Conti Cyber Attack On The HSE

Transcription

Conti cyberattack on the HSE

Independent Post Incident Review

Commissioned by the HSE Board in conjunction with the CEO and Executive Management Team

03 December 2021

Redacted

Important Notice

This document has been prepared only for the Health Services Executive (“HSE”) and solely for the purpose and on the terms agreed with the HSE in our engagement letter dated 21 June 2021, as amended on 6 August 2021. We accept no liability (including for negligence) to anyone else in connection with this document.

The scope of our work was limited to a review of documentary evidence made available to us and interviews with selected HSE personnel, CHOs, hospitals and third parties relevant to the review. We have taken reasonable steps to check the accuracy of information provided to us but we have not independently verified all of the information provided to us relating to the services.

A significant volume of documentation was provided to us throughout the course of the review. We have limited our review to those documents that we consider relevant to our Terms of Reference. We cannot guarantee that we have had sight of all relevant documentation or information that may be in existence and therefore cannot comment on the completeness of the documentation or information made available to us. Any documentation or information brought to our attention subsequent to the date of this report may require us to adjust our report accordingly.

PwC Independent Post Incident Review 2021
2021 PwC. All rights reserved.

Contents

Executive summary
1 Learnings
2 Introduction and background
2.1 Overview of the ransomware cyber attack
2.2 Background to this post incident review
2.3 Scope of our review
2.4 Our review approach
2.5 Structure of our report
3 Timeline of the Incident
4 Key recommendations and findings
4.1 Strategic actions
4.2 Immediate tactical actions
5 Focus areas - key findings and recommendation
5.1 Focus area 1 - review of technical investigation and response
5.2 Focus area 2 - review of organisation wide preparedness and strategic response
5.3 Focus area 3 - preparedness of the HSE to manage cyber risks

Appendices

A. Scope of work
B. List of interviews
C. Key artefacts
D. List of key recommendations
E. Focus area 1 - detailed technical timeline
F. Focus Area 2 - detailed organisational timeline
G. Focus area and key recommendation mapping
H. HSE Risk assessment tool
I. Glossary and terms

The Board,
HSE,
Dr Steevens’ Hospital,
Dublin 8, Ireland

03 December 2021

Subject: Post Incident Review into the Ransomware Cyber Attack

Dear Chair,

The Board of the Health Service Executive (“HSE”) in conjunction with the Chief Executive Officer (“CEO”) and the Executive Management Team (“EMT”) have requested an independent review into the recent ransomware cyber attack (the “Incident”) and the circumstances surrounding this exfiltration of data from the HSE’s Information Technology (“IT”) systems. The purpose of the review is to:

- Urgently establish the facts in relation to the current preparedness of the HSE in terms of both its technical preparedness (Information and Communications Technology (“ICT”) systems, cyber and information protections) and its operational preparedness (including Business Continuity Management planning) for a strategic risk of this nature.
- Identify the learnings from this Incident to identify improvements to the HSE’s preparedness for and response to other major risks including immediate risks and incidents that cause major business disruption.
- Share those learnings within the HSE and externally with State and non-State organisations to inform their future preparedness.

Save as described in our contract or as expressly agreed by us in writing, we accept no liability (including for negligence) to anyone else or for any other purpose in connection with this report.

The subject matter and volume of information we reviewed as part of this process has been complex and significant in nature.
Similarly, the timeline against which the review has been conducted has been challenging and has only been achieved with the cooperation of the many stakeholders involved, for which we are appreciative.

Yours opers, One Spencer Dock, North Wall Quay, Dublin 1 Ireland T: 353 (0) 1 792 6000, F: 353 (0) 1 792 6200, www.pwc.ie

Feargal O’Rourke (Managing Partner - PricewaterhouseCoopers Ireland)

Located at Dublin, Cork, Galway, Kilkenny, Limerick, Waterford and Wexford.

PricewaterhouseCoopers is authorised by Chartered Accountants Ireland to carry on investment business.

Executive summary

Background

The Health Service Executive (“HSE”) is a large geographically spread organisation which provides all of Ireland’s public health services through hospitals and communities across the country. The HSE consists of approximately 4,000 locations, 54 acute hospitals and over 70,000 devices (PCs, laptops, etc). Services are provided through both community delivered care and care provided through the hospital system as well as the national ambulance service. Corporate services and other services that support healthcare delivery are provided through the national centre.

