Seanad debates

Wednesday, 8 May 2024

Nithe i dtosach suíonna - Commencement Matters

Cybersecurity Policy

12:30 pm

Malcolm Byrne (Fianna Fail)

Like others, I welcome the Minister of State to the House and wish him the best in his new role. I know he will put his heart and soul into it.

The issue I raise is the HSE cyberattack. Next week is the third anniversary of the detonation of the Conti ransomware, which caused widespread disruption in the health service at the height of the pandemic. This was the result of a malware infection that gained unauthorised access to the system on 18 March 2021. It remained there for eight weeks, at which point the Conti ransomware, which emanated from Russia, was detonated. There has been a global increase in cyberattacks and ransomware in recent years. On the basis of information provided to me at different stages or in the public domain, we know the immediate cost to the State of the cyberattack in May 2021 was €37.5 million. A year later, the cost to the taxpayer had risen to an estimated €101 million, although it was acknowledged that the full cost had not been quantified. When I asked about this last year, the running cost to the State stood at €144 million. That is not the entire cost because the personal details of 100,000 staff and patients were compromised and I have no doubt the delays to patients being seen also had serious consequences for their health.

In December 2021, the HSE commissioned PwC to conduct an independent review of what happened in order to establish the facts and identify lessons for the HSE and other Government agencies and Departments because if this were to happen again in any other area of society, it could be serious. I appreciate the Minister of State is taking this Commencement matter on behalf of the Minister for Health. I would be grateful if he could indicate the most recent cost to the taxpayer of remedying the challenges and how far the HSE has gone in implementing the recommendations in the PwC report. These included implementing minimum cybersecurity requirements, establishing a cybersecurity oversight committee and establishing a transforming IT and cybersecurity committee at board level in the HSE to oversee this serious issue.

I also have a specific concern. The PwC report, which the HSE accepted, recommended that there was a need to appoint both a chief technology and transformation officer at very senior level within the HSE and a chief information security officer. In March 2022, the HSE said that both of these posts would be filled by the end of 2022. The posts had been filled on an interim basis but they were not filled by the end of 2022. We were told the search was delayed until 2023 as a result of a review of the job descriptions. One of the concerns I have is that those posts are still being advertised. I appreciate the successful candidate for the chief technology and transformation officer role withdrew after being made an offer, but I am concerned these two vital posts have still not been filled by the HSE. I realise there is a difficulty with regard to getting staff in cybersecurity but it is critical they are filled. While I appreciate the Government has invested in the National Cyber Security Centre and bumped up both personnel and resources, an attack like this on any aspect of Irish society is very serious.

Alan Dillon (Mayo, Fine Gael)

First, I thank Senator Byrne for raising this matter and I welcome the opportunity to address the current position on behalf of the Minister for Health, Deputy Donnelly. The Senator is, of course, referring to the criminal ransomware attack on the HSE in May 2021. The cost of the response and recovery from the cyberattack to the taxpayer in 2021 was to the tune of €102 million. It must be recognised that all organisations that operate online are operating in a threat landscape of cyberattack given the global, economic and geopolitical uncertainty that exists. Finance and health are two areas that are of particular interest to cybercriminals given the sensitivity and inherent value of data managed within these sectors.

The HSE has invested significantly in cyber remediation since the cyberattack in May 2021. The HSE manages and responds to thousands of cyberattacks annually and takes appropriate action to ensure awareness of current threats. The continuing threat will need to be mitigated by ongoing and sustained investment to strengthen cyber resilience and ensure a secure foundation of our technology, data and health information infrastructure.

Cybersecurity, therefore, is an important priority for the Government and it has allocated funding to the HSE to strengthen its cyber resilience. For example, a specific allocation of €55 million was provided as part of the national service plan in 2024 to enable the HSE to act on the recommendations of the independent post-incident report. The report was commissioned by the board of the HSE in the immediate aftermath of the cyberattack.

