The Health Service Executive (HSE) has yet to permanently fill top-tier cybersecurity positions, three years after a substantial ransomware attack that disrupted patient care and put at risk the personal data of 100,000 people. The outdated Windows 7 system still runs on some HSE devices despite the known risks. However, Minister of State Alan Dillon gave an assurance that these devices are under active observation until support systems are ready.
A HSE-commissioned review by independent consultants PwC recommended the hiring of a chief technology and transformation officer (CTTO) and a chief information security officer. This was highlighted by Fianna Fáil Senator Malcolm Byrne, who was concerned that these key positions are still being advertised three years after the May 2021 attack. Mr Byrne expressed apprehension over the potential fallout of another comparable attack, despite recognised recruitment difficulties in the IT sector and government investment in national cybersecurity.
Additionally, the senator drew attention to the substantial financial impact of the attack, with immediate costs to the nation amounting to €37.5 million in May 2021, and an estimated €101 million one year later. He disclosed that the previous year’s ongoing expenses had escalated to €144 million. Meanwhile, Minister Dillon, standing in for the Health Minister Stephen Donnelly, reported that the attack’s aftermath and subsequent recovery process cost taxpayers around €102 million. He also indicated that a distinct €55 million fund is earmarked for the 2024 National Service, to help the HSE implement the independent report’s recommendations.
The Minister also noted that following the ransomware attack and subsequent recommendations from the PwC report, significant changes in IT governance have been made and the HSE has committed to training, upgrading technology, and changing processes.
The spending included the “modification and enhancement of prevailing legacy applications followed by the discontinuation of Windows 7, alongside vigilance over those devices which can’t be discontinued just yet, until appropriate support applications are installed.” Mr Byrne expressed his concern, emphasising how attractive the health and finance sectors are to cybercriminals because of the valuable information they manage.
The Health Service Executive (HSE) has dramatically increased its investment in cyber remediation since the incident. They “counter numerous cyber-attacks every year, adopting suitable measures to stay abreast of ongoing threats”. Consistent and continuous investment to bolster cyber resilience is deemed essential. “The government considers it a critical priority and has therefore allocated funding to the HSE for the enhancement of their cyber resilience.”
Despite these efforts, Mr Byrne expressed his concern, saying, “It’s disconcerting that the end of the Windows 7 estate still seems to be part of the process. Plus, we are missing two key roles – a chief technology and transformation officer and a chief information security officer.”
Mr Dillon gave an assurance that “additional controls have been implemented by the HSE to oversee and counter any system threats”. Additionally, the HSE has secured a High Court order prohibiting the sharing, processing, or selling of data. In response to the attack, cyber security networks have been actively monitoring internet activity, including the dark web.