HSE knew the cyberattack risks but couldn’t get ahead of the hackers | #emailsecurity

The worst fears of the Health Service Executive’s technology chiefs occurred in the early hours of Friday last week when it first began to emerge that the organisation was under attack from cyber criminals.

Parts of the organisation’s information technology systems had been identified as vulnerable at least three years ago and technicians had been working to improve security with a detailed plan of action.

However, the Covid-19 pandemic diverted resources away from those efforts last year, while many of the measures that had been planned were due to be completed later this year.

So, arguably, some actions being taken by the HSE would have come too late to reduce the risk of the kind of assault that was unleashed on its systems – if indeed they could have helped at all.

The HSE has not been able to say if weaknesses identified in internal audits, flagged in 2018 by its own IT teams, were a factor in last week’s cyber attacks. But the issues found by the audits relating to “security controls” and “disaster recovery protocols” did spark efforts to improve the HSE’s cyber security.

Ossian Smyth: “It’s like someone burgles the house and your stuff is delivered back in a skip.” Photograph: Tom Honan

Known risk

The HSE’s Corporate Risk Register (CRR) lists cyber security and an update from late last year outlines exactly the kinds of impacts a successful attack would cause. It says: “There is a risk to the HSE effectively protecting the confidentiality, availability and integrity of HSE data including patient data against cyber threats”.

It adds that this would impact “directly on patient care and safety and staff as a result of the inability to deliver ICT and specialised medical device dependent services”. This is what has happened over the last eight days.

The risk register shows that considerable work was planned to improve the security of the HSE’s networks, with 13 major actions, 33 measures within them due to be implemented or initiated either towards the end of last year or across 2021.

The HSE had also decided that the migration of legacy, ageing databases to “the cloud” should happen over this year, and next.

Some measures, like developing a cloud computing framework, and some infrastructure upgrades aimed at addressing security and cyber concerns have been completed.

Original Source link

Leave a Reply

Your email address will not be published.

− 5 = three