The Irish Mail on Sunday

HSE’s outdated IT system likely targeted for its ‘vulnerability’

Expert says €2m on security was too low

- By Claire Scott and Debbie McCann

THE Health Service Executive (HSE) was likely chosen by cyberattackers for its ‘vulnerability’, with a €2m security budget that should have been ‘at minimum’ €36m, a leading expert has said.

Dr Simon Woodworth, who lectures in business information systems at University College Cork, said that of the HSE’s overall €20.6bn budget for 2021, €120m was allocated to its IT systems or eHealth budget.

According to Avasant Research’s Computer Economics in the US, a healthcare provider should be spending between 3% and 5.9% of its budget on its IT system.

Dr Woodworth argues that the HSE should therefore be spending between €610m and €1.12bn on its IT systems.

He told the Irish Mail on Sunday: ‘Security budget is usually 6% of IT spending so not only is the HSE underspending on IT, but it is also underspending on security as a percentage of that already small budget. At minimum it should have been €36m.’

When asked if we were attacked because of our vulnerable IT system, Dr Woodworth said:

‘There is a theory that the HSE was attacked because it was an easy mark.

‘If you look at the history of the HSE, it was formed over several regional health boards, and typically in an organisation when an organisation grows like that, you end up with quite a lot of different IT systems, and the cost of merging them into a single unified system that’s easier to protect is very high.

‘The security budget for this year is far too small for an organisation of that size. There’s been a history of IT underspend in the HSE.

‘I can imagine with budget constraints, if the choice of spending money is on IT or spending money on increasing treatment capacity, the patients are going to get the money first. But that must change, unfortunately.

‘They have to accept the budget has to be spent on stuff like this to make sure they’re secure.’

The expert said he believes the HSE was hit because it had ‘a diverse IT infrastructure with lots of different systems’.

Dr Woodworth said: ‘They [cyberattackers] might have thought that this was a very good target to test out attack techniques that they could then deploy against larger systems for higher monetary gain.’

The ‘Conti’ ransomware attack was first noticed on the HSE IT system at 4am on Friday.

The attack was a ‘zero-day exploit’, which means it was the first variant of its kind that most IT systems would not have been prepared for.

However, Dr Woodworth said a more sophisticated IT system would mean the whole system would not have shut down.

He added: ‘If they had a properly designed network of computers with all the latest security features, part of their system might have come down, but not all of it. The recovery time would in theory be shorter, they would be able to isolate and close down the affected networks very quickly.’

Due to the length of current patient waiting lists and the amount of information that will need to be restored and appointments rescheduled, Dr Woodworth told the MoS: ‘I think we’re going to be well into the end of this month, like the week of May 24, before we start to see serious restoration.

‘And even when they get the systems back up, they’re going to have to contact all their patients and rebook all those appointments again.

‘And that’s going to take a few days in its own right. It’s not just about getting the computers fixed. It’s about getting all the people that they are treating back into the system and getting them organised for whatever was planned for this week.’

He warned this is not the last attack we will see, and that the impact will be more severe if we are not prepared.

He said: ‘I think this serves as a warning to the Government and the whole country. Cyber security is now a serious issue; this is the biggest attack of its type in the State. The health service and other companies get attacked all the time, but nothing on this scale, and nothing with this degree of sophistication.

‘So as a country we need to get serious about it. It will happen again, this is by no means the last cyberattack we will have, there will be bigger ones in the future.’

Many of the HSE’s computers are operating off software that is 20 years old. In 2019 the health authority admitted that 79% of its computers were running on Microsoft Windows 7 software.

Last year it replaced some of its computers, but despite this upgrade the HSE admitted more than 60% of its system was still using Windows 7.

This 12-year-old software is deemed so antiquated its own manufacturer, Microsoft, issued a warning not to use it.

And as recently as four months ago the computer giant told customers ‘technical assistance and software updates from Windows Update that help protect your PC are no longer available’.

A source with an intimate knowledge of the HSE’s computer network told the MoS: ‘What the HSE has is a massively mixed bag. They have some brand new Windows 10 but some of their systems only support Windows 7 and the PCs cannot be upgraded beyond that. Some of the servers are running on outdated Operating Systems and some of the computers are running off XP which is 20 years old.’

‘There will be bigger attacks in the future’

EXPERT: Dr Simon Woodworth says HSE needs to spend far more on IT