A commitment for further investment in the coming years is required to ensure the HSE continues to build the cyber resilience necessary to reduce the impact of further cyberattacks. A clear plan is in place for the work to be done in 2024 and progress is actively monitored by the Department of Health. The National Cyber Security Centre is also engaged directly with the HSE to support, advise and ensure compliance with appropriate national infrastructure security directives.

There are multiple ongoing programmes of work focused on addressing the issues highlighted by Senator Byrne in the wake of the attack, reducing risk, building cyber resilience, and building additional cybersecurity capability and capacity through the establishment of a dedicated cybersecurity function under the leadership of a chief information security officer within the HSE. The HSE continues to invest significantly in multi-layered cyber defences, including technology, processes and people in order to fend off cyberattacks. The investment that is being made building cyber resilience covers a wide range of actions, including staff training, process change, upgrades to technology and equipment and funding of a significantly enhanced cyber security operations centre. Some practical examples of these actions taken by the HSE include the following: ongoing training of staff, so they are aware of the risks associated with opening unsolicited emails and clicking on links that are not verified; simulated phishing and other cyberattacks and monitoring of the effectiveness of training programmes and communications with staff to deal with this type of attack; replacing and upgrading of legacy applications that had exposure to cyberattack; elimination of the Windows 7 estate, with active monitoring of those remaining devices that cannot be eliminated yet because they support applications that are still needed. The HSE has also introduced an important change in relation to the governance of cybersecurity across the organisation. Members of the HSE's executive management team form the oversight committee for the implementation of the recommendations of the post-incident report. Finally, the board of the HSE has established a subcommittee for transformation and technology with responsibility for oversight of ICT and cybersecurity.

Again, I thank Senator Malcolm Byrne for raising this important matter and assure him and the House that it is being closely monitored by the Department of Health.

Malcolm Byrne (Fianna Fail)

I thank the Minister of State for the response but I am afraid it does not tell us a lot more than we already knew from the reply I received this time last year. I am worried that issues like the elimination of the Windows 7 estate are still appearing as part of the process. There is a lot of emphasis placed on the leadership of a chief information security officer within the HSE but if one visits a jobs website one will see that post currently being advertised at a new national director level. That post has still not been filled, although I appreciate that somebody was filling in on an interim basis.

One of the questions I asked was about the total cost to the taxpayer to date but that is still not clear from the answer. In 2021 there was an immediate cost of €102 million. We have been told that there has been additional allocation in 2024 of €55 million but we have not been told the running cost to the taxpayer. Given some of the recommendations that were made, I am very concerned that, as of this moment, there is neither a chief technology and transformation officer nor a chief information security officer in place within the HSE.

Given the seriousness of this issue, there is very little in this reply. It is essentially the same reply that I received last year. The Minister of State will be aware of the implications of another cyberattack on our health service but his reply does not give me a great degree of certainty that it could not happen again. I ask the Minister of State to relay my concerns to the Minister for Health, particularly with regard to those senior posts. I am also still looking for the final running cost to the taxpayer.

Alan Dillon (Mayo, Fine Gael)

I thank the Senator for raising this issue and for giving me the opportunity to address it. I will take the questions he has raised today back to the Minister and departmental officials. As I outlined previously, the HSE has implemented additional controls to monitor and manage threats to the HSE network, including additional staff training and a strengthening of identity and access management processes and controls. There has been an additional allocation of €55 million in the service plan for 2024 to enhance cybersecurity.

The Department of Health is informed that the HSE has worked with international and national cybersecurity experts to protect against future attacks. It should be remembered that the HSE has also obtained a High Court order following the ransomware attack in May 2021 restraining any sharing, processing, selling or publishing of data illegally accessed and copied from computer systems. This order remains in place to prevent anyone from using any of the illegally accessed and copied information. HSE cybersecurity experts have also been monitoring the Internet, including the dark web, since the cyberattack back in May 2021. This continuing threat will need to be mitigated by ongoing and sustained investment to strengthen cyber-resilience and ensure a secure foundation to build our technology, data and health information on.

Again, I will take the questions the Senator raised with me today back to the Minister for a further response.