The sheer amount of data held by the HSE on Irish citizens is not something that we think about, most of the time. The information, after all, is held for good reason, and most of us trust our doctors and hospitals. Nonetheless, it is worth considering just how much information hackers can potentially access, if they are so minded:
Ireland’s contact tracing database of people who either have contracted Covid-19 or have been close contacts has over 5.1m records.
Details held for all contacts include name, phone number, address and Eircode, and mother’s maiden name, while data for positive cases includes occupation, ethnic background, underlying conditions, pregnancy, and international travel history.
The database can be accessed via a web portal and can be browsed by all HSE public health departments, all acute hospitals, Covid community assessment hub operators, HSE Live operators, and all people employed either directly or indirectly in the provision of contact tracing services, said Ms O’Beirne.
That’s 5.1m records just from Covid alone, with people’s personal data, addresses, and much more besides. Now imagine what they hold in all of their other databases.
The good news is that this morning’s attack on the HSE’s IT system appears to be what is known as a “ransomware” attack. That is exactly what it sounds like: The hackers shut down your system, knowing that you cannot operate without it, and demand a payment (probably a very large payment) to unlock your system and allow you to get back to work. The exact same thing happened in no less a place than the United States this week, and caused a crisis in fuel supply.
In general, with ransomware attacks, the hackers are just after money, rather than personal data. But this incident should, and does, raise severe questions about Ireland’s cybersecurity, and our preparedness to operate in a world of cyberwarfare.
That might sound dramatic – Ireland is, after all, a neutral country. You might think that our neutrality would protect us from being the target of cyberwarfare attacks. This morning, unfortunately, proves that theory incorrect.
It is incorrect because many modern cyber attacks do not come from state actors, but from sophisticated criminal gangs. Given the potential these gangs have to attack vital infrastructure, and demand payment in return, investing in state-of-the-art cybersecurity is a national imperative. Imagine, for example, that this attack was levelled not against the health service, but the electricity grid: It is not inconceivable that large parts of the country could be blacked out for days, in the depths of winter.
Ireland is a particularly juicy target for cyber-attackers, too, due to our role in the EU economy. Consider this fact, from the National Cybersecurity Strategy document, published in late 2019:
Ireland is home, according to some estimates, to over 30% of all EU data, and to the European Headquarters of many of the world’s largest technology companies. Our economic success is therefore closely bound up with our ongoing ability to provide a secure environment for these companies to operate here.
Indeed, just last year, the Irish Times, to their credit, were warning about the “critical concern” over Ireland’s cybersecurity.
In this country, for many decades, we have collectively lived under the assumption that our neutrality, general niceness, and good global reputation would protect us from hostile attacks. That is still true, most likely, in the case of traditional guns-and-tanks warfare. In the cyber realm, though, it simply is not true.
Ireland’s economy is particularly vulnerable to these kinds of attack, making us a very juicy target for those who want to profit from attacking us. That requires urgent, and sustained, investment in state-of-the art countermeasures.