# How were hackers able to hack the HSE system?



## almostthere (16 May 2021)

How was it possible that hackers could hack the HSE computer system?  Did they not have enough security in place?


----------



## EasilyAmused (16 May 2021)

almostthere said:


> How was it possible that hackers could hack the HSE computer system?  Did they not have enough security in place?



Correct.
Much like Glanbia the week before. And was it a logistics agency the week before that again.

Ransomware is just another arrow in the quiver of cyber criminals. It’s a global industry. Because the HSE is what it is, it’s front page headlines.


----------



## EasilyAmused (16 May 2021)

The Dept of Health has been attacked too.


----------



## Leo (17 May 2021)

It is exceedingly difficult to keep a determined organisation out, the larger your footprint, the more systems you have exposed to the internet, the more difficult it is. You need a strong IT team who are very organised and patch every single machine and application regularly, and quickly after every vulnerability is uncovered to have a hope. Even then you can get undone by someone clicking on a link in an email.

Hacking for profit is a multi-billion dollar industry. To succeed, they will try thousands of approaches and they just need to get lucky once.


----------



## Purple (17 May 2021)

Running Windows 7 probably didn't help.


----------



## stefanop (19 May 2021)

Windows 2000 probably didn't help either. The last time I was in the datacenter of one of the major hospitals in the country (about a year ago) I was installing a few new servers running Windows 2019, but the two servers on top of them in the rack were hosting some critical apps running on Windows 2000 still....


----------



## joe sod (20 May 2021)

Maybe "working from home" could be responsible, someone accessing personal stuff while also having HSE site open and not being properly protected by the HSE firewall as they would on site. I'm not an IT expert but some IT guy was speculating on this factor.

As an aside though I think Paul Reid has been the stand out best performer for the HSE since the corona pandemic, even on this major hacking issue he is really on top of his game and able to give comprehensive answers on this difficult topic


----------



## Purple (21 May 2021)

The HSE is a hodgepodge of dozens of different systems and they are unable to standardise them without running into all sorts of HR (Union) problems. Given that and the fact that they have been trying to address the issue in recent years I'd be slow enough to criticise the top guys and gals or the IT people.


----------



## joe sod (23 May 2021)

The HSE couldn't really win with this attack because if they had spent big money on IT and security and the hackers did not succeed in getting in we would not have known that the security had worked. The HSE would be accused of wasting all this money on IT rather than on cancer treatment etc


----------



## Clamball (25 May 2021)

I would say every large company has been attacked in the last 3 years, some luckily escaped, some not so lucky. Our ICT dept has exploded with staff, all devices are upgraded, compulsory training, fake email trying to catch you out, and if you press the link back to more compulsory training. And still we get attacked. Many companies never announce even to staff that they have had a ransomware attack. Plus fraud is increasing, through fake emails, fake banking details and suddenly you have lost a lorry load of goods to what you thought was a legitimate sale.


----------



## Purple (25 May 2021)

We have literally dozens of attacks every week where I work.
We keep our systems up to date and have a proactive IT department who are generally on top of things. We also back up everything on an ongoing basis. But we are a small company and we don't have to seek the approval of any Unions to make minor changes. We just tell people why we are changing things and if they have a legitimate issue with it we listen and adapt.  

That's a world away from the HSE so I have a great deal of sympathy for their IT people.


----------



## EmmDee (25 May 2021)

The scale is incredible - I had a conversation with the global head of security at our place (large multinational financial services). There are tens of thousands of attempted infiltrations per day. Most are probably kids trying their luck but when you think of the scale, and the fact that it only takes one success, it really is a tough gig.

And the weakest parts of the system are the "bags of mostly water" who do stupid things like click on links. If you have 10,000 weak links, it makes the job tougher.


----------



## THE_Chris (26 May 2021)

It is also extremely difficult to upgrade medical systems. Even connected network systems have to be tested before and after ANY upgrade, without ANY patient downtime.

I remember an old job where four clinical systems had to be upgraded from Windows XP to Windows 7. From "lets do it" to upgrade day was six months.

Even a simple Windows security patch triggers several hours worth of testing of various calculation algorithms and flow checking. All that time the system isn't available for clinical use, which is a big deal when you already have 10 hours worth of patients and an 8 hour day before you end up with overtime, that can't be paid due to budget cuts.


