HSE cyber-attack: Irish health service still recovering months after hack

The first time Donna-Marie Cullen heard about a massive cyber-attack on Ireland's health system, it was on the morning news.

The 36-year-old mother of two was waiting for her radiation treatment that afternoon for sarcoma, a rare and aggressive form of brain cancer.

"I thought this is an awful situation for the HSE [the Irish health system] to be in," she says.

"After that, I got a call at lunchtime and was told that my radiation wouldn't be going ahead because of the cyber-attack.

"I didn't realise the severity, how invasive and how horrific this attack was."

On 14 May, when the attack occurred, Ms Cullen was nearing the final stages of her treatment, having been diagnosed in September 2020.

"For the space of time when my radiation was paused, there was huge worry," she recalls.

Ransomware attacks involve a criminal group using a form of malware to gain entry to a system, encrypting important data and then demanding a payment in return for decrypting it.

The attack in May was unprecedented in the history of the Irish state, affecting almost every part of its healthcare system, already worn down by more than a year of fighting Covid-19.

Scrambling to deal with the situation, staff reverted to a paper system and the number of appointments in some areas dropped by 80% in the days after the attack.

For Ms Cullen, her radiation treatment looked set to be postponed as staff were not able to enter the correct coordinates used with the machine for her treatment.

She says it was only because St Luke's Radiation Oncology Centre at Dublin's St James' Hospital had been able to separate its machinery from the wider system, and consultants had spent the entire weekend rewriting coordinates, that it was able to resume without a major delay.

But that period caused great worry for Ms Cullen.

"I knew the severity of sarcoma, I knew how fast sarcoma can grow," she says.

"They don't do stages of sarcoma. You either have sarcoma, or it has spread, and if it has spread it is terminal.

"So for me it was the worry. If there was even a minute chance of a crumb of this cancer left in my head, that it would just start to multiply and my radiation plan would need to be completely revised."

Ms Cullen finished her cancer treatment in May.

Although it has been almost four months since the attack, the Health Service Executive (HSE), Ireland's healthcare service, is still feeling the direct and indirect effects.

A section of its website remains, external devoted to giving updates on services across the country.

It notes that emergency departments remain very busy because of the hack, many x-ray appointments remain cancelled and staff still do not have access to their own emails.

The HSE says that more than 95% of all servers and devices have been restored.

"Acute services are almost fully restored, along with community and corporate, with the remaining pieces to be finalised," it adds.

Dr Cormac Doherty, the cybersecurity programme manager at the Centre for Cybersecurity and Cybercrime Investigation at University College Dublin, worked as part of the state's response to the attack.

He says the Russian-based Conti ransomware group, which reportedly asked the health service for $20m (£14m) to restore services, was behind the hack.

Mr Doherty says it chose to target a large organisation because of its ability to pay a ransom.

"They look for organisations who are vulnerable and don't look after their information security," he tells BBC News NI.

"If they [governments and organisations] are perceived to have the means to pay, you can expect them to be targets in the future."

According to Mr Doherty, cyber extortion has a long history and in the past few years ransomware attacks have become more common.

This year the Conti ransomware group has targeted the Scottish Environment Protection Agency, and at about the same time that it attacked the Irish health system it also encrypted a district health board in New Zealand, external.

The attack on the HSE came to an abrupt end after about a week of chaos when the hackers handed over an encryption key reportedly for free.

Mr Doherty says that like any legitimate business, the group responsible for the hack would have concerns about reputational damage and how it would affect its ability to operate in the future.

"There is an entire economy, dark economy, that exists in parallel and along with it ransomware operators.

"[Potential partners] could easily turn around to them and say: 'I can't believe you encrypted a children's hospital, I'm not doing business with you'," he says.

Of the areas recovering from the cyber-attack, radiology is among the worst affected, in part due to its reliance on computers.

Dr Peter Kavanagh, dean of the Faculty of Radiologists and Clinical Radiologists at Connolly Hospital in Dublin, says it was hit with a "double whammy".

"There was the effect of Covid on radiology service provision, in addition to the cyber attack which made many of the issues worse," he says.

When the attack first hit, radiologists sat next to the scanners they were using and took down notes by hand.

While services have returned to about 90% capacity, issues persist.

"It [services] happens in a slower fashion. Each of the elements involved in generating these images are subject to crashes and outages, which happen sporadically," Dr Kavanagh says.

"Which means that patient throughput is slower than usual."

The provision of on-call services has been "particularly hazardous".

He says an on-call radiologist, looking at something which could be a clinical emergency, would ordinarily be able to view a scan in their own home.

However, while that technology has been restored for many, some radiologists are having to go through the process of driving into hospital numerous times over the course of a weekend to provide on-call cover.

Dr Kavanagh says while solutions such as outsourcing patients to the private sector could provide some relief, the fundamental, wider issue of understaffing in radiology remains.

Ms Cullen says that throughout her treatment, she had tried to be as open as possible with her 12-year-old son and had always remained "extremely positive".

"When the cyber-attack hit and we had no idea when we were going to get our treatment back, it was probably the first time I saw fear in him, wondering if this was going to grow back faster than the radiation is going to happen?"

She believes similar attacks could happen again.

"I don't think organisations take into consideration how easy it is to hack into a system," she says.

"For me [the cyber-attack] was the lowest form of criminality, it was just a disgusting thing to do and I have yet to see a more disgusting thing be done."

The HSE says most of its priority systems are back online on local sites, including radiology and diagnostic systems; maternity and infant care; patient administration systems; chemotherapy; radiation oncology; radiotherapy and laboratories.

It adds that over the past three years it has spent €300m (£257m) on capital infrastructure, with €82m (£70m) specifically focused on "protecting the core network from cyber entry".

An Garda Síochána (Irish police force) says it continues to investigate the criminal ransomware attack with the assistance of Europol and Interpol.

It says it is also working with the cyber security industry, academia and other law enforcement experts, including the FBI, Canadian Police, the UK's National Crime Agency and the United States Secret Service.

Ireland's Department of Health, which was targeted in a similar attack a day before the HSE attack, says the situation has "improved significantly since the attack first occurred".

"Access to key ICT systems was fully restored within a short period, with limited issues accessing niche or legacy systems currently being resolved," it says.

A spokesperson for the Department of the Environment, Climate and Communications, which is responsible for the National Cyber Security Centre, said: "No ransom was paid either by or on behalf of the Irish government.

"The only contact with the group which claimed responsibility for this attack was to serve them with the High Court order obtained by the HSE against the release of stolen personal data.

"There has been no other direct or indirect contact with these cyber criminals."