The effect of the cyber attack on the Irish health service continues to be felt by healthcare teams. David Lynch speaks with the former HSE CIO and examines the impact to date and lessons from the crisis
The cyber attack in May was not the first incident of this nature on health services. Globally, there have been many such attacks, including in May 2017, when the international media headlines reported on a cyber attack that hit the NHS and other organisations.
At the time, the HSE Chief Information Officer (CIO) was Mr Richard Corbridge. On the morning the news broke, he was in Wexford attending the AGM of the ICGP. Prior to his address, Mr Corbridge was busy making phone calls co-ordinating the HSE’s immediate response.
In the end, the HSE was largely unscathed during that crisis.
However, fast-forward to May 2021, and the HSE and the Irish health system was now the specific target of a major cyber attack. Having departed as HSE CIO in late 2017 to pursue opportunities in the UK, Mr Corbridge has been able to view the Executive’s response from a distance, and he was impressed.
“The key lesson learnt will be that the threat is no longer an ‘if’, but a ‘when’, unfortunately,” Mr Corbridge commented. “This is the same across every area now; the art is no longer in just the protection, but in the recovery and reaction to the issue.”
In terms of the response, he said the HSE team “appear to have been amazing in how they have reacted”, adding he believed the public communications “have been phenomenal”.
Awareness
But the HSE’s first CIO also believed that some new structure to increase staff awareness will need to be contemplated.
“The most basic threat protection is awareness and the health system as a whole, not just the HSE, now needs to again look at how it educates its staff.”
Mr Corbridge said there was a role for “a single function to do this across the HSE, health delivery and the Department [of Health]”. This resource now needs “to be looked at and invested in”. He said a key instrument in the fight against such attacks “is knowledge”.
The impact of the May cyber attack on patient services and data has been well documented in the national media. It is also clear that the HSE was aware cyber security was a concern prior to the attack.
In May, it was reported that as recently as March, the HSE audit and risk committee had discussed “cyber risks” and sought a general overview of the Executive’s “technological landscape and changing risk profile”, according to minutes.
The meeting was told the “risks over the last year have changed, with a rise in focus on cyber risks”. Cyber security was also one of 17 ‘red’ risks on the HSE’s Corporate Risk Register (CRR) approved by the HSE board in December. That edition of the register noted 26 risks (17 red and nine amber).
The HSE is not the only health system that has been targeted by hackers across the globe in recent years. Are health organisations particularly vulnerable to such attacks?
“In some ways, yes,” said Mr Corbridge.
“Health bodies find it harder to invest in cyber security at a simple patching and update level due to the nature of technology implemented into hospitals and health centres, [with] often expensive hardware that is required to exist longer term on specific older operating systems.
“Health is a target and again we come back to the knowledge and education that is needed in healthcare to protect from cyber attack.”
There is probably no good time for a nation’s health system to be the victim of a massive ransomware attack. However, everyone agrees that a year into a global pandemic is among the worst times imaginable. The negative impact on the working lives of healthcare teams in all areas of the health system was immediate and profound.
IT staff
However, it has not just been clinical staff and their patients who have faced disruption. This has also been a hectic time for IT teams working across the health system.
“I woke up to a phone call at six o’clock in the morning to say, ‘I think we are in trouble’.” That is how Prof Neil O’Hare, Group Chief Information Officer, Children’s Health Ireland, described the morning of 14 May. He was speaking at the online Future Health Summit on ‘Cybersecurity outcomes: Integration and IT challenges in healthcare’, which was held recently.
“I got into the car and was driving into the hospital and then a colleague in the
HSE phoned me and said, ‘It’s bad Neil, it’s really bad.’ And it was very bad.”
Prof O’Hare highlighted the toll the attack had taken on IT staff. He noted that one of the lessons of the attack was the “over-reliance” on “very scarce technical experts”.
“Our own teams got totally exhausted. By the middle of week two, especially in one hospital where they were working almost 24 hours a day, they [IT staff] were ‘gone’ [with fatigue], they were really suffering,” he told the summit.
