Wednesday, 24 November 2021
Nithe i dtosach suíonna - Commencement Matters
Senator Malcolm Byrne wishes to raise the need for the Minister for Health to make a statement on the cyberattack on the health service in May 2021, including the estimated costs and the impact on hospital procedures.
I thank the Minister of State for taking this matter. He will be aware that in May of this year, we had a ransomware attack on our health services. It was the largest known attack on a health service anywhere in the world. For this to happen to any health service is frankly disgraceful, but it is particularly disgraceful as we battle a pandemic. Credit is due to the IT staff who tried as quickly as possible to restore the systems in place. There was undoubtedly a considerable cost. While it is easy to measure the direct IT cost, and I am interested in hearing those figures, there is a broader cost in terms of the impact that the cyberattack had on health procedures. At the time, approximately 7,000 patient appointments were delayed each day as a result of the attack. That has consequences for all of those individuals and their families. Quite frankly, it was a terrorist attack. It is something that unfortunately we are going to see much more of. It is where the new battleground is going to be. Sadly, we are going to see state actors engaged to a far greater extent behind some of these cyberattacks.
This week, Grant Thornton Ireland published a report which estimated that the economic cost of cybercrime in Ireland last year was approximately €9.6 billion. That has very serious consequences for the economy. Obviously, an attack on something like our health services has serious impacts on people's lives. This time it was the health service, but I am worried that next time it could be water services or local authorities. An attack on our infrastructure has very serious consequences. I hope the Government has a strategy in place to prevent this happening not just within the health service but across all areas of critical infrastructure and indeed infrastructure more widely.
It is time to look at the broader question of how we address cybercrime and cyberterrorism. It is essential that we co-operate with our EU partners and indeed as part of the permanent structured co-operation, PESCO, because this is a matter of national security and defence.This constitutes an attack on the State, and as a State we must respond. We are not capable of simply responding on our own. We must respond with fellow democracies to some of these attacks. I hope the Minister of State can respond to my queries about the infrastructure that needs to be put in place here at a domestic level, but given that this is a matter of national defence and security, I believe we should also be taking part in some of the PESCO groups that are designed to combat cybercrime and cyberterrorism. This is where the wars and battles of the future are going to be fought. Earlier this year, Ireland had a salutary lesson that our systems are not up to scratch. I hope that the Government has in place a system so that if we experience a similar attack, we can address it.
I thank Senator Byrne for raising this very important issue. Cyberthreats are a global issue and they are not limited to healthcare. Increasing attacks on critical infrastructure are triggering widespread disruption across the globe and causing significant disruption to companies and State agencies. They impact directly on citizens, as the Senator has rightly outlined.
The Conti ransomware attack on the HSE of 14 May 2021 resulted in an immediate loss of almost all ICT systems, applications and communications networks needed to support the delivery of health and social care services. The impact on patient services and patients was on a scale not seen before. As an immediate response, the HSE took all systems offline to reduce the risk of further contagion while the situation was assessed. All technical staff were diverted to respond to the crisis, supported by senior management from across the organisation. At present, almost all ICT systems have recovered to full functionality. However, some remedial work is required on a small number of older, legacy ICT systems and this work is actively being progressed by the HSE.
There are significant financial costs associated with repairing the damage caused to the HSE’s ICT systems. Funding provided this year addressed the immediate risks to the HSE, including the recovery of systems and data affected by the attack, the upgrade and replacement of legacy systems, and the establishment of a security operations centre for enhanced monitoring of threats. The HSE estimates that these measures cost €37.5 million in 2021 and do not include the wider costs associated with the disruption to health services and patient impact.
I believe there is a need for sustained investment in ICT in the health service in the coming years to protect the health system from the risk of future attacks. The 2022 budget includes funding for the HSE to enhance cyber-resilience. The cyberattack against the HSE’s ICT infrastructure has been unprecedented in severity and scale, and this investment will support the maintenance of a modern and secure ICT infrastructure to mitigate any future attacks.
Considerable work is also under way at Government level to protect against future attacks. The Office of the Government Chief Information Officer has enhanced the Internet connections connecting the Government to the rest of the world and put in place mitigation measures to deal with attacks should they arise, such as performing real-time checks on Internet traffic to block access to reported malicious destinations to mitigate phishing attacks.
Departments are also moving to the build-to-share Government infrastructure model which protects the working environment and monitors malicious activity more efficiently. Plans are also in place to establish the National Cyber Security Centre on a statutory footing and to increase staff numbers to support the critical work they do in protecting infrastructure from future cyberattacks.
I thank the Senator again for raising this issue which has caused huge critical infrastructure malfunctions. It caused significant disruption to companies and State agencies, and it impacted directly on citizens. I thank all of the stakeholders for all the work they have done since that attack. I hope that the funding in place will help us to be aware and to minimise the impact on patient services.
I thank the Minister of State. I appreciate that he is able to measure the direct cost in the figure of €37.5 million this year. We are six months on and, as the Minister of State has said, it still has not been fully resolved. The indirect costs are much more difficult to measure but I have no doubt that we are talking about tens of millions of euro with regard to the loss of productivity and the impact it has had. It has also had an impact on patients' lives. My concern on the broader issue around cybersecurity relates to whether, as a State, we are taking it sufficiently seriously. It requires a cross-government approach. On top of that, I again encourage us to look at partnering with the EU and other democracies through PESCO and other agencies. This is a matter of national defence and security. The Minister of State has said that this attack was unprecedented. He is correct, but I must say to the Minister of State that we are going to see a lot more of it. That is why we need to take it seriously.
I thank the Senator for his contribution to the House on this important topic. Cyberthreats remain a persistent concern across a number of sectors globally. The disruption they cause to services, particularly during a pandemic, is devastating. It is galling that cyberattacks prey on our public healthcare system and our patients, and on some of the most vulnerable people in the State. I assure the Senator that my Department, and the HSE as the key target of the cyberattack in May, are working closely with the Office of the Government Chief Information Officer and the National Cyber Security Centre and its partners to strengthen ICT infrastructure and ensure that health services are resilient to future cyber-incidents.
As well as working with my colleagues in the Government to improve cyber-resilience at national level, my Department is also engaged at EU level to ensure robust cyber-resilience in all EU member states through the implementation of the national information security directive and the proposed critical entities resilience directive, which deal with the protection and resilience of critical entities such as health service providers.
In conclusion, I acknowledge the staff and colleagues in my Department, the HSE and other Departments and Government agencies who worked tirelessly during the ransomware attack to make sure that our health services were restored and, most importantly, that patients got the urgent care they needed.