
Expert warns of cyber risks for HSE without full IT upgrade

The warning came as the HSE published details of 591 Windows 7 devices supporting 31 legacy systems that still need to be 'upgraded or retired'

A failure to upgrade old IT systems and applications has left the Health Service Executive open to another cyber attack, a former head of digital transformation at the HSE has warned.

Professor Martin Curley's warning came as the HSE published details of 591 Windows 7 devices supporting 31 legacy systems that still need to be "upgraded or retired" since a debilitating cyber attack paralysed the health service two years ago.

The former HSE head of digital transformation and open innovation described the devices and legacy systems as the "weakest link" in the HSE's IT security.

Details of the 591 devices were set out in an HSE response to a parliamentary question by Labour TD Seán Sherlock.

The former minister for research and innovation asked whether all HSE computers, laptops, phones, servers and tablets were updated since the cyber attack.

The HSE responded that there are "591 Windows 7 machines retained to support 31 legacy applications, which are in the process of being upgraded or retired".

Prof Curley told RTÉ’s Morning Ireland that having "even small numbers" of Windows 7 computers on the HSE IT system poses a cyber attack risk.

"The door is open," he said. "Windows 7 is no longer supported, so there are loopholes that can be exploited."

"A chain is only as strong as its weakest link and this is very much a weak link," he said.

"But the risk here is not just Windows 7, but those 31 legacy apps - who knows what sort of vulnerabilities are in there," added Prof Curley.

In May 2021, the HSE was victim of an attack by the Russia-based Conti criminal organisation

Mr Sherlock said vulnerabilities mean there are cyber attack concerns.

"I am concerned about it because if there are 591 devices still operating on an old Windows 7 operating system - if they can't be upgraded, the question then arises as to who is operating those systems and whether or not they're vulnerable to an attack of some sort," he said.

"Also, if there are vulnerabilities within the system, then the vulnerabilities need to be worked on with a view to ensuring that there is a guaranteed and secure cyber security framework and also to ensure that people's personal details are absolutely protected," added Mr Sherlock.

In May 2021, the HSE was hit by a devastating cyber attack by the Russia-based Conti criminal organisation.

The attack caused unprecedented and widespread disruption across the health service.

In December 2021, the vulnerabilities of Windows 7 machines were highlighted by a PricewaterhouseCoopers report into the HSE cyber attack.

It said "part of the fragility of the IT estate is an over-reliance on legacy systems" and it emphasised the importance of upgrading for cybersecurity.

The same report recommended the HSE appoint a Chief Technology and Transformation Officer and a Chief Information Security Officer.


Both positions were recently advertised. Applications closed on 20 April.

Prof Curley is critical of delays in hiring the two key jobs – which are seen as central to IT transformation and security in the HSE.

He said that, "two years on from the biggest cyber security incident on the planet", the failure to hire the two permanent roles "is a concern".

"Unless you have senior responsible officers and owners that are driving these agendas you're going to have more vulnerabilities than you otherwise would have," said Prof Curley.

In a statement, the HSE confirmed the two positions were advertised recently.

Funding had to be secured for the jobs before they were advertised.

"With regard to the advertisement of roles for the Chief Information Security and the Chief Technology and Transformation Officers, appropriate funding for these posts had to be secured prior to advertising and the appropriate recruitment process undertaken for the new roles.

"Both competitions were closing on the same day. In addition, there have been interim appointees in place since summer 2022 due to the significance of the roles," the HSE said in a statement.

The HSE did not respond to the claim that 591 devices running Windows 7 pose a cyber security risk to the organisation.

In December 2020, months before the cyber attack, 46,000 of the HSE's 58,000 computers ran on Windows 7.

Prof Curley said it needed to be recognised that much work had been done to reduce the number of machines on Windows 7 to 591.

In 2020, the cost of getting additional security patches to support the HSE’s 46,000 Windows 7 machines was €1.1 million.

The HSE said in a statement "there is no need to pay for extended support on these devices".

"The HSE has effectively retired the Windows 7 programme; there are under 500 Windows 7 devices retained, and all devices remaining are in place to ensure access to particular medical applications and for tactical reasons, such as IT support," the HSE added.