Replacing HSE’s outdated computers to cost €44 million, PAC told

Date for replacing Windows 7 machines slipping as new timeline provided to PAC

The HSE is to take ‘a risk-based approach’ to negotiating extended support from Microsoft for 2022. Photograph: iStock
The HSE is to take ‘a risk-based approach’ to negotiating extended support from Microsoft for 2022. Photograph: iStock

The cost of replacing all of the Health Service Executive’s (HSE) outdated Windows 7 computers has been put at around €44 million.

The sum has been provided to the Public Accounts Committee (PAC) in correspondence.

New dates for replacing many of the computers also suggests that targets for completing the process are slipping.

The correspondence from the HSE comes following questions posed to chief executive Paul Reid at recent meetings of the Dáil's public spending watchdog.

READ SOME MORE

The HSE has said that the machines with the old operating systems were not to blame for the successful cyberattack on the health service in May.

However, it has acknowledged that there are risks related to the HSE’s use of the outdated computers.

Some 30,000 of the HSE's 75,000 computers still use the Windows 7 operating system which requires the purchase of special update patches from Microsoft to maintain security.

The HSE said that Windows 7 devices have extended support from Microsoft until January 2022, at a cost of €1.32million, including VAT.

Correspondence to the PAC shows how the HSE has been replacing machines that run Windows 7 since 2019 – when 46,000 devices had the operating system.

It said the completion of the “full refresh” has been “impacted by Covid demands and the cyberattack”.

The PAC was told there is a requirement to retain 12,000 Windows 7 machines until an upgrade of the National Integrated Medical Imaging System (NIMIS) is finished.

In September Mr Reid told the PAC that the ultimate target date for the replacement of the NIMIS computers “will be in 2022” and “we expect to have the rest if them out in a much shorter period”.

He said that 11,500 units will be gone by the end of 2021 as part of the replacement and another 6,400 units are being deployed “and people are migrating some of their own software from the Windows 7 version across to laptops”.

The HSE letter to the PAC suggests some of these targets are slipping.

It shows that it expects 11,700 machines to be replaced by the end of June 2022, with just 3,947 of these coming before the end of 2021.

Consolidation is to account 6,300 computers by the end of March next year.

A date for replacing the NIMIS machines is described as “TBC” (to be confirmed). There are said to be a number of options being considered in relation to the computers for the NIMIS “which may enable these devices to be refreshed”.

The HSE is to take “a risk-based approach” to negotiating extended support from Microsoft for 2022 “based on fewer devices”.

It also told the PAC that “The cost of replacing all the Windows 7 devices and the associated desktop licences remaining in the estate will be circa €44million.”

The HSE says the risk for the organisation is “zero-day threats” – previously unknown forms of attack or malware – and the availability of Microsoft patches.

In the period since Windows 7 went out of support in January 2020, there has been one patch supplied.

The letter says: “The HSE have addressed the legacy operating system risk through the implementation of additional methodology-based anti-virus software. This will limit the requirement for additional support from Microsoft.”

Social Democrats TD Catherine Murphy raised the issue of the Windows 7 computers with Mr Reid at a PAC meeting in September.

She mentioned how Mr Reid had previously told the PAC that the cyberattack cost around €100 million and asked about the replacement programme for the machines using the old software.

Mr Reid said the Windows 7 issue “is a real cause of concern for us in terms of its deployment” as he outlined replacement plans.

He also told the PAC that Windows 7 was not a contributor to the cyberattack which was “completely separate”.

However, he added: “I fully accept that Windows 7 is an exposure for us.”

Asked by The Irish Times about the apparent slippage in dates, the HSE said the plan set out in the October correspondence to the committee is “on target”.

The statement said the HSE has spent €14 million replacing Windows 7 computers so far. Another €17 million will be spent replacing the remaining Windows 7 devices.

It said the rest of the €44 million “relates to associated licensing costs which are negotiated under the enterprise agreements in place with our vendors.”

Cormac McQuinn

Cormac McQuinn

Cormac McQuinn is a Political Correspondent at The Irish Times