PricewaterhouseCoopers (PwC)
2022-01-17
2022-01-17
03/12/2021
http://hdl.handle.net/10147/631006

In the early hours of Friday 14 May 2021, the HSE was subjected to a serious cyber attack, through the criminal infiltration of their IT systems (PCs, servers, etc.) using Conti ransomware. The HSE invoked its Critical Incident Process, which began a sequence of events leading to the decision to switch off all HSE IT systems and disconnect the National Healthcare Network (“NHN”) from the internet, in order to attempt to contain and assess the impact of the cyber attack. These actions removed the threat actor’s (the “Attacker”) access to the HSE’s environment. This immediately resulted in healthcare professionals losing access to all HSE-provided IT systems, including patient information systems, clinical care systems and laboratory systems. Non-clinical systems such as financial systems, payroll and procurement systems were also lost. Significant disruption immediately occurred and many healthcare professionals had to revert to pen and paper to continue patient care. Healthcare services across the country were severely disrupted, with real and immediate consequences for the thousands of people who require health services every day. Normal communication channels, both at HSE’s national centre and within operational services, were also immediately lost. This included email and networked phone lines. Staff switched to communicating using mobile and analogue phones, fax, and face-to-face meetings. The aim of the Attacker was to disrupt health services and IT systems, steal data, and demand a ransom for the non-publication of stolen data and provision of a tool to restore access to data they had encrypted. The HSE initially requested the assistance of the Garda National Cyber Crime Bureau, the International Criminal Police Organisation (“Interpol”) and the National Cyber Security Centre (“NCSC”) to support the response.
The ransomware created ransom notes with instructions on how to contact the Attacker. The Attacker also posted a message on an internet chat room on the dark web, with a link to several samples of data reportedly stolen from the HSE. The HSE and the Irish Government confirmed on the day of the attack that they would not pay a ransom. The Incident had a far greater and more protracted impact on the HSE than initially expected, with recovery efforts continuing for over four months.

en
CC-BY 4.0
https://creativecommons.org/licenses/by/4.0/
INFORMATION TECHNOLOGY
ELECTRONIC COMMUNICATION
Conti cyber attack on the HSE: Independent Post Incident Review
Report