The debilitating ransomware cyberattacks on the information technology systems within the HSE and Department of Health, while dramatic and shocking, are far from unexpected. Since the start of the pandemic, attacks on healthcare systems worldwide have ramped up significantly. There was never any reason to believe Ireland would escape this alarming trend.
The risks for the healthcare sector had grown so significantly by last October that the FBI and two US government agencies issued an unusual joint alert warning of an “increased and imminent cybercrime threat to US hospitals and healthcare providers”. The alert pinpointed data theft and disruption of services as the likely intent – the apparent goal of the Irish attacks as well.
A study by IBM X-Force released at the start of this year found that healthcare cyberattacks more than doubled in 2020. Ransomware attacks constituted over a quarter (28 per cent) of healthcare cyberattacks. Experts believe that healthcare attacks have probably increased because the pandemic has placed severe pressure on healthcare organisations.
Because health information is among the most private and sensitive data associated with individuals, it is a particularly rich trove to target in a cyberattack. Both healthcare providers and patients will be anxious about its exposure. And any system breach that can halt or slow the delivery of healthcare is a crippling blow – especially right now, in overburdened healthcare systems struggling to catch up on a backlog of patient treatment needs while simultaneously managing Covid patients and running national test, trace and vaccination efforts.
This breach emphasises the need to conduct a thorough security assessment across all State organisations
While the full scope of the attacks is not yet clear, it’s readily apparent just how damaging these system breaches can be. The HSE has acknowledged that its core patient management and radiology systems are incapacitated. Urgent radiation treatments have been postponed. Maternity and other appointments have been cancelled and must be rescheduled. Even if the HSE and the Department of Health can reassemble records and restore system data from backups, they the further threat that the attackers will leak data publicly or on to the dark web’s data markets.
With so many aspects of healthcare managed digitally, organisations face significant challenges to prevent or limit the damage from cyberattacks. But the State faces many urgent questions now regarding its current prevention and mitigation strategies. For many years, Irish security experts have expressed concerns about Ireland’s level of preparedness against cyberattacks of all types. This breach emphasises the need to conduct a thorough security assessment across all State organisations, and make any needed investments in security systems and training.