The cyber attack on the HSE has cost taxpayers at least €101 million, while more than €657 million will be spent upgrading HSE’s IT systems to protect against repeat attacks.
But according to a report released today on Public Service Accounts, “the full cost of the attack on the HSE has not been quantified”.
The report states that after the ransomware attack in May 2021, €17 million was spent on professional services including cybersecurity, €14 million on HSE hospitals’ cyber costs, €13 million on IT equipment replacement and €7 million on other costs such as Office 365 packages and cloud-based systems. All this amounted to €51 million.
“In addition, costs of around €4.4 million, incurred in 2022 and mainly related to Microsoft Office 365, were expensed.
“The full cost of the attack on the HSE has not been quantified. Costs incurred by the voluntary organizations are not included in any of the figures. Personnel time spent dealing with the technical aspects of the cyber attack and the additional time required to resume normal services were not charged by the HSE.
“The HSE was also unable to meet the personnel costs of maintaining paper records during the system outage and then updating electronic records once system access was restored.”
Since the cyberattack, the HSE has also incurred legal costs of €2.6 million, including a Supreme Court order to prevent data being shared without consent.
“In addition to the costs incurred in 2021, the HSE has secured an increase in its recurring funding from 2022 of €43m for ICT expenditure, of which €38m is earmarked for immediate and shorter-term actions to enable it to increase its ability to deal with future threats,” says the report.
“The HSE has prepared an initial plan to implement PwC’s recommendations for the post-incident review and costing of related actions required. The HSE indicated that, according to initial estimates, nearly €657 million will be required over seven years to implement cybersecurity improvements.”
Adding the costs incurred in 2021 to the additional funding for this year gives a total of €101 million.
The attack by Russia-based criminal organization Conti caused unprecedented and widespread disruption across healthcare.
The bait that would bring Ireland’s health service to its knees was secretly laid by a Russian criminal just before St Patrick’s Day.
When a healthcare worker returned to his desk after the national holiday and logged on to his computer, he unknowingly opened an email addressed to him.
A malicious Microsoft Excel file was attached to the phishing email sent to the user two days earlier.
The simple hack on March 18th allowed the criminals of the Conti gang to plant a malware infection and roam the HSE IT system for a further eight weeks, viewing files and planting more malware.
They were prepared to strike on May 14, hijacking the HSE computer system and holding patients’ health information hostage while hospital technologies were shut down – forcing the mass cancellation of procedures, including cancer treatments such as radiation therapy.
A previous report released by the HSE last December found that opportunities were missed to expose the breach and prevent the ransomware from detonating.
It showed how the HSE, with a “vulnerable IT system that had evolved rather than been designed for resilience and security”, was easy prey for the criminals.
The hackers were able to compromise and abuse a significant number of high-privilege accounts.
The computer used by the person who opened the email that allowed the criminal to gain a foothold had not had updated antivirus signatures in over a year.
However, an unnamed hospital and the Ministry of Health proactively prevented an attack on their networks.
The alerts came from two hospitals, while the HSE’s antivirus security operator emailed the HSE the day before the attack, highlighting unhandled threat events.
The HSE system was designed to make it easy for employees to access IT applications. But it exposed the HSE to the risk of cyberattacks by other organizations.
The report noted that based on the forensic examination of the attacker’s activities, they used “relatively known techniques and software to execute their attack.”
The IT environment lacked many of the cybersecurity controls that are most effective in detecting and preventing human-operated ransomware attacks. The HSE had not conducted contingency planning for an attack or for a complete loss of infrastructure.
The hackers finally released the decryption key on May 20th and no ransom was paid.
It is unclear how much data would have been unrecoverable had the key not become available, as the HSE only backed up its systems periodically, the report said.
However, it is not known what personal data the hackers might still have.
Minutes from an HSE Board meeting in April suggest the HSE is anticipating an onslaught of claims.
The minutes state that the HSE has been in contact with the State Claims Agency “to review the merits of establishing a system through which claims against the HSE relating to the cyber attack can be managed.”
The panel also discussed the risk of future use of the data.
The minutes state that “the Garda Council indicates that the risk of using the data decreases over time”.
Source: HSE cyberattack cost taxpayers at least €101 million, with a further €657 million to be spent safeguarding against repeat attacks – https://www.independent.ie/irish-news/hse-cyber-attack-cost-taxpayers-at-least-101m-with-a-further-657m-to-be-spent-safeguarding-against-repeat-attacks-42030121.html