The HSE is the largest employer in the Irish state, with over 130,000 staff including direct employees and those employed by organisations funded by the HSE[1]. It therefore comprises an extensive community who are increasingly dependent on connected and reliable Information Technology (“IT”) solutions and varying levels of IT support from the HSE national centre to deliver clinical services. This includes the HSE’s national IT infrastructure. The HSE is classified as a critical infrastructure operator under the EU Network and Information Security Directive (“NISD”)[2], also known as an Operator of Essential Services (“OES”).

Introduction to the Incident

In the early hours of Friday 14 May 2021, the HSE was subjected to a serious cyber attack, through the criminal infiltration of their IT systems (PCs, servers, etc.) using Conti ransomware. The HSE invoked its Critical Incident Process, which began a sequence of events leading to the decision to switch off all HSE IT systems and disconnect the National Healthcare Network (“NHN”) from the internet, in order to attempt to contain and assess the impact of the cyber attack[3]. These actions removed the threat actor’s (the “Attacker”) access to the HSE’s environment.

This immediately resulted in healthcare professionals losing access to all HSE provided IT systems including patient information systems, clinical care systems and laboratory systems.
Non-clinical systems such as financial systems, payroll and procurement systems were also lost. Significant disruption immediately occurred and many healthcare professionals had to revert to pen and paper to continue patient care. Healthcare services across the country were severely disrupted with real and immediate consequences for the thousands of people who require health services every day.

Normal communication channels, both at HSE’s national centre and within operational services were also immediately lost. This included email and networked phone lines. Staff switched to communicating using mobile and analogue phones; fax; and face to face meetings.

The aim of the Attacker was to disrupt health services and IT systems, steal data, and demand a ransom for the non-publication of stolen data and provision of a tool to restore access to data they had encrypted.

The HSE initially requested the assistance of the Garda National Cyber Crime Bureau, the International Criminal Police Organisation (“Interpol”) and the National Cyber Security Centre (“NCSC”) to support the response. The ransomware created ransom notes with instructions on how to contact the Attacker. The Attacker also posted a message on an internet chat room on the dark web, with a link to several samples of data reportedly stolen from the HSE. The HSE and the Irish Government confirmed on the day of the attack that they would not pay a ransom[4].

The Incident had a far greater and more protracted impact on the HSE than initially expected, with recovery efforts continuing for over four months.[5]

Growing threat of cyber attacks

Cybercrime is increasing in frequency, magnitude and sophistication, with cybercriminals easily operating across jurisdictions and country borders. These incidents can cause major damage to safety and the economy[6].
As outlined in Ireland’s National Cyber Security Strategy, 2019-2024, “recent years have seen the development and regular use of very advanced tools for cyber enabled attacks and espionage, and, likely for the first time, the physical destruction of Critical National Infrastructure by cyber enabled means”[7]. In April 2020, Interpol warned that cybercriminals were targeting critical healthcare institutions with ransomware[8].

Footnotes:
[1] Health Service Employment Report: August 2021
[2] This occurred in July 2016. See NIS Compliance Guidelines for Operators of Essential Service
[3] Conti Cyber Response NCMT Structures Governance and Admin V1.10
[4] how-it-may-affect-you.html
[5] Weekly Brief, 21 September
[6] tail/en/IP 13 94
[7] National Cyber Security
[8] healthcare-institutions-withransomware

Ransomware attacks have risen significantly over the last few years. Whilst precise figures on the number of ransomware victims are not available, there are statistics that indicate the rate of growth of these attacks. For example, the US agency FinCEN’s[9] analysis of ransomware-related Suspicious Activity Reports (SARs) filed during the first half of 2021 indicates that $590 million[10] was paid in ransomware-related transactions (likely representing payments originating from the US to ransomware groups), which exceeds the value reported for the entirety of 2020 ($416 million).

Despite claims by ransomware groups that they would not seek to harm people, there are several recent examples of attacks against healthcare providers. Hospitals including St. Lawrence Health System (USA), Sonoma Valley Hospital (USA), and Sky Lakes Medical Center (USA), all reported that they were impacted by ransomware attacks in 2020. On 20 May 2021, the Federal Bureau of Investigation (“FBI”) identified at least 16 Conti ransomware attacks targeting US healthcare[11]. Healthcare organisations that have been the target of similar attacks this year include Waikato District Health Board, New Zealand (May 2021), Eskenazi Health, USA (August 2021), Memorial Health System, USA (August 2021) and Macquarie Health Corporation, Australia (October 2021). More recently, much of the provincial healthcare system in Newfoundland was impacted by a cyber attack (November 2021). The ransomware attack against the HSE would appear to be the first occurrence of an entire national health service being impacted by such an attack.

