Almost €660m will need to be spent over seven years to bring the HSE’s cyber security up to standard, according to the State’s auditor.
That’s on top of €58m spent in 2021 to deal with a cyberattack on HSE systems and a further €38m allocated for 2022 to beef up its cyber capabilities.
The Comptroller and Auditor General (C&AG) said the full cost of the cyberattack in 2021 has still not been quantified.
But the report outlines the costs that have been identified:
- €58m was spent dealing with the attack itself (excluding costs to voluntary health agencies);
- €43m extra has been secured this year for ICT expenditure — €38m for immediate and shorter-term actions to increase capabilities to deal with future threats.
The C&AG report said this is just the start: “The HSE has prepared an initial plan to implement PwC’s post-incident review recommendations and to cost the associated actions required.
“The HSE stated that initial estimates are that this will require almost €657m over seven years for implementation of cyber security improvements.”
The C&AG report says the Department of Health directly spent €650,000 relating to the cyber attack and a further €620,000 on boosting its cyber defences.
St James’s Hospital in Dublin has said it requires almost €5.5m for its cyber security, while Beaumont Hospital estimates it needs €512,000.
The HSE systems were attacked by the Russian-based Conti cyber gang in March 2021 and compromised and encrypted in May. It was not until September 21, 2021 that 100% of servers had been decrypted.
The C&AG said: “Following the cyber attack, the HSE incurred significant costs. In 2021, the HSE (excluding voluntary agencies) incurred revenue expenditure of €37m and capital expenditure of €14m.”
There were software costs of around €4.4m and legal costs of €2.6m.
“The full cost of the attack on the HSE has not been quantified,” the report said.
“Costs incurred by the voluntary agencies are not included in any of the figures. Staff time incurred in addressing the technical aspects of the cyber attack and the additional time required to resume normal services have not been costed.
“The HSE was also unable to provide the staff costs associated with the maintenance of hard copy records while systems were down, and for the subsequent updating of electronic records once system access was restored.”
The report said that internal HSE audits, in 2018 and 2019, identified computer vulnerabilities and cyber attack risks.
The HSE told the C&AG that it has submitted an “investment case” to the Department of Health and established a group to oversee the implementation of the PwC recommendations.
The C&AG said that given the "significant personal and confidential data" held by State bodies, there was "a high reliance by these bodies on properly supported and functioning IT systems".