The HSE spent €55 million on cybersecurity last year, the largest amount ever invested in cybersecurity in the health service, and close to €10 million more than the 2022 spend.
The increase reflects the lessons learned from the 2021 cyberattack, which left the organisation crippled and resulted in sensitive data related to 520 individuals being published online, including hospital admission records and laboratory test results.
Speaking at the Smart Health Summit in Dublin this week, the HSE’s chief information officer Fran Thompson said the breach “was a point in time that changed the organisation totally”.
He said the attack highlighted shortfalls in the speed at which the HSE identified threats and its ability to recover from a breach.
It has since emerged that the 2021 attack began on March 16 2021 after a malicious email was sent to a workstation within the network. The email was opened on March 18 and a malicious Microsoft Excel file was downloaded.
The HSE antivirus software detected activity on March 31.
“There were things that we weren’t doing that we should have been doing, there’s no doubt about that,” Mr Thompson said.
“But we have shared the lessons learned with multiple other health services and multiple other organisations and most of them have said, there but for the grace of God go us.”
A new report published by the Health Information and Quality Authority (HIQA) last week revealed that cybersecurity is a key concern for the public and health and social care professionals in relation to the digitisation of HSE services.
The National Engagement on Digital Health and Social Care, conducted jointly by HIQA and the Department of Health, surveyed 2009 members of the public and 1020 people working in health and social care services, about their views on the availability of health records online.
Data privacy and security was the number one concern for members of the public. For many, this concern had been exacerbated by the 2021 attack.
“The public want to know where their information will be stored and will need assurances that their information will be kept confidential and secure before they feel comfortable with their data being shared in an online format,” the report states.
Professionals were also concerned about the safety and security of online records. The majority said they would be more comfortable interacting with the public digitally if they were aware of what measures are in place to keep services and information private, and knowing what measures are in place to keep services and information secure from cyberattacks.
The cyberattack had made professionals more aware of the risks associated with online health records. The general feeling was that there needs to be up-to-date systems with proper data security.
Significant progress has been made in fixing the problems of the past and preparing for the future, as much as possible, but Mr Thompson acknowledged that there is no way to make the system 100 per cent secure.
“Will we get hit again? Everybody will get hit at some point. There’s no doubt about it, but it’s about how we contain it, how we recover from it, and how we manage it,” he said.