Scope of our review

In June 2021, PwC was commissioned by the Board of the HSE, in conjunction with the Chief Executive Officer (“CEO”) and the Executive Management Team (“EMT”), to conduct an independent post incident review (“PIR”) to urgently establish the facts in relation to the HSE’s technical and operational preparedness for an incident of this nature; and to identify the learnings from this Incident both for the HSE and for State and non-State organisations to inform their future preparedness. We initially undertook a scoping phase, to develop our understanding of the Incident and our approach to the review, followed by the PIR engagement which was conducted over a 14 week period.

This is a complex PIR. In recognition of this complexity, we brought together an experienced multi-disciplinary team of international cybersecurity and crisis management specialists. Our team included forensic investigation and response, IT/cybersecurity, crisis management, culture and behaviour, and regulatory experts with extensive experience in cybersecurity PIRs.

We took a sample approach to review the involvement of the hospitals and Community Healthcare Organisations (“CHO”) within the community, focusing on how the HSE’s strategy was implemented at tactical levels and the effectiveness of the HSE’s coordination of efforts.

Timeline of the Incident

On 18 March 2021, the source of the cyber-attack[12] originated from a malicious software (“Malware”) infection on a HSE workstation (the “Patient Zero Workstation”). The Malware infection was the result of the user of the Patient Zero Workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on 16 March 2021.

After gaining unauthorised access to the HSE’s IT environment on 18 March 2021, the Attacker continued to operate in the environment over an eight week period until the detonation of the Conti ransomware on 14 May 2021. This included compromising and abusing a significant number of accounts with high levels of privileges (typically required for performing administrative tasks), compromising a significant number of servers, exfiltrating data and moving laterally to statutory and voluntary hospitals.

The Incident was not identified and contained until after the detonation of the Conti ransomware on 14 May 2021, which caused widespread IT disruption. There were several detections of the Attacker’s activity prior to 14 May 2021, but these did not result in a cybersecurity incident and investigation initiated by the HSE and as a result opportunities to prevent the successful detonation of the ransomware were missed. The key events from 18 March 2021 to 14 May 2021 are set out in the diagram overleaf.

Footnotes:
nalysis
dia/News/2021/210521.pdf
HSE’s Incident Response provider Intrusion Investigation Report, September 2021

Figure 1: Summary Timeline 18 March - 14 May 2021

- 18/03/21: Initial infection of Patient Zero Workstation
- 07/05/21: The Attacker compromised the HSE’s servers for the first time
- 08/05/21 to 12/05/21: The Attacker compromised six voluntary and one statutory hospital
- 10/05/21: Hospital C identified malicious activity on a DC
- 12/05/21: Hospital A communicates alerts of malicious activity to the HSE OoCIO
- 12/05/21 to 13/05/21: The Attacker browsed folders & opened files on systems within the HSE
- 13/05/21: HSE’s Antivirus Security Provider emailed the HSE’s Sec Ops team highlighting unhandled threat events
- 13/05/21: Hospital A and DoH proactively prevented an attack on their networks
- 14/05/21 @ 01:00: The Attacker executed the Conti ransomware within the HSE

In the early hours of 14 May 2021, the HSE identified that they had been a victim of a cyberattack and they began to mobilise a response, drawing on their experiences from previous crises, including COVID-19. The key response and recovery events from 14 May 2021 are set out in the diagram below.

Figure 2: Summary Timeline 14 May - 21 September 2021

- 14/05/21 @ 02:50: HSE received reports from hospitals of encrypted systems
- 14/05/21: HSE shutdown all HSE IT systems and access to the NHN
- 14/05/21: Third parties, including government agencies were brought in to support the response
- 15/05/21: HSE set up a war room, and reported the breach to the DPC
- 20/05/21: HSE obtained a court order restraining the sharing of HSE data
- 21/05/21: The decryption key was received accelerating the recovery process
- 21/05/21: Clinical Indemnity provided to doctors, nurses and midwives
- 21/05/21: The HSE established a SitCen in CityWest
- 24/05/21: A process was released to enable the secure recovery of systems
- 14/06/21: 47% of servers are considered decrypted, with 51% of applications restored
- 21/09/21: 100% of servers are considered decrypted with 99% of applications restored

The HSE was assisted by the Defence Forces and the NCSC as well as third parties in the early weeks of the Incident, to provide structure to the response activities. The response teams could not initially focus on the highest priority response and recovery tasks due to the lack of preparedness for a widespread disruptive IT event e.g. through not having a pre-prepared list of prioritised clinical systems and applications to focus their efforts.

