The cyberattack on the HSE has proven to be an unwelcome wake-up call for the entire country. But it should come as no surprise: The HSE has been warned before, most notably, as reported in this paper, by Bruce Schneier at the Web Summit in December 2020.
There is a saying, attributed to former FBI director Robert Mueller, that there are two types of companies, those that have been hacked and those that will be hacked. So, why was the HSE caught napping? And is it the HSE’s fault?
To answer these questions requires discussion of three factors that led to this cyberattack: The way the HSE’s IT systems are funded, the sheer diversity and age of its computer systems, and the behaviour of the cyberattackers.
The first factor is IT budgeting. The news is rife with stories about IT budget overspend and projects foundering due to requirements creep and poor planning and financial control. Two notable cases are the £12.7bn NHS electronic patient record project, abandoned in 2011, and the €130m PPARS project abandoned by the HSE in 2007.
One might assume that far too much money is already wasted on information technology. This is not the case.
The HSE National Service Plan budget for 2021 is €20bn, up from €17bn in the previous year, including provisions for Covid-19 costs. The total HSE IT budget for 2021 is €120m of this overall budget, again including Covid provisions. This is 0.6% of the overall budget.
Of that, there is a specific project allocation of just over €2m for cybersecurity. But while these seem very big numbers, they fall below what is considered the norm in industry.
The industry norm for IT spend as a percentage of annual turnover is between 2% and 6%, varying by sector. Calculating what HSE IT spending should be on that basis: 2% of an annual budget of €20bn is €400m to spend on IT, over three times the current allocation.
At the 6% level, the annual IT budget would be €1.2bn. IT security typically comes in at about 3% of overall IT budgets, yielding a nominal budget range of €12m to €36m. Clearly the HSE falls far short of these annual budget figures.
The problem is worse than the figures suggest, however, and this is where the second factor comes in. The HSE has grown from separate regional health boards, assimilating a large and diverse range of IT systems in all its hospitals and primary care centres.
These systems number in the low thousands, with many thousands of entry points. Merging these into a smaller set of less diverse systems is time-consuming and expensive, even when IT budgets meet industry norms.
When this happens in any company, the IT manager and her staff frequently have to make do, applying sticking-plaster solutions to legacy systems when better-thought-out but more expensive solutions are needed.
The HSE is not unusual in this respect: There are countless cases of this sort of growth by aggregation in industry, with the resulting Frankenstein IT systems taking years to harmonise and sort out. The costs associated with this will go beyond the normal annual allocation.
Which brings us to the third factor: The cyberattackers. Budgetary constraints and a diverse network of legacy IT systems left the HSE particularly vulnerable to last week’s cyberattack. Wizard Spider, an Eastern European/Russian hacking gang, unleashed Conti ransomware on the HSE’s network.
Conti is a human-operated ransomware, of considerable sophistication and disruptive power. The HSE was unlucky in that this is a zero-day attack, utilising a version of Conti not seen before and therefore difficult to defend against.
It is likely that the attack was opportunistic. The HSE was not sought out for special treatment, but just happened to be a suitable target.
The HSE is not particularly at fault here. Its woes must be seen against a general backdrop of a lack of understanding in Ireland of the cost of IT, a tenuous grasp of what IT does and general complacency about the security of IT.
This flawed thinking extends to government policy on health IT investment and cybersecurity. There is wishful thinking that everything will be all right and nothing too serious will happen to a small country like Ireland. Recent events — Ophelia, Covid-19, and notably this cyberattack — demonstrate that this sort of thinking is wrong. New thinking is needed.
Academics talk about information technology as part of an information system that encompasses people, processes, and technology. This provides clues as to the role of the technology with which we are all familiar.
Though the technology is important, we are more interested in how it helps the people in the HSE carry out their work (processes), which in turn allows them to deliver treatment to patients so that they make a full recovery. This is what we teach students on our MSc in cyber-risk for business.
Seeing the HSE’s IT systems through the lens of an information system allows us to answer some questions raised about the cyberattack. Why doesn’t the HSE use paper backups when caring for patients? Because that would involve double entry or repeatedly printing everything out. Both options are inefficient.
Why wasn’t the HSE able to defend against this attack? Because that requires a sophisticated multi-layered defensive system which is expensive both to build and maintain. Isn’t recovery just a matter of wiping and restoring the affected systems? This is only part of the solution and the bigger problem remains, which is how to recover patient data.
All is not lost, however. Backups exist, GP practices and their unaffected systems hold patient histories and, yes, pen and paper will be used while the IT systems are sorted out. The problems of restoring the data are not insurmountable, but they require huge effort from the HSE and all the organisations that are currently assisting.
But this will happen again, and again, and again. The only solution is to address this at government policy level by properly funding the HSE’s IT infrastructure and by funding cybersecurity in general.
Future HSE running costs might be reduced by seeking efficiencies and rationalising existing systems.
But the will has to exist at government level to invest now in the HSE’s future. Also, cybersecurity needs to receive more attention and funding. The currently vacant position of the director of the National Cyber Security Centre is a telling reminder of how much work remains to be done.
It’s time to get serious.
- Dr Simon Woodworth, director, MSc Cyber Risk for Business, Cork University Business School