over 80% of IT infrastructure impacted and the loss of key patient information and diagnostics, this resulted in severe impacts on the health service and the provision of care. The HSE employed the assistance of An Garda Síochána, the National Cyber Security Centre, Interpol and the Irish Defence Forces.

Key recommendations

ICT / Cyber governance

§  Board and Executive level working groups to drive continuous assessment of cybersecurity

Technology and Transformation

§  Appoint a Chief Technology and Transformation Officer

§  Enhance our ICT Strategy and multi-year technology plan in line with Cyber recommendations

§  Develop a significant investment plan

§  Transformation of a legacy IT estate

§  Build cybersecurity and resilience into IT architecture

Cyber-security

§  Appoint a Chief Information Security Officer and resource a skilled cyber function

§  Develop and implement a cyber-security transformation programme

Clinical and services continuity

§  Establish clinical and services transformation programme

§  Build on HSE risk, incident, crisis and business continuity processes

§  Establish Operational Policy + Resilience Steering Committee

§  Enhance crisis management capabilities

A copy to the report is available here:

Executive Summary –  https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-executive-summary.pdf

Full Report – https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf