An independent report on a cyberattack on Ireland’s health service in May found that the consequences could have been even worse than they were.
The ransomware locked personnel out of their computer systems and “severely” disrupted medical care in the country.
But the report said it would have been worse if the data had been destroyed or the Covid-19 vaccination systems or specific medical devices had been affected.
He added that the attack had a “much greater” impact than initially expected.
The report, from PricewaterhouseCoopers (PWC), commissioned by the healthcare executive, found that systems remain vulnerable to even more serious attacks in the future.
Irish technology systems were “fragile” and several opportunities to spot red flags were missed, cybersecurity experts found.
The attackers demanded payment to restore access to the computer systems, and it took four months for the service to fully recover.
On March 18, someone from the Irish Health Service Executive (HSE) opened a spreadsheet that had been emailed to him two days earlier. But the file was compromised with malware.
The criminal gang behind the email spent the next two months making their way through the networks.
There were multiple warning signs that they were at work, but no investigation was launched, and that meant a crucial opportunity to intervene was missed, according to the report.
Then at 01:00 BST on Friday May 14, the criminals unleashed their ransomware.
The impact was devastating.
Pen and paper
More than 80% of the IT infrastructure was affected, with the loss of information and key diagnoses of the patient, causing serious impacts on the health service and the provision of care.
The HSE employs some 130,000 people to provide health and social care to five million Irish citizens.
But all the computer systems were down. Doctors, nurses, and other workers lost access to patient information systems, clinical care, and laboratories.
Emails went down and staff had to resort to pencil and paper.
Lab test data had to be handwritten and entered manually, which carried a higher risk of errors.
Thousands of people’s medical care was interrupted.
A GP received a phone call from a consulting surgeon questioning the location of a patient who was to undergo surgery, when that person had already been operated on, according to the report.