HSE was in ‘uniquely vulnerable position’ at time of cyberattack – Smyth

Minister says two reports into HSE hack underway and will be published ‘shortly’

Minister of State at the Department of Public Expenditure and Reform Ossian Smyth told the committee that a new headquarters for the NCSC is likely to cost in the single-digit millions. File photograph: Tom Honan/The Irish Times

Minister of State at the Department of Public Expenditure and Reform Ossian Smyth told the committee that a new headquarters for the NCSC is likely to cost in the single-digit millions. File photograph: Tom Honan/The Irish Times

 

The HSE was in a “uniquely vulnerable position” at the time it was attacked by cyberhackers, Minister of State Ossian Smyth has said.

He told the Oireachtas communications committee that large healthcare systems, which are under the pressure of life and death situations, are often vulnerable to attack and the HSE had made improvements in its cybersecurity in the run-in to the attack.

However, the combined workloads associated with the pandemic and the vaccine rollout meant it was “in a uniquely vulnerable position at the time”.

He said two consultants reports are underway into the hack, and they will be published “shortly”. A Garda investigation, he said, has established when and how the network was compromised, he told Fianna Fáil senator Gerry Horkan.

Sinn Féin communications spokesman Darren O’Rourke said a capacity review of the National Cyber Security Centre (NCSC) – a redacted version of which was shared with the committee – was a “very damning indictment” of its capacities. Mr O’Rourke said it found it was “under resourced and overtasked”. Mr O’Rourke also questioned whether it could recruit 20 new staff in 18 months, with Mr Smyth conceding it would be challenging to compete against other states and organisations seeking similarly skilled workers.

Mr Smyth told the committee that a new headquarters for the NCSC is likely to cost in the single digit millions and will take over a full floor of the new Departmental headquarters in Dublin’s Beggar’s Bush but not until 2023. Before then, the team is set to move to a temporary facility identified by the Office of Public Works. An internship programme is also underway.

Stronger position

Smyth said the HSE is in a “much stronger” position when it was hacked compared to its previous readiness on cybersecurity, but that healthcare organisations are innately vulnerable to attack as they are large organisations encompassing multiple different bodies and groups, with people under life-and-death pressure whose attention is not always focused on things like password strength.

“You can’t say to someone who is trying to save a patients life, you need to have a better password to go and look up a patient’s file,” he said. Financial resourcing for cybersecurity, he said, is not an issue - dismissing it as a “red herring”. He argued that instead the cultural emphasis placed on it by organisations and the political support for it is key.

He also argued that the ongoing use of outdated software packages on HSE computers - such as Windows 7, which was still in use in the health service at the time of the attack - was not the reason the attack was successful. He said it “didn’t help” but “definitely” didn’t cause the hack to take place, and it “would not have been prevented if they had all been upgraded”. He said efforts had been made prior to the hack to keep machines running that system off other parts of the network as they weren’t receiving security patches, but that sometimes they were needed to run older pieces of medical hardware which did not work with newer systems.

“Windows 7 is one risk of many and it is not the sole reason this attack happened,” he said. Smyth said Ireland wasn’t particularly targeted for HSE hack, and that hospitals have been attacked around the world, even countries which have the best cyber defences

Mr Smyth said that new powers of the NCSC were unlikely to include “offensive capacity” - or the capacity to carry out cyber attacks, but rather having the ability to act defensively and disrupt attacks. He said that there had been a sixfold increase in cyber attacks during the pandemic and, rejecting the suggestion the NCSC was unfit for purpose, he accepted that any organization undergoing such an increase in workload “is going to be challenged”. However, new people to work in the NCSC could not be magicked out of thin air. Staff at the organization had not reported low morale to him, he said.

He also committed to giving the full capacity review of the NCSC to the committee in the coming weeks.

On budget, he said €7mn “is not an issue that is up for dispute”, money is “not a constraining factor... and I honestly think the money is a red herring”. He told the committee that comparisons to the UK’s GCHQ budget were not apt, as Ireland had no desire to run a similar scale operation, examining internet, call and email traffic at such a level.

On the hacking of Simon Coveney’s phone, he said that it was reported to the NCSC who took it “extremely seriously”. “In no regard was this treated as a trivial manner”, he says, and that all the correct statutory measures were taken. Regarding the European Court challenge taken by Graham Dwyer on data protection and retention regarding his original murder conviction, he said that the implications and the outcome are both unknown, but that “scenario planning is of course done”.

New legislation

Earlier, it was heard by

the Oireachtas committee that new legislation providing for “intelligence gathering” for the NCSC is to be brought forward.

The agency is at the centre of reforms which will involve significant extra resources and manpower being directed at it in the wake of the successful data hack of the HSE earlier this year.

Mr Smyth told the committee on Wednesday that an inter-departmental committee met to consider new legislation that might be needed to strengthen the NCSC.

“To empower the NCSC to carry out its necessary functions, it is inevitable that the proposed legislation will provide for intelligence gathering, which will bring with it certain governance requirements as well as requirements on the legislative process,” he told the committee.

Officials are working on a consultation over the process which will lead to heads of a Bill being drafted and legislation passing through the Oireachtas before the end of next year, Mr Smyth said.

Applications are to be sought for a new director of the State’s National Cyber Security Centre this week, with a bumped-up salary of €184,000 attached.

The higher salary, which was approved earlier this year following the HSE data hack, followed criticism over the State’s failure to fill the position prior to the most damaging cyberattack it ever experienced.

Mr Smyth gave evidence on Wednesday to the Oireachtas communications committee on the future of the NCSC. Committee members were also given access to a redacted version of a consultants report which identified significant shortcomings in the capacities and resources of the NCSC.

Mr Smyth told the committee “good progress” is being made adding to the headcount for the NCSC, which is set to rise by 20 full-time roles approved earlier this year. That is due to take place within the next 18 months, with headcount to rise to “at least” 70 within five years. In July, just 25 staff were employed full time at the NCSC.

The Government has approved an extra €2.5 million for this purpose in 2022. Open competitions are being run and civil servants are also being invited to redeploy from other positions into the NCSC, Mr Smyth told committee.