Legal - January 28, 2025
On 14 May 2021, Ireland’s Health Service Executive (HSE) was subjected to an unprecedented ransomware cyber-attack that impacted all online systems involved in the provision of its services, ranging from radiology and pathology/laboratories to radiotherapy, maternity, primary care, disability services and blood tests.
As HSE staff were unable to access patient data, delayed patient admissions and discharges and difficulties with patient handovers were also created as a direct result of the attack.
As a precautionary measure designed to limit the impact of the attack, the HSE, which at that time operated with over 70,000 IT devices in approximately 4,000 locations, took the decision to shut down its Information and Communications Technology (ICT) network.
This meant that all HSE systems, irrespective of whether or not they had been affected, were impacted.
A review into how the attack occurred and how it was possible for an entire national health service to be so effectively compromised was subsequently ordered from PricewaterhouseCoopers (PwC) by the HSE Board and its Chief Executive Officer.
The HSE tasked PwC to urgently establish the facts in relation to the current preparedness of the organisation in terms of its ICT systems, cyber and information protections and its operational preparedness.
The report that followed the post-incident review acknowledged the immediate actions taken by the HSE, which included requesting the assistance of the Garda National Cyber Crime Bureau, the International Criminal Police Organisation (“Interpol”) and the National Cyber Security Centre (“NCSC”). It also highlighted the enormous dedication and effort observed at all staff levels during the response to the incident.
However, the PwC report was scathing in its assessment of the HSE’s preparedness, while underscoring the many lost opportunities that could have prevented the attacker from gaining access to the HSE’s ICT systems.
Specifically, PwC assessed that the cyber-attack was able to cause the damage that it did because the HSE was operating on what it termed a frail IT estate, one that had evolved rather than having been designed for resilience and security.
It also found glaring oversight weaknesses, such as the fact that at the time of the incident the HSE did not have a single responsible owner for cybersecurity at senior executive or management level.
It also emerged that there were several detections of the attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation being initiated by the HSE. As a result, opportunities to prevent the successful detonation of the ransomware were missed.
In terms of the financial impact of the attack, the initial costs were put in the region of approximately €40 million, with additional legal costs of €2.6 million being incurred since the cyber-attack. These amounts are only a fraction of the estimated €657 million that will have to be spent to fully implement all of the cyber security improvements recommended by the PwC post-incident review.
Since the attack the HSE has worked to significantly address the deficits and vulnerabilities identified within its ICT architecture. It has also taken a number of key steps including the recruitment of a Chief Information Security Officer to lead the end-to-end cyber security operations.
Many of the issues raised by the cyber-attack on Ireland’s health service, in particular the work to update its ‘frail IT estate’, are bound to re-emerge following publication on 15 January 2025 of the European Commission’s action plan to strengthen the cybersecurity of hospitals and healthcare providers.
The stated aims of the action plan centre on improving threat detection, preparedness and crisis response in the Europe-wide healthcare sector. It also aims to provide tailored guidance, tools, services and training to hospitals and healthcare providers, with several specific actions to be rolled out progressively in 2025 and 2026 in collaboration with health providers, Member States and the cybersecurity community.
The communication from the Commission on the action plan specifically identifies the Irish cyber-attack as an example of the kind of incident capable of demonstrating the potential of cyberattacks to spread rapidly across interlinked systems. It also cites the Irish cyber-attack as an incident that underlines the importance of consistently ensuring that a fundamental cyber hygiene and cybersecurity culture is operative throughout organisations across the EU.
While Ireland’s cyber-attack was an alarming assault causing significant disruption and financial costs, the Commission’s action plan is at pains to highlight the potential for more destructive and sinister outcomes when such attacks are deployed by state and non-state actors as part of a wider hybrid campaign against the EU’s entire security environment.
Failure to adequately prepare for and repel cyber-attacks may ultimately lead, in the Commission’s view, to a destabilisation of our societies by those who seek to profit from division and disruption. This is not to suggest, and the action plan certainly does not suggest, that there is a ‘silver bullet’ solution to the cybersecurity challenges that exist with respect to protecting EU healthcare digital platforms.
Instead, it focuses on calling for strengthened prevention, preparedness, and ‘a more coordinated approach to solidarity while tapping into the expertise of the European cybersecurity industry.’ As such, and as the action plan states, it reflects the broader EU approach to security that will be further developed and formalised in the upcoming European Internal Security Strategy.
This is why the plan is specifically urging all member states to adopt a ‘whole-of-society’ and ‘whole-of-government’ approach.
This point is also reflected in guidance documents issued by Ireland’s National Cyber Security Centre (NCSC) specifically in its National Cyber Emergency Plan (NCEP).
The NCEP sets out the national approach for responding to serious cybersecurity incidents that affect the confidentiality, integrity, and availability of nationally important information technology and operational technology systems and networks such as those impacted during the attack on Ireland’s HSE.
Ireland’s willingness to advance its preparedness in this area may also be seen in the recent publication of the incoming Irish administration’s Programme for Government. There, a commitment has been given that Government will deliver a new National Cybersecurity Strategy in 2025. It also commits to promoting the development of a centre of excellence for developing cyber security skills.
The need for greater levels of technological competence and familiarity with cybersecurity among staff in key national services was also noted in the PwC post-incident review.
However, while the need to adopt complex cybersecurity measures within the Irish health systems was accepted, the review also recognised the need to balance this with a need for ease-of-use, especially for clinical staff.
The experience of the HSE cyber-attack and the growing global threat from cyber-criminals makes the realisation of this particular Programme for Government commitment a national imperative.
It is also important that Ireland continues its work on the transposition into Irish law of the revised EU Network and Information Security Directive (NIS2).
The previous Irish Government accepted that this Directive represented a major step forward for cyber resilience and would enhance cyber risk management across the Union including generating significant improvements in the capacity to respond to major incidents such as the HSE attack.
It may finally be noted that while Ireland, through its National Cyber Security Centre, is actively taking steps to protect and defend the security and integrity of network and information systems in the State, the previous administration also approved the drafting of the National Cyber Security Bill 2024.
The general scheme of the Bill is noteworthy for the broad range of activities that will be permissible, including the scanning of publicly accessible networks and the sharing of personal data with relevant authorities. It may now receive added legislative impetus following publication of the Commission’s action plan to strengthen the cybersecurity of hospitals and healthcare providers.
That being said, when the final draft of the Bill is presented, it is highly likely that persistent concerns around how we balance digital security, the drive for open data and the right to personal privacy in a time of increasing cyber-attacks will also feature prominently.