It appears likely that the attack may have emanated from a phishing campaign exploiting the current stresses on healthcare workers and the Coving remote working structures in place across circa 80,000 HSE devices. Emergency departments and urgent care centers remain operational as do many hospital services, however delays are accumulating.
In addition to patient files, the data stolen also includes HSE internal files, reportedly including on equipment purchase and minutes of meetings. Contractors to the HSE may be impacted and their commercial arrangements potentially at risk of disclosure. So far, the Financial Times has claimed it has seen screenshots of 27 HSE files released on the dark web in recent days. The media attention has, to date, been on the human side (the 27 files disclosed so far include 12 patient files) more so than on the potential for commercial disclosures. The issue is an evolving one as the hackers seek to pressure the Irish governments non-payment of ransom position. They are now believed to have issued a deadline of May 24 for payment of the ransom.
The HSE have included the following information for suppliers in their overall health service disruption notice (available here):
“Information for HSE suppliers and contractors
The HSE is experiencing difficulty with the communication of Purchase Orders to all Suppliers and Contractors due to the recent cyber attack on HSE systems. An interim approach to support the processing of Purchase Orders is presently underway and updates in this regard will be posted here as available. The continued understanding and support of all Suppliers and Contractors is greatly appreciated during these unprecedented times.”
The National Cyber Security Centre, which is currently involved in the investigation and management of the incident, has issued an alert stating it is monitoring other networks to address the risk of further attacks (available here). It also advises a useful short and snappy set of measures to be taken in the event of an attack on page 3.