----------



## Purple (28 May 2021)

THE_Chris said:


> It is also extremely difficult to upgrade medical systems. Even connected network systems have to be tested before and after ANY upgrade, without ANY patient downtime.
> 
> I remember an old job where four clinical systems had to be upgraded from Windows XP to Windows 7. From "lets do it" to upgrade day was six months.
> 
> Even a simple Windows security patch triggers several hours worth of testing of various calculation algorithms and flow checking. All that time the system isn't available for clinical use, which is a big deal when you already have 10 hours worth of patients and an 8 hour day before you end up with overtime, that can't be paid due to budget cuts.


It just shows how important it is to control the IT infrastructure. It's amazing how one of the big players like Siemens, GE or Philips who make the big ticket imaging and testing products or one of the newer guys like Google, Apple or Microsoft, aren't selling holistic IT systems for Healthcare.

The Texas Medical Centre in Houston employs 106,000 people. It's the biggest Medical Centre in the world. Maybe the HSE should give their head of IT Infrastructure a call. He's on LinkedIn. Offer him €20,000,000 a year for the next 10 years to fix our system. It would be money well spent.


----------



## HyperionDayz (9 Jul 2021)

With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.

I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.


----------



## Purple (9 Jul 2021)

HyperionDayz said:


> With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.
> 
> I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.


Nice idea but the Unions exercise their veto to block any meaningful reform within the Health Service. Just look at how they derailed PPARS by opposing the standardisation of contracts.


----------



## Leo (9 Jul 2021)

HyperionDayz said:


> With one of the most expensive healthcare systems in the world (€20 billion this year alone), it is surprising that we don’t have state of the art IT systems. We’re the last Western European country to initiate a nationwide electronic healthcare record and the fact that we had to develop a separate unique health identifier for every person in Ireland, despite having a perfectly good PPS number, shows that state services aren’t being allowed to collaborate.
> 
> I think a root and branch review of the entire healthcare system is needed, starting with the Department of Health. Paul Reid is doing an ok job of steering a broken ship, but it is nonetheless a broken ship.


It's not expensive because it spends money on the best of equipment, it's expensive because it is grossly inefficient, often buying equipment that is not compatible with other systems in place. As an example, the hospital where my wife works bought a new scanner a couple of years back. One team of 'experts' ran the procurement process to select the scanner, the facilities team ran the construction project to manage the building works. They never met to compare notes so when the machine was delivered it was discovered that first, they couldn't get it into the building, and then the room it was to be housed in wasn't big enough. Cue frantic knocking of walls and reconfiguration of space.


----------



## HyperionDayz (10 Jul 2021)

Purple said:


> Nice idea but the Unions exercise their veto to block any meaningful reform within the Health Service. Just look at how they derailed PPARS by opposing the standardisation of contracts.


There’s no way that the current situation is sustainable. We’re already spending 40% of all taxpayer funding on healthcare and it’s clear that is going to exponentially increase with our aging population and the removal of private healthcare. Rather than the standard consensus building of holding hands with every employee, someone needs to create a proper vision and a timeline for cost savings. While I think many in the HSE do a difficult job with little recognition, we need to implement rather than issuing a new report or having another consultation that leads to nothing. Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.


----------



## HyperionDayz (10 Jul 2021)

Sounds very


Leo said:


> It's not expensive because it spends money on the best of equipment, it's expensive because it is grossly inefficient, often buying equipment that is not compatible with other systems in place. As an example, the hospital where my wife works bought a new scanner a couple of years back. One team of 'experts' ran the procurement process to select the scanner, the facilities team ran the construction project to manage the building works. They never met to compare notes so when the machine was delivered it was discovered that first, they couldn't get it into the building, and then the room it was to be housed in wasn't big enough. Cue frantic knocking of walls and reconfiguration of space.


Sounds remarkably similar to the industrial printer for government buildings that couldn’t fit into the building.


----------



## tomdublin (10 Jul 2021)

HyperionDayz said:


> Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.


Or perpetually whingeing GPs charging 75 Euro for 5 minute appointments.  I don't understand why they get such an easy ride in the media.


----------



## Paul O Mahoney (10 Jul 2021)

HyperionDayz said:


> Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.


Despite this being off topic what Dr earns 250k?


----------



## HyperionDayz (10 Jul 2021)

Paul O Mahoney said:


> Despite this being off topic what Dr earns 250k?


