At 2.50am on Friday 14 May 2021, the Health Service Executive started to receive the first of multiple reports from hospitals of various IT systems being unavailable.

Just under two hours earlier, at around 1am, cyber criminals had executed ransomware attacks on systems within the HSE and across six hospitals.

At 4.36am, the HSE identified malicious encryption on multiple servers in its data centre and within minutes a 'critical incident process' was put into place.

At 7am, RTÉ News reported that the HSE had been the victim of a cyberattack.

Twenty-eight minutes later, the HSE issued a tweet notifying the public of the incident and of the shutdown of its services.

A 'war room' was established and as part of a preventative lockdown strategy, to contain the impact of the attack, the HSE switched off all of its IT systems.

Cybercriminals, believed to be linked to the Russian hacking group Conti, had carried out the ransomware attack.

Their aim was to disrupt the HSE's IT systems and steal data, including sensitive patient information.

They then demanded a ransom for non-publication of the stolen data and for digital decryption keys to unlock the systems they had disabled.

The Government insisted that no ransom would be paid.

Six days after the attack, the hackers released a decryption key which helped in the recovery process.

Unprecedented attack

The HSE has described the cyberattack as unprecedented in severity and scale.

One year on, it is still hard to comprehend the enormous levels of disruption caused by the breach.

An entire national health service was forced to shut down all of its IT systems while the country was in the middle of a pandemic.

Healthcare professionals lost access to patient information and laboratory systems with many of them reverting to pen and paper to continue patient care.

"People who were being diagnosed with cancer, who were due to have therapy, so much was cancelled because of the cyberattack. We don't know at all yet the human impact of this."

"Healthcare services across the country were severely disrupted with real and immediate consequences for the thousands of people who require health services every day," noted the PwC independent review of the cyberattack.

Staff could no longer use email and networked phone lines instead switching to mobile phones, fax machines and face-to-face meetings.

The reset button had been hit on systems used by 130,000 staff across 4,000 locations involving 70,000 electronic devices.

"The incident had a far greater and more protracted impact on the HSE than initially expected, with recovery efforts continuing for over four months," the PwC report notes.

The review traced the cyberattack back to a phishing email that had been opened two months previously, in March 2021.

Investigators identified several 'missed opportunities' before the attack. They also found that the HSE was operating on a frail IT system and did not have proper cyber expertise or resources.

The HSE says it is delivering on the recommendations in the PwC report and has engaged an internationally recognised firm to provide managed cyber defences and security operations.

Other measures that have been introduced include enhanced IT monitoring, email validation systems and additional email scanning.

So, one year on how much has changed and could a similar attack happen again?

Lessons learned?

"I see no lessons learned as of yet," said Peadar Tóibín leader of Aontú.

He has submitted a series of parliamentary questions to the HSE and the Department of Health to assess the scale of the disruption caused by the cyberattack.

"The way lessons should be learned is a proper investigation first and foremost. Aontú is calling for a judge-led investigation into the cyberattack," he said.

"The Department has told me it could cost up to €100 million to rectify the damage caused by the cyberattack but that is secondary to the impact on the many thousands of people whose healthcare was put on hold or stopped because of this."

"People who were being diagnosed with cancer, who were due to have therapy, so much was cancelled because of the cyberattack. We don't know at all yet the human impact of this."

Mr Tóibín is accusing the Government of serious underinvestment in cyber security, something which the Aontú leader believes could have much wider consequences.

"Ireland is a data island. We hold 30% of the EU's data and if we are going to be a weakness and a soft touch in terms of cyber defence, we will put at risk that whole area of foreign direct investment," he said.

IT staff shortages

One of the main recommendations of the PwC review of the cyberattack was the need for the HSE to hire more IT staff.

That is easier said than done. Recruitment of tech workers is incredibly competitive right now and the big multinationals based here pay far better than the public sector.

"It is close to impossible for the likes of the HSE to attract cyber security experts right now," said Ronan Murphy, CEO of cyber security firm SmartTech247.

"There are over two million vacancies in cyber security around the world. It's a tough sector to work in because of the unrelenting pressure. You have to be right all of the time, the bad guys only have to be right once and cyberattacks are growing, so too is their complexity," he said.

"It is very difficult to find the talent that is needed so what you see is some of the hospitals looking at outsourcing and strategic partnerships with companies that already have that talent and those capabilities," he added.

Peadar Tóibín believes the Government has no choice but to compete with the private sector when it comes to attracting IT experts.

"If you're spending €100 million to fix the aftermath of a cyberattack then the economics are very simple. The cost of not filling these posts would be far higher," he said.

The HSE says that when it comes to recruiting cyber security and IT staff, a number of appointments have been made and recruitment competitions are under way for other roles.

"The HSE faces similar challenges to other organisations where recruiting the best cybersecurity talent is an especially difficult task in a tight labour market where demand effortlessly outstrips supply," a spokesperson said.

The HSE says that alongside external recruitment campaigns it is also upskilling existing staff, utilising graduate intakes and internships as well entering cyber security partnerships.

Could it happen again?

One year on, could a similar attack happen again to the HSE or another government body?

"I believe it could, in fact I would say almost definitely," said Ronan Murphy of SmartTech247.

"We see that Conti is ramping up its activities. These guys are very sophisticated and know how to circumvent the tools that are being put in place."

Mr Murphy said that, in terms of impacts on systems, it doesn't get much worse than last year's cyberattack but he believes the HSE is taking steps in the right direction when it comes to investments in IT.

"As a health service, it still has an issue with 'cybersecurity maturity' and they are not there yet but it does take time," he said.

"I think the lessons that need to be learned are business continuity, data backup and protecting the most crucial and critical information to prevent it from being stolen."

A lot has happened in the year since the HSE cyber attack, not least the invasion of Ukraine by Russia.

The unrest caused by the conflict has led to a big increase in online warfare around the world.

Experts warn that when it comes to the next major cyberattack here in Ireland it is a case of when, rather than if.