Written answers

Thursday, 27 March 2025

Department of Health

Cybersecurity Policy

Malcolm Byrne (Wicklow-Wexford, Fianna Fáil)

381. To ask the Minister for Health the total sum spent on cybersecurity measures within her Department during each of the years 2022, 2023 and 2024. [14675/25]

Jennifer Carroll MacNeill (Dún Laoghaire, Fine Gael)

The health service was targeted by a criminally motivated cyber-attack in May 2021. The impact of this serious incident varied depending on the extent to which services relied upon technology, but in the main the ransomware attack had a devastating impact on the delivery of health services generally and specifically for patients who relied on them.

The HSE has invested significantly in cyber remediation since the cyberattack in 2021. An independent post-incident report (PIR), commissioned by the board of the HSE following the attack, highlighted areas that needed to be addressed. The HSE have been very effective in addressing all issues highlighted since the publication of that report. Recommendations from that report were ranked such that the ones that would have the most immediate impact and could be implemented soonest were pursued first. Following the immediate work to rebuild and reinstate systems and services, the HSE has produced a plan in January of each year to advise what will be prioritised in terms of building cyber resilience, and these plans are informed by the recommendations of the PIR. This is what forms the basis of investment in cyber resilience every year since 2021.

There are multiple ongoing programmes of work focused on addressing all issues highlighted in the wake of the attack, reducing risk, building cyber resilience, and building additional cyber security capability and capacity through the establishment of a dedicated cyber security function under the leadership of a Chief Information Security Officer (CISO) within the HSE.

The cost of remediation of services in the aftermath of the 2021 cyberattack was estimated by the HSE to be €102m (as of Nov 2024). The HSE continues to invest significantly in multi-layered cyber defences, including technology, processes, and people, in order to reduce the likelihood and impact of cyberattacks. The HSE allocated funding for specific actions within the voluntary sector also.

In order to address the ongoing risks associated with cyberattack and the need to build cyber resilience, the Government has provided additional, dedicated funding in recent years. There was an additional non-core funding of €40m in 2023, an additional allocation of non-core funding of €55m in 2024, and in 2025, the ICT & Cyber programme was allocated a total of €70m as part of core funding under the HSE National Service Plan.