I don’t seem to be able to post a link, but just search ‘consultant salary ireland’ in Google and an Irish Times article from May 2021 should pop up. RTE reports the same.

This is the new public only consultants contract and will be worth €252,000 by the end of it. For about 10 years the contract for new consultants mandated a max of 10% private hours and a salary of ~€130,000. Prior to that point, senior consultants were on ~€250,000 and had unlimited private hours.

We are unable to fill ~500 consultant roles mainly because we have about half the consultant numbers of other countries and therefore the role has far too much responsibility and hours of work. Mind you our junior consultants working in the private US healthcare are making between $300,000 - $400,000 depending on their speciality. These are the consultants they’re trying to entice back.


----------



## HyperionDayz (11 Jul 2021)

tomdublin said:


> Or perpetually whingeing GPs charging 75 Euro for 5 minute appointments.  I don't understand why they get such an easy ride in the media.


Don’t worry the state is planning to make all GP care free, like the under 6’s program. There’s no plan on how to pay for it, but that’s only a minor detail.


----------



## Paul O Mahoney (11 Jul 2021)

HyperionDayz said:


> I don’t seem to be able to post a link, but just search ‘consultant salary ireland’ in Google and an Irish Times article from May 2021 should pop up. RTE reports the same.
> 
> This is the new public only consultants contract and will be worth €252,000 by the end of it. For about 10 years the contract for new consultants mandated a max of 10% private hours and a salary of ~€130,000. Prior to that point, senior consultants were on ~€250,000 and had unlimited private hours.
> 
> We are unable to fill ~500 consultant roles mainly because we have about half the consultant numbers of other countries and therefore the role has far too much responsibility and hours of work. Mind you our junior consultants working in the private US healthcare are making between $300,000 - $400,000 depending on their speciality. These are the consultants they’re trying to entice back.


So, it's consultants, not Doctors.
There is a difference between the two professions.


----------



## HyperionDayz (11 Jul 2021)

Paul O Mahoney said:


> So, it's consultants, not Doctors.
> There is a difference between the two professions.


GPs are not employed by the state and the majority of other ‘doctor’ roles within the healthcare system (SHO, Reg, SPR etc) would be considered to be a consultant-in-training. So yes when I refer to a doctor, I mean a consultant.


----------



## Paul O Mahoney (11 Jul 2021)

HyperionDayz said:


> GPs are not employed by the state and the majority of other ‘doctor’ roles within the healthcare system (SHO, Reg, SPR etc) would be considered to be a consultant-in-training. So yes when I refer to a doctor, I mean a consultant.


So all doctors will become consultants?
That's a fairly broad assumption and of course isn't actually happening.
If you meant consultant why didn't you say consultant?

Your post inferred that all Doctors were earning €250k which is incorrect.


----------



## Purple (11 Jul 2021)

Paul O Mahoney said:


> So all doctors will become consultants?
> That's a fairly broad assumption and of course isn't actually happening.
> If you meant consultant why didn't you say consultant?
> 
> Your post inferred that all Doctors were earning €250k which is incorrect.


There are plenty of GPs earning €250k a year. The figure for average earnings is artificially low since a large proportion of GPs work part time.
It’s also worth noting that GPs with a GMS contract receive a very generous quasi-public sector pension.
Hospital doctors receive an even more generous pension so add 30% to the salary figures you read about.


----------



## Purple (11 Jul 2021)

Paul O Mahoney said:


> So, it's consultants, not Doctors.
> There is a difference between the two professions.


Consultants are doctors.


----------



## Purple (11 Jul 2021)

HyperionDayz said:


> There’s no way that the current situation is sustainable. We’re already spending 40% of all taxpayer funding on healthcare and it’s clear that is going to exponentially increase with our aging population and the removal of private healthcare. Rather than the standard consensus building of holding hands with every employee, someone needs to create a proper vision and a timeline for cost savings. While I think many in the HSE do a difficult job with little recognition, we need to implement rather than issuing a new report or having another consultation that leads to nothing. Let the doctors go on strike and the public can understand more about the €250,000 they’re making and complaining about it.


We have a relatively small public sector in this country but we spend a lot on health, with a disproportionately large amount of that on wages. 
Health spending is hard to measure since different countries put different things into their health budgets.
The worrying thing here is our relatively young population and that large spend on wages plus the gross structural waste.


