The Health Service Executive's information technology system is relying on thousands of out-of-date computers because a plan to replace them has not been completed.

The out-of-date computers, which run on Windows 7, need special security support, which cost the taxpayer over €1m this year.

Last year, the HSE said it had "a programme to migrate" Windows 7 computers to Windows 10 by the end of 2020.

At that time 46,000 of its 58,000 computers remained on Windows 7.

The HSE has since replaced 9,000 of the 46,000 computers leaving 37,000 depending on the old software - 12,000 of those cannot be replaced because they are needed to run radiology and other systems that cannot run on newer software. 

In response to a parliamentary question by Labour leader Alan Kelly, the HSE said its Windows 7 migration programme was "impacted by the Covid-19 pandemic resulting in a lower number of upgraded/replaced Windows 7 devices".

In January, Microsoft stopped protecting Windows 7 computers from viruses and malware, unless it was paid extra money to do it. 

The HSE needed that protection and paid €1.1m for it in 2020. Next year, it faces paying more to Microsoft because the pricing structure per computer doubles.

The HSE confirmed negotiations are "still ongoing" between itself and Microsoft and a "figure is yet to be finalised" on how much Windows 7 protection will cost for 2021.


Read More:
Windows 7 users warned of cyber attacks as software support ends

HSE spent €300k on software patches 


The scaling down of Windows 7 was known widely from 2014 and the HSE started its migration programme in 2017. 

Speaking on RTÉ's Morning Ireland, Mr Kelly said the failure to address the issue showed a lack of preparedness which led to a cost to the taxpayer. 

"I can’t believe that the HSE still hasn’t dealt with this issue. It is costing the taxpayer a huge amount of money.

"One year on, they still haven’t been able to ensure that they brought their software and security settings up to date. It leaves them open to a serious amount of security issues and problems potentially.

"That doesn’t excuse the fact that they were a year behind anyway. That doesn’t excuse the fact that these costs were building up. I accept the fact that it would have been much more difficult this year. But, that isn’t the full story, this could all have been prepared for in advance," he said. 

The HSE said in a statement it has a "layered system of security to mitigate cyber security risk".

"This includes perimeter security, software updating, real time monitoring of assets, mobile device security and endpoint encryption. We also utilise cybersecurity expert partners and Microsoft to provide additional support to the HSE. 

"No single element on its own is sufficient to provide adequate cybersecurity. It is the combination of all elements working together that provides the best cybersecurity. Given the continued threat of cybersecurity, the HSE will continue to invest in cybersecurity tools and education of staff to help minimise this ever-changing threat," the HSE statement read.

Dr Simon Woodworth, director of the health information research centre at University College Cork, said the HSE’s pace of Windows migration is pathetically slow and creates a single point of failure that could have massive consequences.

"I am sympathetic with the HSE because Covid-19 is going to put a 12 month delay on everything.

"It is not just a financial issue. It is an issue of increasing risk. The longer they leave this and the slower they are at remedying the situation the more they are exposing themselves to risk of a vulnerability or a cyberattack.

"The HSE’s multi-layered system is actually very, very good. They are absolutely diligent, and they try very, very hard to make sure there are several layers of security, so if there is a failure on one point it should not affect everything else.

"If you have a single point of failure, while the probability might look very low, the consequences could be quite serious because an enemy agent or a threat to the system - for whatever their motivation is - if they establish a toehold inside anybody’s networks, all they need to do is compromise one machine and then the damage they do spreads outwards from that machine"

Other institutions and organisation are also dealing with similar Windows 7 issues.

Last year, Government departments had 22,312 computers on Windows 7. Today, it has reduced that by almost half to 11,850.