On 15 May 2021, the HSE senior management set up a war room at a third party’s office building on Molesworth Street. On 20 May 2021, the Defence Forces attended Molesworth Street for further discussions around the level of support that was required by the HSE during the response and recovery phases of the Incident and on 21 May 2021, the HSE set up a physical situation centre (“SitCen”) in CityWest to manage the response and recovery. The HSE engaged a third party Incident Response organisation (“HSE’s Incident Response provider”) to investigate the cyber attack.

On 20 May 2021, the HSE secured a High Court injunction[13] restraining any sharing, processing, selling or publishing of data stolen from its computer systems. On the same day, the Attacker posted a link to a key that would decrypt files encrypted by the Conti ransomware. The HSE’s Incident Response provider validated that the decryption key worked on 21 May 2021 and provided it to the HSE, allowing them to gain access to the data that had been encrypted by the Conti ransomware. Without the decryption key, it is unknown whether systems could have been recovered fully or how long it would have taken to recover systems from backups, but it is highly likely that the recovery timeframe would have been considerably longer.

From 22 May 2021 onward, the HSE Information and Communications Technology (“ICT”) team moved from the response phase into the recovery phase, where they focused their efforts on decrypting systems, cleansing workstations, restoring systems and the recovery of applications.
The HSE recovered their primary identity systems (Active Directory (“AD”) domain) within days of the Incident, but decryption of servers and acute and community services applications took place largely over the following three months. By 21 September 2021, the HSE had recovered all servers and 1,075 applications, out of a total of 1,087 applications[14].

At the time of issuing this report, the HSE had notified the Data Protection Commissioner (“DPC”) in relation to the Incident, however, they have not made any data subject notifications for personal data exposure or exfiltration. The HSE’s Legal and Data workstream continues to work closely with the DPC in relation to this matter.

Mitigating factors impacting on the Incident

There were a number of mitigating factors which had a considerable effect in reducing the severity and impact of the Incident.

Relative simplicity of the attack and the release of the decryption key

Based on the forensic examination of the Attacker’s activity, it would appear that the Attacker used relatively well-known techniques and software to execute their attack. A more sophisticated attack may have involved gathering intelligence in advance, before it could be successfully and subtly exploited. The impact of the Incident on the HSE and health services could have been significantly greater, with far more severe clinical impact. Some examples of this include, but are not limited to:

- if there had been intent by the Attacker to target specific devices within the HSE environment (e.g. medical devices);
- if the ransomware took actions to destroy data at scale;
- if the ransomware had auto-propagation and persistence capabilities, for example by using an exploit to propagate across domains and trust-boundaries to medical devices (e.g. the EternalBlue exploit used by the WannaCry and NotPetya[15] attacks);
- if cloud systems had also been encrypted such as the COVID-19 vaccination system.

An additional mitigating factor was the release of the decryption key by the Attackers on 20 May 2021, which allowed for an accelerated recovery process. It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape. Therefore it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss. It is also likely to have taken considerably longer to recover systems without the decryption

Footnotes:
rder-perfected-20-may-2021.pdf
Weekly Brief, 21 September

Significant ‘in-the moment’ efforts in response to the Incident

A recurring theme observed throughout the PIR was the dedication and effort observed at all levels during the response to the Incident. This included individuals from across the HSE, impacted hospitals, CHOs, and third parties all going “above and beyond” in their call of duty. This illustrates that, in times of significant challenge or emergencies, staff in the health services are resilient, respond quickly, and have an ability to implement actions and workarounds to maintain even a basic continuity of service to their patients.

National support

The impact of the Incident was at a national scale which encouraged support and presence from other state agencies and third parties, who provided structure, governance, technical expertise and resources to assist the response and recovery.

Lessons learned from COVID-19 and previous IT disruptions

Whilst the HSE had not previously encountered an incident of this scale, they have been exposed to other significant incidents both directly (e.g. COVID-19) and through observations of ransomware attacks on other healthcare organisations globally (e.g. WannaCry ransomware attack) over the past five years. Each of these incidents highlighted key learnings that have led to an improved level of crisis management maturity within the HSE.

Strategic recommendations and findings

The Incident demonstrated that the HSE and organisations connected to the NHN are vulnerable to common cyber attacks that can cause significant impact to the provision of health services. Transformational change is required across the technology foundation for provision of health services and its associated cybersecurity, that will need to be executed over the coming years.

