How were hackers able to hack the HSE system?

almostthere

How was it possible that hackers could hack the HSE computer system? Did they not have enough security in place?
 
How was it possible that hackers could hack the HSE computer system? Did they not have enough security in place?

Correct.
Much like Glanbia the week before. And was it a logistics agency the week before that again.

Ransomware is just another arrow in the quiver of cyber criminals. It’s a global industry. Because the HSE is what it is, it’s front page headlines.
 
It is exceedingly difficult to keep a determined organisation out, the larger your footprint, the more systems you have exposed to the internet, the more difficult it is. You need a strong IT team who are very organised and patch every single machine and application regularly, and quickly after every vulnerability is uncovered to have a hope. Even then you can get undone by someone clicking on a link in an email.

Hacking for profit is a multi-billion dollar industry. To succeed, they will try thousands of approaches and they just need to get lucky once.
 
Windows 2000 probably didn't help either. The last time I was in the datacenter of one of the major hospitals in the country (about a year ago) I was installing a few new servers running Windows 2019, but the two servers on top of them in the rack were hosting some critical apps running on Windows 2000 still....
 
Maybe "working from home" could be responsible, someone accessing personal stuff while also having HSE site open and not being properly protected by the HSE firewall as they would on site. I'm not an IT expert but some IT guy was speculating on this factor.

As an aside though I think Paul Reid has been the stand out best performer for the HSE since the corona pandemic, even on this major hacking issue he is really on top of his game and able to give comprehensive answers on this difficult topic
 
The HSE is a hodgepodge of dozens of different systems and they are unable to standardise them without running into all sorts of HR (Union) problems. Given that and the fact that they have been trying to address the issue in recent years I'd be slow enough to criticise the top guys and gals or the IT people.
 
The HSE couldn't really win with this attack because if they had spent big money on IT and security and the hackers did not succeed in getting in we would not have known that the security had worked. The HSE would be accused of wasting all this money on IT rather than on cancer treatment etc
 
I would say every large company has been attacked in the last 3 years, some luckily escaped, some not so lucky. Our ICT dept has exploded with staff, all devices are upgraded, compulsory training, fake email trying to catch you out, and if you press the link back to more compulsory training. And still we get attacked. Many companies never announce even to staff that they have had a ransomware attack. Plus fraud is increasing, through fake emails, fake banking details and suddenly you have lost a lorry load of goods to what you thought was a legitimate sale.
 
We have literally dozens of attacks every week where I work.
We keep our systems up to date and have a proactive IT department who are generally on top of things. We also back up everything on an ongoing basis. But we are a small company and we don't have to seek the approval of any Unions to make minor changes. We just tell people why we are changing things and if they have a legitimate issue with it we listen and adapt.

That's a world away from the HSE so I have a great deal of sympathy for their IT people.
 
The scale is incredible - I had a conversation with the global head of security at our place (large multinational financial services). There are tens of thousands attempted infiltrations per day. Most are probably kids trying their luck but when you think of the scale, and the fact that it only takes one success, it really is a tough gig.

And the weakest parts of the system are the "bags of mostly water" who do stupid things like click on links. If you have 10,000 weak links, it makes the job tougher.
 
It is also extremely difficult to upgrade medical systems. Even connected network systems have to be tested before and after ANY upgrade, without ANY patient downtime.

I remember an old job where four clinical systems had to be upgraded from Windows XP to Windows 7. From "let's do it" to upgrade day was six months.

Even a simple Windows security patch triggers several hours' worth of testing of various calculation algorithms and flow checking. All that time the system isn't available for clinical use, which is a big deal when you already have 10 hours' worth of patients and an 8 hour day before you end up with overtime, that can't be paid due to budget cuts.
 
It is also extremely difficult to upgrade medical systems. Even connected network systems have to be tested before and after ANY upgrade, without ANY patient downtime.

I remember an old job where four clinical systems had to be upgraded from Windows XP to Windows 7. From "let's do it" to upgrade day was six months.

Even a simple Windows security patch triggers several hours' worth of testing of various calculation algorithms and flow checking. All that time the system isn't available for clinical use, which is a big deal when you already have 10 hours' worth of patients and an 8 hour day before you end up with overtime, that can't be paid due to budget cuts.
It just shows how important it is to control the IT infrastructure. It's amazing how one of the big players like Siemens, GE or Philips who make the big ticket imaging and testing products or one of the newer guys like Google, Apple or Microsoft, aren't selling holistic IT systems for Healthcare.

The Texas Medical Centre in Houston employs 106,000 people. It's the biggest Medical Centre in the world. Maybe the HSE should give their head of IT Infrastructure a call. He's on LinkedIn. Offer him €20,000,000 a year for the next 10 years to fix our system. It would be money well spent.
 
With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.

I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.
 
With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.

I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.
Nice idea but the Unions exercise their veto to block any meaningful reform within the Health Service. Just look at how they derailed PPARS by opposing the standardisation of contracts.
 
With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.

I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.
It's not expensive because it spends money on the best of equipment, it's expensive because it is grossly inefficient, often buying equipment that is not compatible with other systems in place. As an example, the hospital where my wife works bought a new scanner a couple of years back. One team of 'experts' ran the procurement process to select the scanner, the facilities team ran the construction project to manage the building works. They never met to compare notes so when the machine was delivered it was discovered that first, they couldn't get it into the building, and then the room it was to be housed in wasn't big enough. Cue frantic knocking of walls and reconfiguration of space.
 
Nice idea but the Unions exercise their veto to block any meaningful reform within the Health Service. Just look at how they derailed PPARS by opposing the standardisation of contracts.
There’s no way that the current situation is sustainable. We’re already spending 40% of all taxpayer funding on healthcare and it’s clear that is going to exponentially increase with our aging population and the removal of private healthcare. Rather than the standard consensus building of holding hands with every employee, someone needs to create a proper vision and a timeline for cost savings. While I think many in the HSE do a difficult job with little recognition, we need to implement rather than issuing a new report or having another consultation that leads to nothing. Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.
 
Sounds very
It's not expensive because it spends money on the best of equipment, it's expensive because it is grossly inefficient, often buying equipment that is not compatible with other systems in place. As an example, the hospital where my wife works bought a new scanner a couple of years back. One team of 'experts' ran the procurement process to select the scanner, the facilities team ran the construction project to manage the building works. They never met to compare notes so when the machine was delivered it was discovered that first, they couldn't get it into the building, and then the room it was to be housed in wasn't big enough. Cue frantic knocking of walls and reconfiguration of space.
Sounds remarkably similar to the industrial printer for government buildings that couldn’t fit into the building.
 
Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.
Or perpetually whingeing GPs charging 75 Euro for 5 minute appointments. I don't understand why they get such an easy ride in the media.
 