Support from readers like you keeps The Journal open.
You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.
If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.
THE OVERALL COST to the HSE following the recent cyber attack could amount to half a billion euro, an Oireachtas committee has heard.
Chief executive Paul Reid also warned that he can “never be confident” that the HSE has seen the worst of the cyber attack.
Reid said that while there are financial costs, there will be human costs as well, adding that it will take months before systems are fully restored.
He told the Oireachtas health committee that the immediate costs amounted to €100 million, but that will rise when other factors are included.
Fine Gael Senator Martin Conway said he expects it to amount to hundreds of millions of euro, “possibly half a billion”.
Reid said Conway was “correct”, adding that significant investment is needed to protect the systems.
The HSE boss said there are technical and infrastructure costs.
“There are particular costs in relation to capital costs, which would be the replacement of a number of devices across the networks,” he added.
“There is also capital costs in upgrading key systems to have them at a higher standard.
Advertisement
“Third party costs which relate to a number of technical expertise that we have engaged from a range of specialist providers. We have also engaged international expertise.
“There are costs we will incur in the future, and we need to put in place a security operation centre to monitor our network on a more comprehensive basis.”
He also said that a lot of the Microsoft applications will be updated, adding that immediate costs are “well over” €100 million.
“That is just to get us through this,” Reid warned.
“The other costs we have is clinical costs and local IT costs we have to put in place to strengthen resourcing.
“Looking back we would have invested €82 million in malware protection but we have a really old legacy network in the HSE. It needs investment for protection, it needs investment for security and protection of data, and we will have many lessons learned from this in reports we will get.”
He said that while he is not aware of any other sensitive data belonging to patients that have been illegally accessed.
However, Reid warned that the HSE may not have seen the worst of the cyber attack.
Maternity hospitals
Meanwhile, the HSE is to issue updated advice to all maternity hospitals and units on its visitation guidance.
It recently sent out advice asking maternity hospitals to review it approach and adopt a “least restrictive approach possible”.
Fianna Fail’s John Lahart, however said that TDs have been getting emails for months from expectant mothers and their partners.
Related Reads
Cyber attack will likely cost HSE over €100 million, Paul Reid says
He read an email he received from a pregnant woman who was in hospital and spoke of how she was “alone, lonely, vulnerable, anxious, angry and confused”.
“I don’t think the response has been strong enough in asking all maternity units to review their approach again,” Lahart added.
“Why, when the CMO has said there is no good reason why partners cannot accompany their partners either to prenatal appointments or in labour, how many hospitals are not complying with this?”
Reid said: “There is nobody more aware than ourselves in the HSE and the medical teams who provide compassionate care for mothers and babies.
“We have to do things very differently in terms of infection prevention and control.
“A lot of our 19 maternity hospitals are old and old hallways and old antenatal rooms and are not built for dealing with infection prevention.”
He said that 16 out of the 19 maternity hospitals were working through complying with the measures, but three were not, which included Wexford, Kilkenny and Tullamore maternity units.
The HSE chief clinical officer Colm Henry they are are amending the guidance this week for those attending early pregnancy assessment units.
“We are also planning to alter our visiting guidance and roll that out across all 19 units,” Henry added.
It also emerged during the hearing that young people aged 18-20 may have to wait until September or October to receive their Covid-19 vaccination.
Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article.
Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.
To embed this post, copy the code below on your site
Close
39 Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic.
Please familiarise yourself with our comments policy
here
before taking part.
Let’s hope the appropriate security and constant refresh training is put in place now for all public sector employees, not just the ones working in the hse, about the dangers of clicking on dodgy links in emails and spotting suspected attempts at ransomware. There’s no point fixing everything and putting nice shiny security measures in place, if the people using the systems aren’t kept upto date and given training every 6 months to keep them vigilant about preventing this again
@Michael Healy: Chronic underinvestment in IT and cyber security for many years made this an inevitability for the HSE . Let’s not blame Anne from Accounts for clicking on the wrong link!
“Mary what’s my password again for the computer?”
“Its hse123 Declan, try it again”
“1 2 3 H S E”
“Not working Mary”
“Ring your man in IT, whats his name?”
“Hello son, im trying to enter my password number 123 but its not working”
What baffles me is that they are not recovering the servers from backups. Did they not have backups? What was their Disaster Recovery Plan? Who was running that show?
Any half aware small business in the land has multiple on site and offsite backups to recover from. Its so much faster to recover from backups than to decrypt servers.
@Ger: Yes it was used. The slowdown is to make sure the servers are clean. I guess the only way to be sure it’s to completely rebuild the servers from the bottom up and add them back into the network one by one
why civil servants have any input in this is beyond me. We should have a separate dept of specialists like most countries have. All govt IT systems are 20 years behind other countries. Let me give you an example. How many times have people had to write a physical letter and post it into a govt department or fill out a form….
