HSE security weaknesses had been flagged in previous years

20 May 2021


Internal HSE audits had identified a number of cybersecurity issues relating to application password protocols and the management of secure access.

The Irish Health Service Executive (HSE) had been warned of a number of cybersecurity weaknesses from internal audits in 2018 and 2019.

Its 2018 annual report said internal audits identified “vulnerabilities in the area of security controls across parts of the domain including application password protocols and the management of secure access”.

The HSE suffered a serious cyberattack last week, which forced the health service to shut down its IT systems and caused widespread disruption to healthcare across the country.

Yesterday (20 May), the Financial Times reported that hackers have leaked personal data online, demanding a $20m ransom.

While the HSE has said it will take “many weeks” to assess the full impact of the attack and restore IT systems, previous annual reports show that a number of weaknesses in security systems had been flagged.

The 2018 report said weaknesses were identified in some of the areas audited in disaster recovery protocols, particularly in relation to older and legacy systems. The 2019 report identified the same issues and said the office of the chief information officer was committed to improving controls in respect to cybersecurity.

Speaking on RTÉ’s Today with Claire Byrne, Daragh Ó Briain, managing director of infosec company Castlebridge, said it would be more concerning if security issues weren’t flagged in earlier reports because it would indicate “a huge blind spot” in terms of looking out for cybersecurity risks.

He added that what’s important is the actions taken to mitigate such risks.

The 2019 report outlined a number of programmes that were underway to manage weaknesses, including a refresh programme for Windows 7, which stopped receiving critical updates and patches from Microsoft in January 2020.

At the time, the HSE confirmed that the health service still had 46,000 Windows 7 devices on its network of 58,000 computers.

Other upgrade plans outlined in the 2019 report included migration to a single digital identity for staff, which had commenced, with roll-out due to continue during 2020 and 2021.

According to The Irish Times, a HSE spokesperson said that a multiannual programme of expenditure around each of the measures the HSE listed in the annual reports, aimed at managing the weaknesses, “is underway”.

In a statement yesterday, the HSE said it expects to start seeing “some early signs of recovery in some sites over the coming days”.

Jenny Darmody is the editor of Silicon Republic