----------



## Paul O Mahoney (11 Jul 2021)

Purple said:


> There are plenty of GPs earning €250k a year. The figure for average earnings is artificially low since a large proportion of GPs work part time.
> It’s also worth noting that GPs with a GMS contract receive a very generous quasi-public sector pension.
> Hospital doctors receive an even more generous pension so add 30% to the salary figures you read about.


There's always going to be some earning 250k and let's say for argument's sake that's net of costs they might incur by running clinics. The averages I've seen are nowhere near €250k and even the Irish Patients Association gives a figure of 110-140k before costs.
Those with medical card patients do earn more but we know that that's not equal income.
I thought we were discussing wages not benefits but if the average hospital doctor was on €150k after years of service the additional 30% would get them to €200k, still not €250k.

After saying that what this discussion has to do with the hacking of the HSE computer system is beyond me.


----------



## HyperionDayz (11 Jul 2021)

Ok so we’ve established that:

- consultants are doctors and are paid €250k
- some GPs make a lot of money, but are actually private contractors to the state
- the HSE has not invested substantially in IT services, eHealth or Digital Health

What does everyone think of the idea of utilising a national network of computers that covers 97% of the population that could allow patients to manage their own health data? That computer or should I say mobile phone attends every health visit and could just as easily carry the data between visits.


----------



## Sophrosyne (11 Jul 2021)

HyperionDayz said:


> What does everyone think of the idea of utilising a national network of computers that covers 97% of the population that could allow patients to manage their own health data?



I think this should be on a new thread.


----------



## EmmDee (12 Jul 2021)

HyperionDayz said:


> What does everyone think of the idea of utilising a national network of computers that covers 97% of the population that could allow patients to manage their own health data? That computer or should I say mobile phone attends every health visit and could just as easily carry the data between visits.



A couple of problems with that. First of all security - a phone can be hacked reasonably easily. Second is data security - If you are proposing that the data is stored on the phone, what happens if you lose your phone. So it would only really work if you're talking about an app with the data stored elsewhere.

In the US there is data portability between medical providers - but there is quite a stringent requirement on data protection and permission around access


----------



## Purple (12 Jul 2021)

EmmDee said:


> A couple of problems with that. First of all security - a phone can be hacked reasonably easily. Second is data security - If you are proposing that the data is stored on the phone, what happens if you lose your phone. So it would only really work if you're talking about an app with the data stored elsewhere.
> 
> In the US there is data portability between medical providers - but there is quite a stringent requirement on data protection and permission around access


Humanity was able to put a man on the Moon almost 50 years ago so securing data to have a universal patient identifier is not beyond the realms of human endeavour. Let's see if we can drag our Healthcare system into the latter half of the 20th Century. I know all the evidence to date suggests otherwise but I think we can do it.


----------



## EmmDee (12 Jul 2021)

Purple said:


> Humanity was able to put a man on the Moon almost 50 years ago so securing data to have a universal patient identifier is not beyond the realms of human endeavour. Let's see if we can drag our Healthcare system into the latter half of the 20th Century. I know all the evidence to date suggests otherwise but I think we can do it.



The question was asked whether phones could be used as the core storage for people's medical data - nothing to do with a universal patient identifier and data storage. I was pointing out the fact that phones are problematic as the key device for managing medical data.


----------



## Purple (12 Jul 2021)

EmmDee said:


> The question was asked whether phones could be used as the core storage for people's medical data - nothing to do with a universal patient identifier and data storage. I was pointing out the fact that phones are problematic as the key device for managing medical data.


Using your phone as a key to access your data though, that shouldn't be a problem. 
At the moment the same person can have multiple patient numbers in the same hospital. That is just one of the thousands of ways we waste what adds up to billions in our health service each year.


----------



## EmmDee (12 Jul 2021)

Purple said:


> Using your phone as a key to access your data though, that shouldn't be a problem.
> At the moment the same person can have multiple patient numbers in the same hospital. That is just one of the thousands of ways we waste what adds up to billions in our health service each year.



I don't disagree on having a single identifier. Again - the proposal was that phones be used as the storage of your data. I already said an app as the identification isn't a bad idea. But the question was about where the data is stored securely


----------



## Leo (12 Jul 2021)

HyperionDayz said:


> Sounds very
> 
> Sounds remarkably similar to the industrial printer for government buildings that couldn’t fit into the building.


The printer problem happened after the scanner one, but shows a pattern for government procurement issues with no repercussions for those involved.


----------

