HSE cyber attack cost taxpayers at least €101 million, state’s spending watchdog reveals
The cyber attack on the HSE has cost the taxpayer at least €101m, while upwards of €657m will be spent on upgrading the HSE’s IT systems to safeguard against repeat attacks.
However, according to a report on the accounts of the public service, published today, “the full cost of the attack on the HSE has not been quantified”.
The report states that following the ransomware attack in May 2021, €17m was spent on professional services including cyber security, €14m was allocated for HSE hospitals’ cyber costs, €13m was spent on replacing IT devices and €7 million went towards other costs such as Office 365 packages and cloud-based systems – amounting to €51m in total.
“In addition, revenue costs incurred of around €4.4m, mainly relating to Microsoft Office 365, have been expensed in 2022. The HSE has stated that it will incur other mitigating costs in 2022,” the report states.
“The full cost of the attack on the HSE has not been quantified. Costs incurred by the voluntary agencies are not included in any of the figures. Staff time incurred in addressing the technical aspects of the cyber attack and the additional time required to resume normal services have not been costed by the HSE.
“The HSE was also unable to provide the staff costs associated with the maintenance of hard copy records while systems were down, and for the subsequent updating of electronic records once system access was restored.”
The HSE also incurred legal costs of €2.6 million since the cyber attack, including a high court order to prevent the sharing of data without consent.
“In addition to the costs incurred in 2021, the HSE has secured an increase in its recurrent funding from 2022 of €43 million for ICT expenditure of which €38 million is for immediate and shorter term actions to enable it to increase its capability to deal with future threats,” the report states.
“The HSE has prepared an initial plan to implement PwC’s post-incident review recommendations and to cost the associated actions required. The HSE stated that initial estimates are that this will require almost €657 million over seven years for implementation of cyber security improvements.”
When the costs incurred in 2021 are added to the additional funding for this year, the total comes to €101m.
The attack by the Russia-based Conti criminal organisation caused unprecedented and widespread disruption across the health service.
The bait that would bring the Irish health service to its knees was secretly laid by an unscrupulous Russian criminal just before St Patrick’s Day.
When a health worker returned to their desk and logged in to their computer after the national holiday, they unwittingly opened an email addressed to them.
A malicious Microsoft Excel file was attached to the phishing email sent to the user two days previously.
The simple and unsophisticated hack on March 18 allowed the criminal from the Conti gang to inject a malware infection and roam through the HSE IT system for another eight weeks, looking at files and planting more malware.
They were primed to strike on May 14, hijacking the HSE computer system and holding hostage the health of patients as hospital technologies were paralysed – forcing the mass-cancellation of procedures, including cancer treatments such as radiotherapy.
An earlier report published by the HSE in December, found that opportunities to detect the breach and prevent the detonation of the ransomware were missed.
It showed how the HSE was easy prey for the criminals with a “frail IT system which had evolved rather than being designed for resilience and security”.
The crooks were able to compromise and abuse a significant number of accounts with high levels of privileges.
The computer used by the person who opened the email allowing the criminal to get their initial foothold had not had antivirus signatures updated for over a year.
An unnamed hospital and the Department of Health proactively prevented an attack on their networks, however.
The alerts came from two hospitals while the HSE’s antivirus security operator emailed the HSE highlighting unhandled threat events the day before the attack.
The HSE system was aimed at making it easy for staff to access IT applications. But it exposed the HSE to the risk of cyber attacks from other organisations.
The report found that based on the forensic examination of the attacker’s activity they used “relatively well-known techniques and software to execute their attack”.
The HSE has a very low level of “cyber-security maturity”. The IT environment did not have many of the cyber-security controls that are most effective at detecting and preventing human-operated ransomware attacks. The HSE had not done contingency planning for an attack or a complete loss of infrastructure.
The hackers eventually released the decryption key on May 20 and no ransom was paid.
It is unclear how much data would have been unrecoverable if the key had not become available because the HSE’s backup infrastructure was only periodically backed up to offline tape, said the report.
However, it is unknown what personal data the hackers might still have.
Minutes of an HSE board meeting in April suggest the HSE is expecting a rash of claims.
The minutes state the HSE has been liaising with the State Claims Agency “with a view to considering the merits of establishing a scheme through which claims against the HSE relating to the cyber attack can be managed”.
The board also discussed the risk of the data being used in the future, the minutes stated, but “it was noted that the worldwide injunction was secured and that Garda advice suggests that, as time progresses, the risk of the data being used decreases”.
HSE directors were updated again in June, according to minutes of a meeting. They were told the Attorney General has been contacted about the matter.