The Health Service Executive received warnings about IT “weaknesses” three years ago.
The problems identified included issues with “security controls” and “disaster recovery protocols” after internal audits which flagged the issues in HSE annual reports for two years in a row, according to The Irish Times.
The HSE is currently trying to deal with the impact of a cyberattack that has disrupted many services, while there are fears that patients' personal data has already been published online.
The criminal gang responsible for the attack is looking for a ransom payment, but the Government has insisted it will not give in to their demands.
Internal audits
The HSE’s 2018 annual report says: “Internal audits have identified vulnerabilities in the area of security controls across parts of the domain including application password protocols and the management of secure access.
“Weaknesses have been acknowledged in some of the areas audited in disaster recovery protocols, particularly in relation to older and legacy systems.”
The report adds the Office of the Chief Information Officer “is committed to improving controls in respect to cyber security”.
There are identical warnings in the HSE's 2019 annual report, while it also shows “cyber security” and “Information and Communications Technology (ICT) systems and infrastructure” listed in the organisation’s corporate risk register.
The report from 2018 notes that programmes were underway to “manage these weaknesses across our large domain”.
These programmes included infrastructure and application software upgrades along with a “single logon to domains and applications which ensures that all staff have unique and safe access”.
The report says that migration to the more secure “One ID” system “has commenced and will continue to be rolled out during 2019 across” community health organisations, hospital groups and other departments.
The 2019 report outlines the same security measures.
IT investment
Asked about the weaknesses identified in the audits, a HSE spokesman told The Irish Times: “We will have to wait for the outcome of the current assessment and restoration process and any subsequent investigation before knowing whether and to what extent, if any, the issues we listed in our annual reports contributed to this incident.”
The HSE also had “a very substantial investment in IT underway” of circa €300 millon capital and €180 million current expenditure in the last three years alone. “Spend on cybersecurity is embedded within that €300 million capital spending.”
Personal data
The spokesman added: “It is appropriate for any organisation of the scale of the HSE, which holds such a volume of sensitive personal data, would list cyber security as an item on its corporate risk register” and that the audits referenced in the annual reports were carried out by the HSE internal audit unit.”
Speaking at a Fianna Fáil parliamentary party meeting last night, Taoiseach Micheál Martin said the cyberattack on the HSE was extremely serious, while also denouncing the criminals involved in it.
He said hundreds of people, including external experts, are working on the issue.