The HSE’s IT systems and cybersecurity preparedness “need major transformation”, according to the HSE board Chair Mr Ciarán Devane.
Mr Devane was speaking upon the publication today of a HSE-commissioned independent review into the cyberattack in May. The review found there was a lack of structures and processes in place to deal with the incident. Mr Devane commented that there were important lessons in the review for the HSE and other public and private sector organisations in Ireland and internationally.
The review was commissioned by the HSE board in conjunction with the CEO and the executive management team. It was prepared by PwC.
It makes a detailed series of findings in relation to the circumstances leading up to the attack and the attack itself, including the level of preparedness for and the quality of the response to the incident. According to the HSE, it has already made urgent changes to protect the organisation against a similar future attack. It has embarked on implementing recommendations in the report and has begun “engagements with the Department of Health with a view to agreeing a multi-year ICT and cybersecurity transformation programme”.
Mr Devane said: “We commissioned this urgent review following the criminal attack on our IT systems which caused enormous disruption to health and social services in Ireland, and whose impact is still being felt every day. It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond.”
The review found that there was a lack of structures and processes in place to deal with the incident. However, the HSE was in a position to draw from prior learnings and processes used in dealing with crisis situations, such as during the Covid pandemic, to help manage the situation.
According to Mr Devane: “The HSE has accepted the report’s findings and recommendations, and it contains many learnings for us and potentially other organisations. We are in the process of putting in place appropriate and sustainable structures and enhanced security measures.”
The CEO of the HSE Mr Paul Reid said: “We were anxious to commission this report so that we had an independent, thorough and transparent assessment of how this cyber-attack happened and to set out the strategic and tactical actions needed. The report sets this out in quite a lot of detail. We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area.”
The HSE has implemented “a number of high-level security solutions” to address issues raised in the report. These include a range of new cyber-security controls, monitoring and threat intelligence measures based on best international expert advice.
On 14 May 2021, the HSE was subjected to a serious criminal cyberattack, through the infiltration of IT systems using Conti ransomware. With over 80 per cent of IT infrastructure impacted and the loss of key patient information and diagnostics, this resulted in severe impacts on the health service and the provision of care. The HSE employed the assistance of An Garda Síochána, the National Cyber Security Centre, Interpol and the Irish Defence Forces.
Key recommendations include appointment of a Chief Technology and Transformation Officer; development of a significant investment plan; appointment of a Chief Information Security Officer and resourcing of a skilled cyber function; and development of a cyber-security transformation programme.
Further information is available at the links below.
Executive Summary – https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-executive-summary.pdf
Full Report – https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf