Cyber Attack Updates
*Please also refer to previous communication on 2nd June 2021 if you have not already reconnected/restored your laptop on the HSE network
1. Getting your device certified as ‘Green’
Currently Tusla Staff who work on the HSE Network should only use their laptops when connected to the HSE wired network at their office desk. This is to ensure that your device is always protected with the latest updates until the recovery phase is completed. There is now a formal recovery process, known as the path to ‘Green’ to ensure your device is safe and protected. Once your laptop is certified as ‘Green’ it can then be used remotely again on your mifi or tethered phone.
To have your laptop declared ‘Green’ it must be reviewed by a field service engineer who will apply the required updates and certify it as ‘Green’ once all the checks are successfully completed. The same process applies to desktop PCs.
How to get your device certified as ‘Green’:
- Firstly, you must have changed your password since the cyber incident. Make sure that you use a strong password. A strong password contains uppercase, lowercase, symbols and numbers and must be at least 8 characters long. Do not use passwords that follow a similar pattern. For example, if your old password was Emma001, don’t change it to Emma002. You can change your password by pressing ctrl+alt+del together on your keyboard and select ‘Change Password’.
- PFH field service engineers and Tusla ICT staff have already visited some Tusla sites to complete the green process. If your device already has a green sticker then it is completed, and you can use it for remote working again.
- If your device was not already declared green (with a green sticker) then you must visit one of the drop-in Tusla ICT tech hubs that will be available in all Areas throughout the country from Tuesday 15th June. The locations of the tech hubs will be communicated locally by the Area manager’s office to all local staff on a staggered basis to ensure social distancing. Staff in national services can also attend the hubs and details of the locations will be available from your business managers. Tusla ICT staff at the tech hub will also be able to assist you with any questions you might have such as with accessing email or files shares again. We are looking forward to meeting you are your nearest Tech hub and getting you all back up and running on your ICT devices shortly.
- Please note the HSE is also running drop in hubs, if the location of the HSE hubs is convenient to you then you can also visit there instead to get your laptop ‘Green’ as we are both following the same process to ‘green’. The locations of the HSE hubs are listed on http:\\hse.ie\ictadvice
- If your laptop was already inspected by PFH and has failed the verification checks then the field service engineer will have labelled it with a Red sticker. If this has occurred, then the laptop must not be used. Please bring the device to your local tech hub for further review by Tusla ICT.
2. What will happen when I visit the ‘Green’ drop in tech hubs?
Tusla ICT will establish at least one hub in every Tusla Area, the hubs will likely be located in the larger Tusla social work offices in the Area. The whole process should take about one to two hours. For social distancing we ask that you simply drop in your laptop to our technician and then drop back later. We will check your laptop and install the latest protection systems. When you return, you will be asked to log in and at that stage we will run a ‘Green’ test to certify your laptop.
3. Latest update on the restoration of HSE email services
All email systems across the HSE network with 2 exceptions have now been restored. Most Tusla staff should now be able to access email as before, however we are aware of ongoing intermittent issues that will likely continue for another week or more until the restored emails systems are fully established.
Unfortunately, 2 groups of Tusla staff will remain without email for the time being. Firstly, staff on Lotus Notes (Tusla staff in the North East and North West) will not have email restored until a new Outlook based systems is rolled out in these Areas by the HSE over the coming weeks.
Secondly, some Tusla staff on the HSE network who use the new Tusla email system (known as 0365) will also unfortunately not be able to access their email for the time being as the HSE have disconnected the internet connection required by this system (this impacts about 300 Tusla staff). For the majority of Tusla staff who can now access email once again, please note the following important advice.
Accessing your email:
- Open your Outlook as normal, if you get the following message ‘Your mailbox has been temporarily moved ….’ then you should cancel and close Outlook. If this has occurred, then for now you must use Outlook Web Access instead to access your email for a temporary basis until the issue is resolved. You can access Outlook Web Access by opening your internet browser (Chrome or Internet Explorer) and entering the address below depending on the HSE network domain you use.
- East https://mailm.hse.ie/owa
- Midlands https://webmailq.hse.ie/owa
- Midwest https://webmailh.hse.ie/owa
- South https://mailp.hse.ie/owa/
- SouthEast https://webmaila.hse.ie/owa
- West https://guhmail.hse.ie/owa
- Healthirl https://mail.hse.ie/owa
- At this time, you should be aware that some colleagues on the HSE systems may still be having on going or intermittent email issues. We recommend you tick the ‘read receipt’ option when sending emails so you can be assured your colleague was able to access and read the email.
- #ThinkBuClick: Finally, and most importantly when accessing your email after it returns, all staff must be extremely vigilant of phishing emails. We are aware of a large number of emails received by staff in recent weeks that are seeking that you click a link, image or open an attachment. These phishing emails are extremely dangerous and could lead to your emails being extracted by a cyber attacker.
Phishing emails can be carefully constructed and may even have content that looks familiar to you or be from a spoofed email address of a colleague. Remember to #ThinkBuClick and always take your time before clicking a link or attachment to consider if the email is genuine. If you have any suspicions, contact the sender by phone to verify before opening. Always delete any phishing emails you receive. If the phishing email appears to contain genuine Tusla content or if you have any other concerns about the email then please report it Tula ICT and to the Data Protection Unit.
4. Latest update on the restoration of other ICT services and systems
- Applications: At this time all Tusla Applications such as NCCIS, CPNS, Therefore and the Portal are unavailable. However, much progress has been made in restoring, rebuilding, and getting these systems ready for relaunch over the last number of weeks. These Applications will return on a phased basis and further notifications will be issued to staff who use these systems as they become available. However, please be assured that all systems and all data will be restored, and you will shortly be able to return to these systems and to your files they hold just as they were before the cyber incident.
- Mifis and mobile phone tethering are now restored. You can resume using your laptop remotely once it is certified as ‘Green’ as outlined above. VPN remains unavailable at this time. Staff who use VPN for remote access can use mobile phone tethering or MiFi.
- All files shares should now be available for use one again. However, if for any reason your file share appears to still be unavailable then please advise your unit’s business manager who can report all escalated issues to Tusla ICT.
- Internet access: There is no internet access at the moment. This is a security precaution that will likely stay in place for some time to come.
- Printers: Printing is working in some offices, simply try print a test page to check. However, all offices that got new MJ Flood printers since Jan 1st were impacted as the servers used to manage these printers were damaged in the incident. These servers are now restored, and we hope to get these particular printers back up and running shortly. Each office will be advised locally as the MJ Flood team visit to restore these printers over the coming couple of weeks.
- Use of USB keys to transfer files from a HSE device to any other device is not permitted at this time.
5. ICT Assistance - Contact Details
- For support with your device, user account or password resets etc. please contact the HSE ICT dedicated cyber help line 1800 742 900 . You will need your work mobile to verify who you are when contacting the help desk.
- For any other queries the Tusla ICT help desk is also available at 01 7718570, TuslaICT@tusla.ie. Staff who have recently moved from the HSE network to the new Tusla network (TuslaIRL) can also contact this number for assistance.
- A Tusla ICT Cyber Incident Recovery Lead has been appointed to all Areas and all Directorates. The Recovery Leads will continue to be in regular contact with all Area Managers and Directors to co-ordinate the recovery for your service area.
- Update from ICT - Advice for Tusla Staff who work on the HSE Network - 2nd June 2021 @ 14:30
Steps to restore your laptop or computer on the HSE network
If you have not done so already you must undertake the following:
- Make sure your device (laptop or computer) is fully powered off (not in sleep mode).
- Connect it to a HSE wired network at your office desk.
- You can then turn on your device but do not log into your device.
- Leave your device for at least 30 minutes, powered on and connected to the wired network. Your device restores automatically.
- You can now log onto your device as normal.
- You will be prompted to change your password. Make sure that you use a strong password. A strong password contains uppercase, lowercase, symbols and numbers and must be at least 8 characters long. Do not use passwords that follow a similar pattern. For example, if your old password was Emma001, don’t change it to Emma002.
- If you are not prompted to change your password, call the Cyber Attack Support Service 1800 742 900.
- You will then see your desktop. It should look the same as when you last logged on.
- You can now access the local files on your device and use Word, Excel, PowerPoint on your device.
- Your mailbox and calendar should be the same as you last left it. Your old emails should still be there. Emails sent to you from the time our systems closed down may not be available.
If you have any problems or are unsure about anything, please call the HSE Cyber Attack IT support service 1800 742 900.
Where can I use my Laptop?
For now you should only work on your Laptop when connected on the HSE wired network at your office desk. Staff should not use their laptop away from the office.
This is to ensure that your device is always protected with the latest updates as you work.
Tusla staff on some HSE network domains (Healthirl, South, West) can connect to look up historical email and contacts. Staff should not send emails at this time as all Tusla emails are disconnected from external access, meaning all Tusla staff on the HSE network cannot receive external emails. It is expected that full Email for Tusla staff on the HSE network will be available from Tuesday 8th June.
For staff in the North East and North West, please note that the HSE have advised that Lotus Notes cannot be restored at this time. You will be provided with a new email service using your existing email address. We will communicate more details with you next week. The HSE have advised that in time read-only access will be provided to your old Lotus emails.
#ThinkBuClick: When accessing your email after it returns, all staff must be extremely vigilant of phishing emails. We are aware of a large number of emails received by staff in recent weeks that are seeking that you click a link, image or open an attachment. These phishing emails are extremely dangerous and could lead to your emails being extracted. These emails are carefully constructed and may even have content that looks familiar to you or be from a spoofed email address of a colleague. Remember to #ThinkBuClick and always take your time before clicking a link or attachment to consider if it looks genuine. If you have any suspicions, contact the sender by phone to verify before opening. Always delete any phishing emails you receive.
At this time all Tusla Applications such as NCCIS, CPNS, Therefore and Portal are unavailable. Applications will return on a phased basis and further notifications will be issued as they become available. However, please be assured that all systems and all data will be restored in due course as Tusla has multiple backups in place for all systems.
Some file shares remain encrypted and some are available. If your file share documents are renamed to .feedc (for examples notes.doc.feedc) then they are encrypted and should not be used for now. Please don’t be concerned as all files will be unencrypted as the HSE team work through each server. The cyber incident also left a readme note in all folders, this can be ignored and will shortly be deleted from all servers .
There is no internet access at the moment.
Phones and Mifi
Phones can be used for voice and text. Email and internet access on Tulsa phones on the HSE network is not currently available. Remote access via mifi, phone tethering and VPN is not available.
Printing is working in some offices, simply try print a test page to check. However, all offices that got new MJ Flood printers since Jan 1st have had their printers converted to stand alone photo-copiers for now to aid paper based working. We expect to be in a position to convert these back to printers next week, each office will be advised locally as the MJ Flood team visit to complete this work .
Remote workers with no access to an office on the HSE network
If you do not have access to an office on the HSE wired network, you will be able to take your device to a central hub near you, where we can check your device is safe. The HSE are expected to announce details of the hubs early next week.
Transferring files using a USB key
Do not use a USB key to transfer files from a HSE device to any other device.
For support with your device, user account or password resets etc please contact the HSE ICT dedicated cyber help line 1800 742 900 . You will need your work mobile to verify who you are when contacting the help desk.
For any other queries the Tusla ICT help desk is also available at 01 7718570, TuslaICT@tusla.ie. Staff who have recently moved from the HSE network to the new Tusla network (TuslaIRL) can also contact this number for assistance.
A Tusla ICT Cyber Incident Recovery Lead has been appointed to all Areas and all Directorates. The Recovery Leads will continue to be in regular contact with all Area Managers and Directors to co-ordinate the recovery for your service area.
- Update fromt Tusla ICT - Monday 31st May @ 11:00
Tusla staff who have already connected their HSE device to the HSE wired network for scanning and security updates as per our update on Wednesday (26/05), can now log on to their laptop/pc at their office desk. For today you can use your laptop/pc in the office, access your old File Shares if they appear for you (not all file shares are back just yet), you can also try to print (print will work in some offices today, others will return in the coming days). All other services (e.g. NCCIS & Email) will not be available until further notice. Tusla staff should NOT attempt to open Email. Mifi and phone tethering access should also not be used.
For those staff who have not yet connected their laptop/desktop to the HSE network, you will need to power on the device, connect to the HSE wired network via network cabled connection in the office for at least 30 minutes before logging on. More updates will follow during the week as more systems return.
Please adhere to social distancing rules and liaise with your line manager to access the office in a safe manner.
- Update from Tusla ICT - Wednesday 26th May @ 13:00
We are aware of a number of different messages on restoring HSE ICT services being issued. For clarity, can all Tusla staff please await messaging from Tusla ICT via text or on this web page before taking action. We can now advise Tusla staff on the HSE network to drop into your office and reconnect your device to the network but do not log on.
The steps are:
1) ensure your laptop/desktop is turned off,
2) connect to the wired network at your desk (not mifi),
3) Turn on you device.
4) DO NOT LOG IN.
This action is to arrange for your device to be scanned and updated. We still have a long way to go, staff will not be able to access their devices in the short term. In some offices HSE ICT staff are on the ground providing assistance for you which you can avail of with the steps above.
Social distancing protocols should be adhered to and may require organisation at local level.
Further messaging will follow in due course.
Regards Tusla ICT
- Staff update from Chief Executive, Bernard Gloster - Tuesday 25/05/21 @ 15:30
- Staff update from Chief Excutive, Bernard Gloster - Tuesday 18/05/21 @ 21:40
The above update can be read in newscast format here.
⁃ Update on current ICT challenges - Sunday 16/05/21 @ 19:30
Please do not turn on any Tusla device other than your phone, for any reason, unless advised by ICT. Line Managers should ensure this is communicated to all of their team.
As you will be aware, our systems (including email, referrals portal, and NCCIS) are currently not operating due to precautionary measures taken by the HSE.
The safety and welfare of children continues to be our priority. Referrals are being taken by phone only (via local duty social work offices).
Case work must continue and case notes should be hand written (as legibly as possible) and stored safely.
Staff may be required to attend briefing sessions in the coming days. Line Managers will have further updates for staff in the next 48hrs.
Office of the CEO