Five years on from the Conti ransomware attack that brought the Health Service Executive (HSE) to a standstill, the most important observation about the current landscape of healthcare cyber security threats is not that the HSE has recovered. It has, significantly. The observation that should concern every Irish healthcare provider, MedTech company, and digital health supplier is that the adversary has moved at the same pace. For organisations wanting to understand what specialist expertise is needed to navigate this environment, our article on Why Healthcare Consulting Requires Specialist Expertise sets out the framework in detail.
In May 2021, the HSE suffered a major ransomware cyberattack which caused all its IT systems nationwide to be shut down. It continued to cause nationwide IT outages, EHR downtime, health data exposure, and appointment cancellations across Ireland's publicly funded healthcare system for more than four months. The attack remains the largest ever recorded against a health service. What it revealed about the gap between attacker capability and defender readiness in healthcare has not closed. In some respects, it has widened.
The most important lesson from the 2021 attack is consistently underweighted in retrospective discussions: the initial access was not sophisticated. On 18 March 2021, somebody from the HSE clicked on a spreadsheet sent to them in a phishing email. The malicious code gave the attackers a foothold from which they used Cobalt Strike to deploy Conti ransomware throughout the HSE's systems, and the attack went undetected for approximately eight weeks.
The HSE's antivirus software detected the execution of two software tools commonly used by ransomware groups on the patient zero workstation on 31 March 2021, but the antivirus software was set to monitor mode, so it did not block the malicious commands. The attack succeeded not because the perimeter was breached by a technically advanced exploit, but because of a combination of a single phishing email, an antivirus set to the wrong mode, and an organisation with no CISO and a fragmented IT estate that had never been designed with resilience in mind.
The damage was catastrophic because of everything that came after initial access, not because of how access was obtained in the first place. That distinction matters enormously for how healthcare organisations frame their healthcare cyber security strategy today.
Today's cyber attackers are "professionally run organisations with HR departments, away days, and bonuses", according to the HSE's head of cyber security, Neal Mullen. That framing deserves to sit at the centre of every board-level conversation about healthcare cyber security threats in 2026. (RTÉ)
The adversary is no longer a lone operator exploiting an unpatched vulnerability. It is a structured, funded, incentivised enterprise operating with the discipline and resources of a mid-sized commercial organisation. It has repeatable processes, defined roles, and performance targets. It invests in research and development. It iterates on what works.
The phishing email that initiated the HSE attack was, by current standards, relatively straightforward. Today the same initial access vector is being executed with AI-generated content that mimics the writing style of known colleagues, references real organisational context, and bypasses the pattern recognition that security awareness training has historically relied upon. The "suspicious email" instinct that security teams have spent years building into staff behaviour is becoming a less reliable defence precisely because the lures have become less suspicious.
This is not a future risk. It is the current operating environment for healthcare organisations across Ireland and the UK, and it demands a corresponding evolution in both technical controls and staff awareness programmes.
The HSE's own assessment following the 2021 attack pointed to the fragmented nature of its IT estate as a significant contributing factor to the scale of the damage. The HSE's history as an amalgamated organisation made it more vulnerable to attack as its systems had not been fully integrated. Five years later, the equivalent structural vulnerability for most Irish healthcare providers and MedTech companies sits in their supply chain.
The question for every organisation examining its exposure to healthcare cyber security threats in 2026 is not whether its own environment is stronger than the HSE's was in 2021. The more important question is whether its third-party vendors, supply chain partners, and connected systems have been assessed with the same rigour applied to the core environment. In most cases, they have not.
Suppliers with privileged access to clinical systems, integration partners connecting into patient data environments, and MedTech vendors with remote maintenance access all represent potential initial access points for a threat actor operating with the patience and methodology of a professionally run organisation. NIS2 readiness requirements make explicit that supply chain security is an organisational obligation, not a vendor's responsibility to self-certify.
Effective supply chain cyber risk assessment in healthcare maps every third party with access to clinical or operational systems, categorises that access by sensitivity and dependency, and applies proportionate assurance requirements to each relationship. It produces a documented, auditable picture of third-party risk that satisfies both internal governance expectations and the requirements of regulators and oversight bodies asking increasingly specific questions about how supply chain access is controlled.
The HSE's response to the 2021 attack has been substantive. The security function has grown from fewer than ten people to seventy. A CISO role that did not exist at the time of the attack has since been filled. Investment in detection, response capability, and governance has increased materially.
The lesson this progress offers to other Irish healthcare providers and MedTech companies is instructive. The gap that existed in the HSE in 2021, between the scale of the organisation's digital dependency and the maturity of its security function, is a gap that exists in varying degrees across the sector today. The difference is that the organisations that have not yet experienced a significant incident have not yet had the forcing event that compels investment.
Waiting for that forcing event is not a defensible position. The threat has professionalised. The regulatory environment, through NIS2 and evolving DSP Toolkit requirements, is hardening. And the consequences of a major cyber incident in a clinical environment are measured in patient harm, not only in data loss or reputational damage.
At Santegic, we work with healthcare organisations and MedTech companies to assess their current security posture honestly, close the supply chain and governance gaps, and build the documented, auditable resilience that regulators and oversight bodies now expect.
The fifth anniversary of the HSE attack is a useful moment to take stock. The HSE has made real progress. The threat has made real progress too. The asymmetry between a professionally organised, well-resourced adversary and a healthcare sector still building its security maturity is the defining challenge for Irish healthcare cyber security strategy in 2026.
The attack in 2021 began with a phishing email and succeeded because of governance failures, not technical ones. The organisations best protected against the equivalent attack today are those that have addressed the governance layer, the supply chain layer, and the cultural layer of their security posture alongside the technical one.
If your organisation is ready to assess its exposure to current healthcare cyber security threats and build a strategy that matches the professionalism of the adversary, Santegic's healthcare consulting services are available to support you. Get in touch to discuss where the most significant gaps lie and what a proportionate response looks like for your organisation.
Santegic Cyber delivers specialist healthcare cyber security strategy, supply chain risk assessment, and NIS2 readiness advisory to Irish and UK healthcare providers, MedTech companies, and digital health suppliers.