Senior HSE cybersecurity roles still not filled three years after major ransomware attack – The Irish Times | #ransomware | #cybercrime

Senior cybersecurity posts have still not been permanently filled by the HSE three years after a major ransomware attack on the health service IT infrastructure that caused lengthy delays in patient treatment and compromised the personal data of 100,000 staff and patients.

The HSE also continues to use the outdated Windows 7 operating system on some of its devices, despite its vulnerability to attack, but Minister of State Alan Dillon said there is “active monitoring of those devices that cannot be eliminated yet before the support applications are in place”.

An independent review by consultants PwC commissioned by the HSE recommended the appointment of a chief technology and transformation officer (CTTO) and a chief information security officer.

Fianna Fáil Senator Malcolm Byrne raised concerns in the Seanad that three years on from the attack in May 2021 “those posts are still being advertised”.

“The successful candidate for the CTTO withdrew after being made an offer but I am concerned that these two vital posts have still not been filled,” he said.

The posts were to be filled by the end of 2022 but were only filled on an interim basis. “And we were told the search was delayed until 2023 because of a review of the job description.”

Mr Byrne acknowledged the difficulties in hiring IT staff, and that the Government has invested in the national cybersecurity centre and “bumped up both personnel and resources” but he expressed concern at the potential impact of another such attack.

He also expressed concerns about the cost of the attack. “It cost the state €37.5 million immediately in May 2021. A year later the estimate was €101 million to tax payer,” he said. “When I asked about the issue last year the running cost was €144 million to the State.”

The Minister said however that since the attack the cost to the taxpayer and the recovery process “was to the tune of €102 million”. Mr Dillon, who was standing in for Minister for Health Stephen Donnelly, added that “specific funding of €55 million was allocated as part of the National Service plan in 2024 to enable the HSE to act on recommendations of independent report”.

Mr Dillon said that following the attack and the PwC report recommendations, the HSE had invested in training, process change and upgrades in technology and significant changes in IT governance.

This investment included “replacing and upgrading legacy applications and the elimination of Windows 7 with active monitoring of those devices that cannot be eliminated yet, before support applications are in place”.

He said that finance and health are two areas that are of particular interest to cybercriminals because of the value of data managed within these sectors. The HSE has invested significantly in cyber remediation since the attack and responds “to thousands of attacks annually and takes appropriate action to ensure awareness of current threats”.

There would be ongoing and sustained investment to strengthen cyber resilience. “It is an important priority for Government and it allocated funding to the HSE to strengthen its cyber resilience.”

Mr Byrne said “I’m worried that the elimination of the Windows 7 estate is still appearing as being part of the process. And there is neither a chief technology and transformation officer or a chief information security officer”.

Mr Dillon insisted that “the HSE has implemented additional controls to monitor and manage the threat to the system”. The HSE had also obtained a High Court order restraining any sharing, processing or selling of data.

And “cybersecurity networks have been monitoring the internet including the dark web since the attack”.

Source link


National Cyber Security