Seanad debates

Wednesday, 10 May 2023

Commencement Matters

Cybersecurity Policy

10:30 am

Malcolm Byrne (Fianna Fail)

I welcome the Minister of State. This weekend marks the second anniversary of the largest ever cyberattack on a State institution or agency. As far as we know, it is the largest cyberattack ever in the State. The attack in question was, of course, on the HSE and resulted in up to 7,000 patient appointments being delayed or cancelled. As we now know, up to 100,000 letters have been sent to patients, with a significant number of them being informed of potential data breaches. When I raised in November 2021 a similar Commencement matter with then Minister of State, Deputy Feighan, regarding the cost and the actions to be taken, he informed me that, as a result of the cyberattack, €37.5 million had been spent in the first six months to address IT infrastructure. At the beginning of this year, the Committee of Public Accounts was told that the Department of Health had spent €1 million and the HSE had spent €53 million but that sum was scheduled to rise.

It is important that we know the cost and the reason it is important to invest in this infrastructure, but also the steps that have been taken to avoid similar attacks on the HSE or other State agencies under the Department of Health or on a wider government level. The number of cyberattacks on State institutions and agencies is increasing. Many of those involved in perpetrating the attacks do not care what their target is. As part of hybrid warfare, they will target vulnerabilities in the infrastructure. In many cases, there are state-sponsored or state-condoned attacks, mainly emanating from four countries, namely, Russia, China, North Korea and Iran. We know the attack on the HSE emanated from Russia. As I stated at the time, I am very concerned that although there were protests at the Russian embassy with regard to the attack, no stronger action was taken. I used the example of Albania, which has a much less developed infrastructure than Ireland. In September 2022, when Iranian authorities attacked Albania and there was a ransomware attack on a number of government agencies, Albania decided to cut all diplomatic ties with Iran. I am not suggesting we do that with Russia but a serious question needs to be asked about our cyber defences. We know that evidence from the European Union Agency for Cybersecurity and Microsoft is that in 2022 the proportion of state supported cyber attacks has increased from 20% to 40%, as a proportion of the overall attacks. A lot of this is because of Russia's attacks on Ukraine, but also increasingly on those who are allied or perceived as supporters of Ukraine. Our health service is a critical piece of infrastructure. We know about the damage done when it was attacked in the middle of a pandemic. We have, unfortunately, seen a global increase in these types of attack.
I hope the Minister can outline to us today what actions have now been taken, the level of security now in place to ensure it does not happen again and to inform us of the costs and what other actions may need to be taken.

Niall Collins (Limerick County, Fianna Fail)

I thank the Senator for raising this matter, and I welcome the opportunity to outline the current position. He is referring to the criminal ransomware attack on the HSE in May 2021. The cost of the response and recovery from the cyberattack was €50,909,769. In 2022, the cost incurred was €38,796,638. This is a total cost for those two years of €89,706,407. It must be recognised that all organisations that operate online are operating in a threat landscape of cyberattack, given the global economic and geopolitical uncertainty. Finance and health are two areas of particular interest to cyber criminals, given the sensitivity and inherent value of the data managed within these sectors. This continuing threat will need to be mitigated by ongoing and sustained investment to strengthen cyber resilience and to ensure a secure foundation on which to build our technology, data and health information. Cybersecurity is, therefore, an important priority for the Government, which has allocated funding to the HSE to strengthen its cyber resilience. A further allocation of €54.88 million was provided as part of the service plan for 2023, to enable the HSE to act on the recommendation of the independent post-incident report. That report was commissioned by the board of the HSE in the immediate aftermath of the cyberattack.

A commitment to further investment in the coming years is also required to ensure the HSE continues to build the cyber resilience necessary to reduce the impact of further cyberattacks. A clear plan is in place for work to be done in 2023 and progress is actively monitored by the Department of Health. The national cybersecurity centre is also engaged directly with the HSE to support, advise and ensure compliance with the appropriate national infrastructure security directives. The investment being made to build cyber resilience covers a wide range of actions including staff training, process change, upgrade of technology and equipment, and funding of a significantly enhanced cybersecurity operations centre. Some practical examples of actions taken by the HSE include the ongoing training of staff, so that they are aware of the risks associated with opening unsolicited email and clicking on links that are not verified. There are also simulated phishing attacks and monitoring of the effectiveness of training programmes and communications with staff to deal with this type of attack. The HSE is replacing and upgrading legacy applications that had exposure to cyberattack. The Windows 7 estate is being reduced from more than 30,000 devices to fewer than 600 currently, with active monitoring of the remaining devices, which cannot yet be eliminated because they support applications that are still needed. The remaining Windows 7 estate will be eliminated. Older applications are being taken offline completely or access is only provided to users as and when required. There is investment in the replacement and upgrade of underlying ICT technical infrastructure, including servers, firewalls, networks and end-user devices. Services and applications have been migrated to the cloud, and there is significantly enhanced active monitoring of threats by a cybersecurity operations centre, tagging and classification of threats and associated interventions to deal with these threats.
Finally, a prioritised list of actions and interventions is in development for the future based on the recommendations of the independent post-incident report.

Malcolm Byrne (Fianna Fail)

I thank the Minister of State for his response. He has provided us with pretty eye-watering figures. We know that to the end of 2022, simply for response and recovery, the State has had to spend €89.7 million. In addition, as part of the service plan to upgrade the systems, we are looking at the spending of almost €55 million. It has not stopped yet. As the Minister of State indicated, the work continues. For instance, he mentioned Windows 7 is still being operated on a number of devices, when Microsoft stopped repairs and updates for Windows 7 in early 2020. It is still a concern. I appreciate there is a small number of devices in place. This has to be a top priority for all of Government, and not just for the Department of Health. We cannot have that kind of data breach in the future. The lesson needs to be learned from the HSE, for all Departments and agencies.

Niall Collins (Limerick County, Fianna Fail)

The HSE has introduced important changes to the governance of cybersecurity across the organisation based on the recommendations of the post-incident report. An interim chief technology and transformation officer and chief information security officer were appointed in 2022. Competition to fill these roles on a permanent basis is under way. Members of the HSE executive management team formed the oversight committee for the implementation of the recommendations of the post-incident report. Finally, the board of the HSE has established a new subcommittee for transformation and technology with responsibility for oversight of ICT and cybersecurity. I thank the Senator for raising this important issue and I assure him and the House that this important matter will also be closely monitored by the Department of Health.

Sitting suspended at 11.18 a.m. and resumed at 11.30 a.m.