He added that private industry and the HSE provided support, but the attack had proven the need for hospitals and the health system to “grow” internal teams of IT staff and experts.
“During Covid, there was a big focus on the frontline heroes, but I just also want to make the call out to my own team and all the IT teams across the country and operation teams, the people that are often forgotten about. They for me are huge heroes [during the cyber attack].”
In terms of other lessons to be learned, Prof O’Hare said that “we need a better view of data security”. He added there was much work to be done in the recovery process.
“We have to start looking at back-loading of data, and that became a real issue, because bear in mind we had gone totally manual,” he said.
“So every patient was registered manually; all their details were taken manually. Now we have to go back and put that information back in.” He described this as “slow, careful, methodical work that needs to be done”.
He noted that the use of Windows 7 in the health service had been criticised. However, Prof O’Hare stated “we have to use” Windows 7, as “many of our applications still need Windows 7″. He said that “we would like to get rid of it, but we can’t until certain other systems are upgraded or replaced”.
E-health agenda
With the health system’s IT staff focused on dealing with the fallout from the attacks, some have raised concerns that this may slow progress on the broader e-health agenda within the HSE.
Mr Corbridge said: “The attacks are a drain on finance and time… and health systems must be resourced properly to ensure that when it does happen, it is managed by experts in the field. Running the health system’s technology must continue at the same time.”
Thinking back to his old HSE position, he added: “I am certain that right now, and since the incident, every bit of focus of the entire Office of the CIO will have been on this issue.”
He said the cost of this focus — not just financially, but in terms of “missed opportunity” in delivering the e-health agenda — “must not be underestimated”.
Since May, there have been improvements, but the impact continues across the entire service
“Give the CIO the resource to support recovery; the resource then can and must be pointed at protection and preparation for the future.” Since May, there have been improvements, but the impact continues across the entire service. “As part of remediation following the cyber attack, we are working to strengthen our network against future cyber threats, increase the cyber profile of the HSE, and apply lessons from the present attack,” a HSE spokesperson said.
The spokesperson described this work as “ongoing”. They said an interim “multi-supplier security operations centre” is in the process of being agreed.
Ms Anne O’Connor, HSE Chief Operations Officer, told a press briefing on 8 July that the Executive was still dealing “with just reintroducing systems” but that “huge progress” had been made.
She noted that “our email is back”, as well as “remote connectivity”, while the HSE was “still working on getting the VPN back and our Internet access has been restored and that is stable”.
“So we have access to a lot more now. In terms of the actual systems, 80 per cent of our servers are decrypted, so 3,933, and that’s just five up from last week and we’ve 83 per cent of our end-user devices, so just over 69,000,” said Ms O’Connor.
“In terms of our systems, we’ve good progress made. So we now have 52 per cent [of] sites with functioning patient management systems and that’s an increase of six on the number reported last week.”
She said “we are making huge progress” but that there were still gaps “being worked through on a daily basis”.
Department of Health
The Department of Health was also a target of the May cyber attack. However, a spokesperson said the situation had “improved significantly”.
“Access to key ICT systems was fully restored within a short period, with limited issues accessing niche or legacy systems currently being resolved,” the Department spokesperson said.
“The incident and subsequent access issues created significant backlogs in a number of areas, which the Department is quickly working to clear.”
In terms of actions taken, the spokesperson said improved security measures have already been put in place within the Department’s IT systems.
“A complete security review of the Department’s infrastructure was undertaken. Specialised monitoring software has been installed to mitigate against malicious software and to provide early warning notifications of same,” said the spokesperson.
“The Department of Health continues to liaise closely with the National Cyber Security Centre, the Office of the Government Chief Information Officer, our security partner and with colleagues across the public service to ensure that best practice is followed as it relates to all aspects of cyber security.”
Asked whether the perpetrators of the attack had been in touch with the HSE in recent weeks, the HSE said this was a matter for An Garda Síochána.
“The Garda Síochána investigation into the ransomware attack on the HSE is ongoing,” the Garda press office stated. “The Garda National Cyber Crime Bureau, in conducting its investigation into this cyber crime, is continuing to work closely with the HSE and international law enforcement agencies.” ?
