HSE Cyber Attack – the fallout hasn’t even started!

Typically, they seek a ransom in bitcoins to release the data. If the ransom is not paid, and sometimes even before it’s been asked for, they release some of the data onto the dark web, to show their credentials. The Irish Government has insisted that no ransom will be paid.

On 20 May the HSE announced that they had received what purported to be a “decryption key” from the gang, which would enable them to unlock the data. Again, this is not unusual in ransomware attacks, as the data they want has already been taken. This is now being tested to see if it is authentic, or likely to cause more damage.

The immediate impact of the attack has indeed been catastrophic for an already embattled health service. The HSE has shut down all its systems, and hospitals are having to revert to pen and paper to deal with patients and cannot access any patient records. X-rays can no longer be whisked electronically from the radiographer to the attending physician’s desktop. Instead the physician must attend the lab to review it on the x-ray machine. A system already criticised for delays, is taking even longer, putting lives at risk. In fact, the current joke doing the rounds, is that the gang will have to go on a two year waiting list before the HSE can get back to them.

While those knock-on effects of the attack will hopefully improve over the short term as the IT systems are brought back online, the long term consequences for the HSE and other State institutions may be very uncomfortable. Firstly, questions are going to be asked about the HSE’s IT security. A Report in the “Irish Times” newspaper on 20 May suggested that they were advised three years ago of deficiencies in their systems and may have failed to act on that advice. Under the General Data Protection Regulation (GDPR) organisations that hold or process personal data are obliged to have in place 'appropriate technical and organisational measures' to ensure a level of security appropriate to the risk. What those measure are, will depend on a number of factors such as the state of the art (in terms of available security tools), the costs of implementation, and the likelihood and severity of the risk to the rights and freedoms of individuals.

Ireland’s Data Protection Commission (DPC) have of course been informed, given the nature of this attack and the amount of personal data involved. But will the DPC, when this is over, be tempted to investigate other State institutions holding large amounts of personal data, to see if their security meets the GDPR’s requirements? It would seem at least that some organs of the State are in a healthy position. According to Ireland’s National Cyber Security Centre, similar malicious cyber activity was also detected on the Department of Health’s network on 14 May. However due to a combination of anti-virus software and the deployment of tools during the investigation process, an attempt to execute ransomware was detected and stopped.

The GDPR introduced fines of up to €20 million or 4% of group turnover for data breaches. The HSE must be thanking its lucky stars that when Ireland implemented the GDPR under the Data Protection Act 2018, it placed a limit of €1 million on fines that could be imposed on State institutions. But that may be the least of its troubles. Article 79 of the GDPR provides a right for people to sue if their personal data rights have been infringed as a result of a data breach, and Article 82 gives them a right to seek compensation. It is already being widely reported that some of the personal data stolen by the cyber-gang (or gangs, this data may have already been sold on) has been published on the dark web. As a result, the HSE could potentially face millions of claims from those affected - or a collective action. The GDPR allows for non-profit organisations, set up for this purpose, to represent those affected. Watch this space for the return of Max Schrems, who has set up such an organisation (NOYB, an acronym for ‘None of your Business’!) to the Irish courts!

What lessons can we learn and what (more) should organisations be doing?

Well firstly ransomware attacks will not be disappearing anytime soon. In fact, various estimates suggest ransoms of up to €1 billion in total may have been paid globally in the last year. This was by organisations who either didn’t have the capacity to fix the damage inflicted or didn’t want anyone to find out about it. Companies should be ensuring that their security software continues to meet the standard required by the GDPR and that they apply all patches and updates to protect against current threats; continue to educate your staff about the importance of cyber security and the dangers of phishing emails and the like; have your response procedures in place in case the worst happens. And finally - check that your insurance provides adequate cover.