The cyber attackers who hacked the Health Service Executive's IT system had accessed the system eight weeks before it detonated the malicious software.

A report by PwC has found there were several "missed opportunities" after a phishing email was opened allowing the attacker access to the system, which caused devastating disruption across healthcare services.

It found that the HSE was operating on a frail IT system and did not have proper cyber expertise or resources.

A forensic examination of the hacker's activity showed that relatively well-known techniques and software were used to execute the attack.

The HSE said the cyber attack has cost approximately €100m.

Half of that cost has been incurred this year, with the remainder being spent on cyber initiatives next year.

The attacker first accessed the system when a phishing email was opened on a computer on 18 March.

Over the following eight weeks, it compromised a significant number of servers and accessed a number of accounts with high levels of procedures.

During this time, a number of hospitals reported malicious activity, but the significance of the activity was missed.

The conti ransomware was detonated in the early hours of 14 May.

The HSE shut down all its IT systems and a "war room" was set up in a building on Molesworth Street in Dublin and a "physical situation centre" was set up in Citywest.

PwC said the HSE is operating on a frail IT estate that has been lacking investment over many years to maintain a secure infrastructure and does not have the required cyber security to protect the operation of the health services.

It also said it is lacking the expertise and resources to detect, prevent or respond to a cyber attack of this scale.

It recommended the creation of two new key roles - a chief technology and transformation officer and chief information security officer - along with 24/7 monitoring.

It said: "The HSE does not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.

"This is highly unusual for an organisation of the HSE’s size and complexity with reliance on technology for delivering critical operations and handling large amounts of sensitive data."

The report found that the HSE was operating on a frail IT system

The report found that the HSE had only 15 full-time equivalent staff in cybersecurity roles, and "they did not possess the expertise and experience to perform the tasks expected of them".

The malicious software created ransom notes with instructions on how to contact the attacker who also posted a message on an internet chat room on the dark web.

This message had a link to several samples of data reportedly stolen from the HSE.

This report does not give information about the ransom or the criminals behind it but on the day of the attack the Government said a ransom would not be paid.

The HSE-commissioned investigation also found that the severity of the attack was reduced because of its simplicity, saying a more sophisticated attack could have involved gathering intelligence in advance and targeting areas including medical devices or the Covid-19 vaccination system.

Recovering from the attack could have been "considerably longer" if the criminals had not posted a link to a decryption key on 20 May.

"The low level of cybersecurity maturity, combined with the frailty of the IT estate, enabled the Attacker in this Incident to achieve their objectives with relative ease," it said.

The report praised the "dedication and effort observed at all levels", including HSE staff and affected hospitals, who went went "above and beyond" in their call of duty.

PwC said the HSE remains vulnerable to cyber attacks similar to this or attacks that may have an even greater impact.

HSE Chief Executive Paul Reid said: "We have initiated a range of immediate actions and we will now develop an implementation plan and business case for the investment to strengthen our resilience and responsiveness in this area."

HSE Chief Executive Paul Reid

In a statement, the HSE said it has implemented a number of high-level security solutions to address issues raised in the report.

These include a range of new cyber-security controls, monitoring and threat intelligence measures based on best international expert advice.

Speaking on RTÉ's News at One, Mr Reid has said that 50 incidents that are treated as potential cyber attacks are identified in the HSE system every week.

Mr Reid said that he was acknowledging that the cyber attack in May was not "identified at the level that it should have been".

He aid: "In reality we get across our network, this is probably, most definitely, the biggest network in the State - the HSE network.

"It's a very fragmented network and certainly we would see in any given week about 50 incidents that would be identified and addressed as potential cyber attacks.

"But obviously in this one, the significance of this one wasn't addressed to the level it should have been, or identified to the level that it should have been, and we're openly acknowledging that and that's our publication of the report today."

He added that the HSE did not wait until its publication and took a "range of immediate actions" to strengthen the security and monitoring of the network.

Mr Reid also said that there is a high level of repeat attacks on organisations once they go through a cyber attack.

He said: "What we have specifically done in relation to that is, as I just briefly mentioned, we've brought in an international firm who've been walking us through the cyber attack to carry out 24/7 monitoring on our network and increasing our resources and skills.

"We've certainly engaged all across the organisation and increased user awareness and controls put in place.

"We increased what is called multi-factor authentication, so people when they're logging into systems, that we can get greater clarity that it is the individual concerned logging in, so they may have to give two or three prompts of identification of their information."