HSE hack: IT staff were diverted from cybersecurity due to pandemic

Warnings were made about weaknesses in the IT network three years ago

‘We have world-class tools employed by world-class suppliers on our cybersecurity,’ said HSE chief executive Paul Reid. Photograph: iStock
‘We have world-class tools employed by world-class suppliers on our cybersecurity,’ said HSE chief executive Paul Reid. Photograph: iStock

Efforts by Health Service Executive IT staff to implement actions to improve cybersecurity were affected by the diversion of workers to computer systems to help battle the Covid-19 pandemic.

Warnings were made about weaknesses in the HSE’s IT network three years ago, and plans were made to take a series of actions to reduce the vulnerabilities identified in internal audits.

The HSE has not been able to say if the weaknesses were a factor in the devastating cyberattack that took place last week.

However, it has now emerged that efforts to strengthen the organisation’s computer systems were hampered when staff from the Office of the Chief Information Officer were redeployed and tasked with developing or running IT systems such as those used for Covid-19 testing and the vaccination rollout.

READ SOME MORE

The diversion of staff is noted in the HSE’s corporate risk register, which set out target dates for the implementation of actions to improve cybersecurity, mostly in late 2020 and across 2021.

The document says: “There are currently capacity constraints within the technical and operations section of the OCIO, and most of our resources have been deployed to Covid-related support and activities.”

It said the teams had been used to support community operations hubs, swabbing centres and contact tracing call centres as well as providing infrastructure to people working form home.

It says this “has and may continue to impact their ability to deliver” on the actions related to cybersecurity “in the agreed timeframe”.

The HSE’s annual report said that the OCIO had 318 staff.

Asked about the diversion of staff to Covid-related activities, HSE chief operations officer Anne O’Connor said: “They were all developing the Covid system, Covax” and “we were deploying people in to support IT during Covid.”

Network maintenance

Chief executive Paul Reid said this did not mean maintenance staff did not continue their work on the HSE’s network and he said there was a “significant part of our resources which are continuing to monitor our networks and sustain our networks”.

At a press briefing on Thursday, he was also asked about the weaknesses found in the HSE’s computer systems that were flagged in annual reports in 2018 and 2019.

Mr Reid said the investigations that found the vulnerabilities were initiated by the HSE and added: “If we didn’t have cybersecurity as a risk identified it would be shame on us. I’m glad the teams did identify it as a risk and I’m pleased it’s identified … on our risk register.”

He said actions were taken – many around authentication and security – pointing to €300 million invested in capital infrastructure over the past three years with about €82 million of that spent on protecting the core network.

On whether the cyberattack was successful as a result of the risks that had been identified, Mr Reid said: “I can’t say just yet. Possibly, but we can’t determine that they are or are they related to other risks that weren’t identified.”

He said: “This is what happens in cyber protection. Everybody strives to accelerate and strengthen their cybersecurity at all stages, and at every stage we’re doing that these cybercriminals are … seeing how they can step above those protections.

“So we have world-class tools employed by world-class suppliers on our cybersecurity.”

Cormac McQuinn

Cormac McQuinn

Cormac McQuinn is a Political Correspondent at The Irish Times

Martin Wall

Martin Wall

Martin Wall is the Public Policy Correspondent of The Irish Times.

Paul Cullen

Paul Cullen

Paul Cullen is a former heath editor of The Irish Times.