HSE warned three years ago about IT system ‘weaknesses’

Internal audits flagged issues with ‘security controls’ and ‘disaster protocols’

The Government has insisted no ransom will be paid to the criminal gang behind the attack, as the health service and the State’s cyber security apparatus continue to deal with the fallout from the incident. Photograph: iStock
The Government has insisted no ransom will be paid to the criminal gang behind the attack, as the health service and the State’s cyber security apparatus continue to deal with the fallout from the incident. Photograph: iStock

Warnings were made about “weaknesses” in the Health Service Executive’s computer systems three years ago.

Issues were identified with “security controls” and “disaster recovery protocols” by internal audits which were flagged in HSE annual reports for two years in a row.

The HSE is currently dealing with a cyberattack that has thrown many services into disarray and there are fears that patients’ personal data has already been published online.

The Government has insisted no ransom will be paid to the criminal gang behind the attack, as the health service and the State’s cyber security apparatus continue to deal with the fallout of the incident.

READ SOME MORE

The HSE’s 2018 annual report says: “Internal audits have identified vulnerabilities in the area of security controls across parts of the domain including application password protocols and the management of secure access.

“Weaknesses have been acknowledged in some of the areas audited in disaster recovery protocols, particularly in relation to older and legacy systems.”

The report adds the Office of the Chief Information Officer “is committed to improving controls in respect to cyber security”.

Identical lines appear in the HSE’s 2019 annual report which also shows “cyber security” and “Information and Communications Technology (ICT) systems and infrastructure” are listed in the organisation’s corporate risk register.

The 2018 report outlines a number of programmes that were underway to “manage these weaknesses across our large domain.”

These include infrastructure and application software upgrades as well as a “single logon to domains and applications which ensures that all staff have unique and safe access”.

‘Migration to One ID’

It says that “migration to One ID” – a more secure online identity system – “has commenced and will continue to be rolled out during 2019 across” the HSE’s community health organisations, hospital Groups and other departments.

The 2019 annual report outlines the same measures being taken to manage weaknesses in the system and says that migration to a single-digital identity for staff “will continue to be rolled out during 2020/2021”.

The document says that the OCIA also initiated an infrastructure migration programme that would move “selected disaster recovery environments to the cloud”. This programme was to inform a cloud-services procurement that would “include provision for disaster recoveries for all systems”.

Asked about the weaknesses identified in the audits, a HSE spokesman said: “We will have to wait for the outcome of the current assessment and restoration process and any subsequent investigation before knowing whether and to what extent, if any, the issues we listed in our annual reports contributed to this incident.”

He said a multiannual programme of expenditure around each of the measures the HSE listed in the annual reports aimed at managing the weaknesses “is underway”.

The HSE also had “a very substantial investment in IT underway” of circa €300 millon capital and €180 million current expenditure in the last three years alone. “Spend on cybersecurity is embedded within that €300 million capital spending.”

The spokesman added: “It is appropriate for any organisation of the scale of the HSE, which holds such a volume of sensitive personal data, would list cyber security as an item on its corporate risk register” and that the audits referenced in the annual reports were carried out by the HSE internal audit unit.

The 2019 report also notes that a “Windows 7 refresh programme” is under way. The Dáil has been told the HSE still had 37,000 computers that used Windows 7.

Microsoft no longer automatically protects Windows 7 machines from viruses but is offering updates to a security programme for such computers until 2023.

The HSE has denied that issues with Windows 7 machines were the reason for the cyberattack succeeding, saying “we know from our initial assessment that this issue did not contribute to this incident”.

It also said it has “made substantial progress on a programme of reducing the use of Windows 7”.

Cormac McQuinn

Cormac McQuinn

Cormac McQuinn is a Political Correspondent at The Irish Times