You are reading 1 of 2 free-access articles allowed for 30 days
Acrippling cyberattack on the health service in the middle of a global pandemic is a nightmare scenario within a nightmare scenario. It is something that would have been almost impossible to imagine a couple of years ago. But it is, unfortunately, yet another dark twist in our ‘post-Covid’ world and all too real.
There are some broad parallels to draw between the cyberattack and Covid-19. Like pandemics, the seriousness and scale of cyberattacks are only grasped by many after one occurs. And like pandemics, experts have long warned about the likelihood of these incidents, both now and in the future. In 2017, the then Minister for Health Simon Harris was questioned about whether there was a strategy to protect the HSE from such events following the global WannaCry ransomware attack in May 2017. This attack targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
One of the largest agencies struck by the attack was the NHS in the UK. The HSE was also targeted, but was not as badly affected. Earlier that year, the Medical Independent reported of concerns expressed by the Master of the Rotunda Hospital, Dublin, Prof Fergal Malone, over the possibility of ransomware attacks. The “perils of malware software” were cited by Prof Malone in the context of the roll-out of a national electronic health record (EHR) for maternity services, according to hospital board meeting minutes.
And cyberattacks continued. On 13 November 2018, the laboratory information system (LIS) and associated IT infrastructure at the Midland Regional Hospital, Tullamore, suffered a Windows ransomware attack. Last August, we reported that the HSE or HSE-funded bodies had not been subject to any ransomware attacks during the Covid-19 pandemic at that point. Experts had warned that healthcare organisations globally were vulnerable to such attacks during the pandemic.
Asked what measures had been taken to ensure IT security with staff working from home, a spokesperson said the HSE used “best in class” products to provide access to systems for remote working.
“All laptops deployed to support remote working users are fully encrypted in accordance with all prevailing HSE security standards,” the spokesperson said at the time.
Following the WannaCry attack, the then HSE Chief Information Officer Mr Richard Corbridge told this newspaper the removal of Microsoft Windows XP from HSE computers and the recruitment of an IT organisation to focus on cyber security were among the possible actions the HSE were contemplating at the time.
Speaking on RTÉ radio after the recent attack, Mr Corbridge said IT upgrades in healthcare were often seen as a cost rather than an investment. In some cases, after the WannaCry attack, the proposed upgrades were deemed too expensive. Mr Corbridge pointed out that public IT systems, such as those used in healthcare, are targets for cyberattacks, due to under-investment in the area. This is not just an Irish, but an international, issue. He said the attack might been part of a wider probe of health systems across Europe and not specifically targeted against the HSE.
But investment in IT in healthcare in Ireland has fallen short. The slow roll-out of the EHR is just one example. Like pandemics, cyberattacks are difficult to prevent due to the increasingly inter-connected world we live in. Both for pandemics and cyberattacks, the first step to ensuring better protection in the future is a recognition of the likelihood of the threat, and that required funding is not just viewed as a cost.