Why was Ireland's Health Service Executive (HSE) so vulnerable? Why were they not able to defend the private data of patients all over the country?
Both good questions, but this column is not going to be kicking the HSE when it's down.
There's a good reason for that. For the past few months, I have been a day patient every Wednesday in a hospital in Dublin city center for a treatment that takes several hours. So over the past couple of weeks, I've had a ringside seat at the battle to cope with the ransomware attack which locked up much of the patient data in hospitals around the country.
Not that it matters to the criminals involved, but a more cruel, despicable act is hard to imagine. The first thing, of course, is the effect on patients and on people on waiting lists for treatment. Many kinds of hospital care had to be canceled or postponed, causing real fear and suffering to thousands of people.
The second thing is the effect on hospital staff, already exhausted by the pandemic. Now they had to deal with being unable to access patient history and test results, and they also had to work around the rest of the chaos that a computer system shutdown causes.
This was the last thing they needed. From what I could see, they coped as well as is humanly possible and did so with their usual unfailing kindness. "Workaround" became their new mantra. But it can't have been easy.
Simple things like getting samples from the bloods department to the labs and then getting the test results up to the wards meant handwritten notes which had to be delivered manually. Various computer-linked treatments like X-rays, scans, and radiotherapy had to be canceled altogether.
They are just two examples. That the staff was able to continue to provide care at all seemed remarkable.
And it's an ongoing struggle. So you won't find this column passing judgment on them.
Whatever weaknesses there are in the system here -- and we will get to that -- the finger of blame should point only at the Russian hackers. They could have targeted government departments, institutions, private companies, and so on, as they now do all the time in what has become a lucrative global crime business.
Instead, they attacked a national hospital service, knowing that the pain and suffering caused by a shutdown would be powerful leverage in getting payment of a ransom.
The well-known cyber gang-involved is based in St. Petersburg and is able to operate there unhindered by Vladimir Putin's regime as long as they don't target any Russian businesses. Their ransom demand to unlock the HSE systems was for $20 million.
Having failed to get that, they are now putting the data they have hacked onto the web or selling selected packages of it on to other criminals for extortion, financial scams, and bogus treatment offers. This will be embarrassing and upsetting for many people.
It's one thing if you are a hip replacement patient or even a cancer patient -- you may not care if your health details go up online. You may feel differently if you're being treated for a sexually transmitted disease or a mental health issue.
So even though the Irish government has refused to pay the ransom, there will be difficult weeks and months ahead. And although progress is being made in decrypting and cleaning them, it will be some time before the hospital computer systems countrywide are functioning properly again.
The first question being asked here is, why Ireland? Were we attacked because the hackers discovered we were far more vulnerable than other countries? Or was it just a random search by some hackers who happened to land on an unprotected server in the HSE and were able to get in? Either is possible, according to outside experts.
A little background on the HSE may be helpful. It was set up in 2005 to replace the 11 regional health boards which used to run public hospitals and health services around Ireland.
These were inefficient, there was a lot of staff who were not front line, there was duplication between them, and, worst of all, their waiting lists were prone to interference by local politicians who sat on their boards. Whether you got your hip done quickly could depend on who you knew.
Replacing them with an independent national health service made sense. The HSE is not answerable to local politicians, although policy and funding are set by the Department of Health.
Getting rid of the old structures 15 years ago meant doing deals with the unions involved, which meant very few redundancies. So even today the organization is top-heavy with admin and management staff.
But major progress has been made in rationalizing, concentrating, and improving services. The Cancer Centres of Excellence are just one example.
Despite this, the HSE continues to have a poor reputation and is the subject of endless complaining. The main accusation is that it gets a huge amount of funding from the state every year and we have little to show for it. Ireland is one of the top spenders in Europe on public health but the perception is that our services are poor in comparison with most other countries.
Despite having a huge budget, which increases by a billion or more every year, all the money goes on trying to keep up with daily demand and staff costs. So there is nothing left over to make necessary changes for the future, like upgrading and integrating the computer systems in the hospitals around the country. Which is why, as you may have read in the past week, there are thousands of old servers and tens of thousands of old computers in our hospitals around the country, many still running Windows 7 which is no longer supported by Microsoft.
This made them more vulnerable to attack, although the HSE was paying Microsoft for enhanced security for the old software. But the reality is that even the latest systems can be vulnerable if people make mistakes.
This breach seems to have been caused by someone who opened a file that appeared to come from another part of the HSE, possibly containing a bogus invoice for supplies. The supplier route is now commonly used by hackers as a way in.
The HSE has been aware of its cybersecurity issue and has been working on it for the past three years at least, albeit at a snail's pace. The problem, as usual, is funding.
It could cost a billion or more to update our hospital computer systems, install the best cyberattack defenses and improve staff training. So far, the money has not been available.
The government has now woken up to danger, but one indication of how far we are behind was the revelation that our National Cyber Security Centre (set up in 2011 to advise all state departments and bodies) has been so poorly funded that it lost its chief executive probably because of low pay and has a fraction of the staff it needs. Hopefully, that will now change.
Clearly, we need to be doing much more in this area here. If it was hospitals this time, might it be our air traffic control the next? There may be other critical services here on which lives depend that are more vulnerable than they should be.
To have been caught once is bad enough. To be caught twice would be unforgivable.
None of this is easy and no one is ever completely safe. A few weeks ago, the attack on Colonial Pipeline caused panic among motorists in parts of the U.S.
As this column is being written, there is news of an attack on a major financial services company here, and that is just one of up to a dozen attacks on Irish businesses in the last few weeks. Often these are not reported and the ransom is paid, as happened with Colonial.
One of the more intriguing aspects of the HSE attack was the hackers giving a decryption key to unlock systems here last week. Anyone who thinks this was a gesture of goodwill is mistaken. It's a tactic to try to influence public opinion and put pressure on the government to pay up to prevent data being sold on or published on the web.
As far as we know this is the first cyberattack on this scale that was able to lock up a country's entire public health system. It's a national embarrassment for Ireland, not least because we play up the image of being a hub for the biggest global IT companies here.
But we need not beat up ourselves too much. Yes, we are behind on cybersecurity. But the reality is that every country is vulnerable.
*This column first appeared in the May 26 edition of the Irish Voice newspaper, sister publication to IrishCentral.