Ransom demanded by cybercriminals in HSE attack

A ransom was demanded following cyber attack on Health Service Executive (HSE) computer systems but it will not be paid.

A HSE spokesman confirmed a ransom had been demanded and said it would not be paid in line with state policy.

The ransom demand was made in bitcoin.

Health service IT systems could take days to return to normal after being shutdown following what a Government Minister described as “possibly the most significant cybercrime attack on the Irish State” ever.

Meanwhile, chief medical officer Dr Tony Holohan said the ransomware attack on the HSE will impede the ability of the health service to organise effective testing and to measure the total number of cases.

However, the incident should not distract people from the basic public health messages that protect against infection. Patients with symptoms should self-isolate and attend one of the HSE’s self-testing centres, he said.

“We haven’t switched off testing and there no reason to think the public will deviate from their behaviour,” Dr Holohan said.

The HSE said the main attack began at around 4.30am on Friday and that IT staff switched off systems as a “precaution” in order to protect data and give time to “fully assess the situation with our own security partners”. It said the incident was carried out by international criminals seeking to extort money, though no demand has yet been made.

The attack was a “zero day threat” which meant there was no previous experience of how to respond, said Anne O’Connor, HSE chief operations officer.

The intention is to restart individual elements of the HSE’s IT system once they have been risk assessed and cleared, but the process is likely to continue into the weekend and possibly beyond.

Many hospital clinics and services were continuing today but others have been cancelled or disrupted due to the shutdown. Paper work was being done manually rather than electronically, which could cause delays for patients.

Minister for Health Stephen Donnelly said the attack has had “a severe impact” on health and social care services. However, people with appointments booked for today are advised to attend unless they hear otherwise.

“If this continues into Monday we will be in a very serious situation and we will have to cancel more appointments,” Ms O’Connor told RTÉ’s News at One.

Denial of service

There were “two or three” distributed denial of service (DDOS) attacks on parts of the HSE system on Thursday, which were regarded as routine at the time. However, there is now speculation that they were forerunners for the bigger attack, and that those behind this were “knocking on the door”.

For example, the email system in Beaumont Hospital went down yesterday and the IT department had to individually reset the passwords for users.

HSE chief executive Paul Reid said officials were working with the Garda, the Defence Forces and third party cyber security experts to respond to the attack.

An Garda Síochána said the HSE was the lead agency in dealing with the attack but it was liasing with the health body and the National Cyber Security Centre.

Minister of State for Communications Ossian Smyth TD told RTÉ radio’s News at One that he had been briefed by the National Cyber Security Centre on the attack but for operational reasons could not share everything he knew.

He said it appeared to have been an attempt to lock the HSE out of its own systems in order to steal data and then try to extract a ransom.

The attack was “possibly the most significant cybercrime attack on the Irish State,” he said, adding that there was also an attempted attack on the Department of Health last night.

“There is a constant bombardment on systems. This is just one that got through.”

Vaccination portal

The system for Covid-19 vaccinations has not been affected and such appointments are going ahead as planned, though the registration portal has been shut down.

In addition, because GPs are affected, they cannot refer patients for Covid-19 testing. People with symptoms are therefore being told to go to one of the walk-in testing centres currently open. People awaiting test results may face a delay in receiving them.

“We are asking the public to bear with us while we implement a new process to provide results with an initial focus on detected results,” the HSE said.

“It is critical that anyone who is awaiting a Covid- 19 test result, self isolates until they receive their test result. This is an important change from the usual restricting movements advice.”

Contact tracing had been moved to two centres as there were telephony problems in the west of the country, Ms O’Connor said.

The National Ambulance Service is operating as normal, but a system for radiological imaging, called Pacs, has been impacted by the attack. It is used by many of the State’s hospitals.

Tusla said its internal systems, email and portal through which child protection referrals are made is not operating. The child and family agency said this was for “security reasons” as they are hosted on the HSE’s IT network.

A consultant at Cork University Hospital told of the distress being experienced by cancer patients who are awaiting test results but their files are not available as a result of the incident.

Prof Seamus O’Reilly, consultant oncologist at CUH, told RTÉ radio’s Morning Ireland that there were some patient test results outstanding and laboratory data that needed to be available.

“We’ve just found out how utterly reliant we are” on IT systems which highlighted the need for secure firewalls, he said.

Maternity services

There is disruption to services at the National Maternity Hospital (NMH) and the Rotunda Maternity Hospital in Dublin. The NMH said there will be significant disruption but those who have an appointment or need to come to the hospital should come as normal.

Most appointments at the Rotunda Maternity Hospital in Dublin on Friday have been cancelled due to the incident. The only exception is for patients who are 36 weeks pregnant or later or if it is an emergency.

The Master of the Rotunda Maternity Hospital Prof Fergal Malone said it was fortunate that the cyber attack happened before the weekend when outpatient services were not scheduled, “but babies are born on weekends too”.

The attack comes almost four years to the day after a similar incident seriously impacted the NHS in Britain.

While the WannaCry virus attacked the NHS systems, it affected more than 200,000 computers in at least 100 countries. Data on infected computers was encrypted and users faced a ransom demand to unlock the devices.

A total of 80 of 236 NHS trusts across England suffered disruption because they were either infected by the ransomware or had turned off their devices or systems as a precaution. The ransomware infected another 603 NHS organisations including 595 GP practices.

The UK health service was forced to cancel almost 20,000 hospital appointments and operations as a result and five A&E departments had to divert patients to other units. That attack took four days to get under control.