In order to deliver a significant and sustainable change in the exposure to cybersecurity risk, four areas of strategic focus are required across the HSE and other parties connected to the NHN.
There are dependencies across these four areas and they need to be progressed in parallel. They are summarised below, with further detail provided in Section 4.1. More detailed findings and recommendations are provided in Section 5.

1. Implement an enhanced governance structure over IT and cybersecurity that will provide appropriate focus, attention and oversight.

1.1 Establish clear responsibilities for IT and cybersecurity across all parties that connect to the NHN, share health data or access shared health services. Establish a ‘code of connection’ that sets minimum cybersecurity requirements for all parties and develop an assurance mechanism to ensure adherence.

One of the challenges faced by the HSE is that cybersecurity risk materialises as a ‘common risk’ to all organisations connected to the NHN given the interconnected nature of the IT systems. Under the governance constructs of the health service, organisations have varying levels of autonomy over IT and cybersecurity decision making, yet the risk is shared - with organisations dependent on each other for cybersecurity. There is no ‘code of connection’ for all parties that connect to the NHN, share health data or use shared services in order to set a minimum baseline of security standards.

1.2 Establish an executive level cybersecurity oversight committee to drive continuous assessment of cybersecurity risk and a cybersecurity transformation programme across the provision of health services.

Within the HSE, there is no dedicated executive oversight committee that provides direction and oversight to cybersecurity, both within the HSE and all organisations connected to the NHN. A known low level of cybersecurity maturity, including critical issues with cybersecurity capability, has persisted. It is important that the cybersecurity oversight committee includes participation from user groups, so that culturally cybersecurity moves from being perceived as an IT challenge, to being perceived as ‘how we work’.
The cybersecurity oversight committee should be accountable for ensuring compliance with the evolving requirements of the EU NISD for essential services across the health service.

1.3 Establish an executive level oversight committee for IT.

With a fragmented set of decision rights over IT development and support across the provision of health services, a necessary enabler for driving transformational change will be the establishment of an executive level committee, chaired by the Chief Technology and Transformation Officer (see Recommendation 2 below), that can agree the priorities for IT development and investment, and align all interested parties behind a clear vision, strategy and plan. Critical to its success will be the participation of IT leaders from across the health service.

1.4 Establish a board committee (or repurpose an existing one) to oversee the transformation of IT and cybersecurity to deliver a future fit, resilient technology base for provision of digitally-enabled health services, and ensure that IT and cybersecurity risks remain within a defined risk appetite. Consider the inclusion of further specialist non-executive members of the committee in order to provide additional expertise and insight to the committee.

Cybersecurity was recorded as a ‘High’ risk in the Corporate Risk Register in Q1 2019.[16] At the time of the Incident, the risk rating for cybersecurity on the Corporate Risk Register was 16, based on a likelihood scoring of 4 (likely, with a 75% probability) and an impact scoring of ‘Major’.[17] The HSE’s risk assessment tool is described in Appendix H.

Risks on the Register are subject to a quarterly review process and the quarterly reports are reviewed by the relevant Board Committee. The Performance and Delivery Committee of the Board reviewed the cyber risk with management in September 2020[18] and this was followed by a revised mitigation plan. The Committee includes two experienced IT leaders in large organisations, although they are not cybersecurity specialists. This revised mitigation plan had a number of actions due to be completed post the date of the Incident. The actions completed prior to the Incident did not materially impact the risk faced in this area.

The HSE’s IT-related risks had been presented at Board level on a number of occasions. However, the gravity of cybersecurity exposure was not fully articulated to the Board, given the HSE’s level of vulnerability to a cyber attack, or assessed against a defined risk appetite.
Known issues with cybersecurity capability have made limited progress over the course of several years.

Given the scale of change required across the provision of health services, it is recommended that a focused committee of the board is established, with relevant training provided. Consideration should be given to appointing additional individuals to that committee with specialist skills to act in a non-executive capacity and enhance the ability for the committee to support and oversee the IT and cybersecurity transformation. A key role for the committee will be to ensure that HSE requests for government funding (e.g. to the Department of Public Expenditure and Reform (“DPER”)) to invest in addressing IT and cybersecurity issues are clearly articulated, and the risks associated with lack of investment are communicated and understood.

2. Establish a transformational Chief Technology & Transformation Officer (“CTTO”) and office to create a vision and architecture for a resilient and future-fit technology capability; to lead the delivery of the significant transfor
