Malcolm Byrne (Fianna Fail) | Oireachtas source

Like others, I welcome the Minister of State to the House and wish him the best in his new role. I know he will put his heart and soul into it.

The issue I raise is the HSE cyberattack. Next week is the third anniversary of the detonation of the Conti ransomware, which caused widespread disruption in the health service at the height of the pandemic. This was the result of a malware infection that gained unauthorised access to the system on 18 March 2021. It remained there for eight weeks, at which point the Conti ransomware, which emanated from Russia, was detonated. There has been a global increase in cyberattacks and ransomware in recent years. On the basis of information provided to me at different stages or in the public domain, we know the immediate cost to the State of the cyberattack in May 2021 was €37.5 million. A year later, the cost to the taxpayer had risen to an estimated €101 million, although it was acknowledged that the full cost had not been quantified. When I asked about this last year, the running cost to the State stood at €144 million. That is not the entire cost because the personal details of 100,000 staff and patients were compromised and I have no doubt the delays to patients being seen also had serious consequences for their health.

In December 2021, the HSE commissioned PwC to conduct an independent review of what happened in order to establish the facts and identify lessons for the HSE and other Government agencies and Departments because if this were to happen again in any other area of society, it could be serious. I appreciate the Minister of State is taking this Commencement matter on behalf of the Minister for Health. I would be grateful if he could indicate the most recent cost to the taxpayer of remedying the challenges and how far the HSE has gone in implementing the recommendations in the PwC report. These included implementing minimum cybersecurity requirements, establishing a cybersecurity oversight committee and establishing a transforming IT and cybersecurity committee at board level in the HSE to oversee this serious issue.

I also have a specific concern.The PwC report, which the HSE accepted, recommended that there was need to appoint both a chief technology and transformation officer at very senior level within the HSE and a chief information security officer. In March 2022, the HSE said that both of these posts would be filled by the end of 2022. The posts had been filled on an interim basis but they were not filled by the end of 2022. We were told the search was delayed until 2023 as a result of a review of the job descriptions. One of the concerns I have is that those posts are still being advertised. I appreciate the successful candidate for the chief technology and transformation officer role withdrew after being made an offer, but I am concerned these two vital posts have still not been filled by the HSE. I realise there is a difficulty with regard to getting staff in cybersecurity but it is critical they are filled. While I appreciate the Government has invested in the National Cyber Security Centre and bumped up both personnel and resources, an attack like this on any aspect of Irish society is very serious.