‘Real arms race' on defending Irish health system against cyber attacks
There is a “real arms race” between cyber attackers and efforts to defend Irish health systems, a committee has heard.
The Public Accounts Committee also heard that 32,000 letters had been issued in recent weeks to patients, clients and staff affected by the 2021 Health Service Executive (HSE) cyber attack.
The ransomware attack – which took place during the height of the pandemic – resulted in the HSE having to close down its IT services, widespread delays and the cancellation of appointments at hospitals across the country.
Around 113,000 people whose information was illegally accessed during the cyber attack are due to be notified by April.
Those affected are given the option to request the data that was stolen during the attack, and to date 220 people have requested that information.
The committee heard that the Department of Health has not received any pre-litigation action in relation to the attack.
Evidence given to the committee indicates that the cyber attack cost the HSE 53 million euros and the Department of Health a further one million euros, with the costs spent on its immediate response and improving its cybersecurity.
Assistant secretary at the Department of Health Derek Tierney said that “2022 saw 43 million recurring investment provided or allocated to HSE and ringfenced for cyber purpose. And then again in 2023, we've added to that with 40 million once off to allow us necessary time just to understand what the longer term needs are”.
He added: “There's a state investment requirement just north of 675 million over seven years; we have just about reached that, but we need to do some further work just to analyse that in the context of where we currently are.”
Fran Thompson, chief information officer at the HSE, said there is a “real arms race between the attackers on one side and the defenders on the other”.
He said: “We have now got best-in-class cyber companies supporting what we do. And as I said before, we see a huge number of attacks daily that are notified to us.
“Some of them are benign, but they have to be followed up. I think it's 40,000 notifications we would have got last year and of those then we would follow those up and a number of them we would have reports about and then we will take actions where required.
“And part of this is around the speed of the response, and how we deal with something – not just around the notifications, (but) having all the processes and procedures in place that deal with the response very quickly.”
On the building of the National Children's Hospital, the committee heard that it could take up to mid-2025 before the Electronic Health Record (EHR) system is implemented fully as part of the build.
Mr Tierney said that 40% of new births are registered on an electronic health record already, but said there was a “funding issue” to roll it out further.
“What we have learned is that a single national instance rollout, I can count on one hand, probably three instances where we see it worldwide, even with a single vendor. So we have to understand that inter-operability is always going to play a part in linking our systems. Rolling out a national EHR will take time,” he said.
“The scale of investment for a national EHR rollout is probably north of a billion.”
When asked by Green Party TD Neasa Hourigan: “Are you saying you don't have the money to do digital health records?” Mr Tierney responded that they did not.
“We've no allocation for a full national rollout and that's an engagement that has to take place,” he said.