THE HSE CYBER attack would “not have been prevented” if health service computers were running more up-to-date software, Minister of State Ossian Smyth has said.

The Minister of State for Public Procurement and eGovernment told an Oireachtas Committee that the use of Windows 7 computers is “one risk of many, and it’s not the sole reason that this attack happened”.

The ransomware attack on the HSE, which occurred in May, caused major disruption to the health service.

HSE chief Paul Reid said in June that it had a “devastating impact” and cost the health service millions of euros.

The Irish Independent reported today that almost 30,000 computers running Windows 7 software are still in operation within the HSE. 

Smyth told members of the Joint Committee on Transport and Communications that systems should not use out of date software “where possible”.

He said all of the HSE Windows 7 machines will be upgraded at some point.

He said around half of the Windows 7 computers are connected to “very large” hardware such as MRI machines or X-ray devices which he said cannot support newer versions of Windows software. 

He said using up-to-date software is “one line of defence, you know, that’s part of what you should do”. 

“The HSE was not attacked because some computers were running Windows 7 and it would not have been prevented if they had all been upgraded, that wasn’t the problem alone,” he said. 

It didn’t help, but it certainly wouldn’t have prevented the attack from taking place.

“Certainly upgrading software across the network, including Windows, is one of the things that should be done, but there are many other things that have to be done.” 

Expenditure

Smyth said the State will spend around €7 million on cyber security in 2021 between capital and current expenditure. 

In terms of a fuller picture of the total expenditure overall, he said he “can’t give a clear answer” until more information is received from public sector bodies. 

He said a clearer estimate would result from “broader accounting of how much money is being spent in different sections of the State public sector bodies on cybersecurity rather than focusing all the time on the NCSC”. 

Smyth said that a capacity review of the National Cyber Security Centre (NCSC) has now been completed. This review was discussed at the committee meeting today. 

Related Reads

Defence Forces deployed 'ethical hackers' to fight back against massive HSE cyber attack

Cost of HSE cyber attack ‘could rise to half a billion euro’, Committee hears

It was reported earlier this month that gardaí carried out a major operation targeting the gang behind the cyber attack.

Smyth said Irish officials worked with Polish authorities during the HSE cyber attack as they had been attacked by the same group.

He said Poland shared “very useful information with us”. He also said Irish officials worked with New Zealand during the time of the HSE attack. 

Smyth said anyone who falls victim to a cyber attack should contact the NCSC for assistance. 

“Paying ransoms just creates more attacks. It is the business model,” he said. 

- Additional reporting by Niall O’Connor.