News

HSE cyberattack: Process for unlocking network remains ‘fraught with risk’

HSE cyberattack: Process for unlocking network remains ‘fraught with risk’
Share this article

By James Ward, PA

The process for unlocking the HSE network following the cyber attack remains “fraught with risk”, chief executive Paul Reid has said.

The fallout from the ransomware attack by an organised criminal gang will continue for some weeks to come, he warned.

A decryption key given to Government by the group responsible for the attack is being tested this weekend.

Advertisement

Mr Reid welcomed the news, but said it would not by a silver bullet for the crisis facing the health service.

Advertisement

On Saturday, he tweeted: “Access to the unlocking codes to our network is welcome.

“But it isn’t a ‘switch back on’ process & still fraught with risk. We’ll continue to rebuild services & systems safely whilst evaluating the impact of these codes. The impact remains for the coming weeks for now.”

On Friday, Taoiseach Micheál Martin said the Government did not pay a ransom or use diplomatic channels to obtain the decryption key.

The key was made available on Thursday evening almost a week after the IT system was attacked.

It was given to the Government by the organised crime group behind the cyberattack, believed to be a gang calling itself Wizard Spider, but their reasons for doing so remain unclear.

Taoiseach Micheál Martin said: “No payment was made in relation to it at all. The security personnel don’t know the exact reason why the key was offered back.

“In terms of the operation of getting our services back and getting data systems back, it can help. But in itself, the process will still be slow.

“Certainly the decryption key, getting that is good, but in itself it doesn’t really take away from the enormous work that still lies ahead in terms of rebuilding the systems overall.”

He indicated the rebuilding process will be weeks rather than months.

Stolen data

Meanwhile, gardaí are concerned a protracted wave of scam attacks could follow if data stolen in an attack on the HSE is published or sold on to other criminals.

Sources told The Irish Times that fraud and extortion attempts could follow over a period of years.

Thousands of hospital appointments have been cancelled nationwide due to the attack, while there are concerns that sensitive patient data could be dumped and sold online.

Dr Sean McSweeney, the head of department in computer science at Cork Institute of Technology, said it wasn’t “exceptionally unusual” that the hackers had provided the key.

Speaking to Newstalk Breakfast on Saturday, he said: “Typically with the threat actor, in this case it’s Wizard Spider as probably everyone is aware of at this point in time, it’s not unprecedented for the threat actor to hand over decryption software.

“My understanding is the tool was verified yesterday to be genuine, however, there are concerns within the National Cyber Security Centre and their contractors that there are back doors to this tool.

“Additionally, they have been offered a piece of software by a company known as Emsisoft that will extract the decryption key from the tool that Wizard Spider have offered them, and this is a much safer, more efficient approach to decrypting these scrambled files.”

He shared the concerns of the Taoiseach and Mr Reid that the process for getting systems up and running again will be painstakingly slow.

“We should be under no illusions, this will take several weeks to have a full recovery of the system” he said.

The ransomware attack resulted in the HSE having to close down all its IT services, causing widespread delays and the cancellation of appointments at hospitals across the country.

The number of appointments in some areas of the system has dropped by 80 per cent as health workers grapple with paper records while work continues to recover IT systems.

The NCSC and the Garda National Cyber Crime Bureau are carrying out an international investigation into the attack.

Share this article
Advertisement