We need change and we need it now. A separate department that looks after all other govt departments in all IT areas be it infrastructure or software development. The PPARS project for the HSE was budgeted at 15 million and topped out at 220 million all of which went to accenture. WHY? Because the govt keeps outsourcing everything and it costs 10 to 20 times more doing things like this.
@Diarmuid O’Braonáin: Main hurdle is public sector staff and their inherent resistance to any change.
Strangely this disaster will enhance the HSE IT department immeasurably, achieving what otherwise would have been impossible.
Is the phishing cold calls/machine voice messages gone up in the last few weeks. I got plagued with multiple calls over a day from different vodafone numbers on home and work phones within a week of each other. How can it be worth the expense for these guys. There should be an option to report as spam caller in a menu.
@Watchful Axe:
what ‘expense’? the calls originate off VoiP numbers, a simple hack changes what number you see. Staffed by people where a days wage can be less than a couple of sms message between different networks here
Memories of the catastrophic PPARS HSE systems implementation here where another consultancy firm laughed all the way to the bank. Accenture are providing the consultancy to HSE to recover their IT infrastructure along with US cyber security consultants. My guess is that they have hit the HSE with an outrageous recovery plan over an extended timeline consuming thousands of consultancy days at a ludicrous daily rate. HSE are not in a position to contest the quotes as Accenture know that they have them over a barrel and there’s taxpayer money there to be milked. PAC need to be all over this and DPER need to be involved also. A thorough due diligence exercise on the quotes, overall cost and tendering process is required. Big announcement from Accenture today also.
Hmm I’d love to see an breakdown of the half a billion spend of taxpayers money in some detail – the random required was rumoured to be 20 million – so to retain the high moral ground and absolutely not solve the problem with negotiation they decided that we should spend half a billion repairing the damage – - how moch do we pay these guys to run our health service exactly? How embarrassing will it be when after spending the 500miklikn they get hit again – there is nothing more certain than that’s gonna happen – I love Ireland
If they just spent the money upgrading from Windows 7 to Windows 10 like everyone else had to, instead of paying Microsoft to support Windows 7 years after it was discontinued, I wonder would they be in the same boat?
This is a f#$king scandal of the highest proportion. They knew 2 years ago they had no security protection. Reckless decision. Then pay themselves 400k….. banana Republic…..
US and Russian officials begin talks in Saudi Arabia on resetting relations and Ukraine war
3 hrs ago
7.6k
96
Rich Peppiatt
Kneecap director laughs off Belfast News Letter claims of ‘Bafta blow’ for ‘only’ winning one award
5 mins ago
79
0
DWTS
Viewers call for change in Dancing with the Stars voting format after Kevin Dundon remains on show
17 hrs ago
67.6k
33
Your Cookies. Your Choice.
Cookies help provide our news service while also enabling the advertising needed to fund this work.
We categorise cookies as Necessary, Performance (used to analyse the site performance) and Targeting (used to target advertising which helps us keep this service free).
We and our 148 partners store and access personal data, like browsing data or unique identifiers, on your device. Selecting Accept All enables tracking technologies to support the purposes shown under we and our partners process data to provide. If trackers are disabled, some content and ads you see may not be as relevant to you. You can resurface this menu to change your choices or withdraw consent at any time by clicking the Cookie Preferences link on the bottom of the webpage .Your choices will have effect within our Website. For more details, refer to our Privacy Policy.
We and our vendors process data for the following purposes:
Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised advertising and content, advertising and content measurement, audience research and services development.
Cookies Preference Centre
We process your data to deliver content or advertisements and measure the delivery of such content or advertisements to extract insights about our website. We share this information with our partners on the basis of consent. You may exercise your right to consent, based on a specific purpose below or at a partner level in the link under each purpose. Some vendors may process your data based on their legitimate interests, which does not require your consent. You cannot object to tracking technologies placed to ensure security, prevent fraud, fix errors, or deliver and present advertising and content, and precise geolocation data and active scanning of device characteristics for identification may be used to support this purpose. This exception does not apply to targeted advertising. These choices will be signaled to our vendors participating in the Transparency and Consent Framework.
Manage Consent Preferences
Necessary Cookies
Always Active
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work.
Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
Functional Cookies
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then these services may not function properly.
Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not be able to monitor our performance.
Store and/or access information on a device 102 partners can use this purpose
Cookies, device or similar online identifiers (e.g. login-based identifiers, randomly assigned identifiers, network based identifiers) together with other information (e.g. browser type and information, language, screen size, supported technologies etc.) can be stored or read on your device to recognise it each time it connects to an app or to a website, for one or several of the purposes presented here.
Personalised advertising and content, advertising and content measurement, audience research and services development 133 partners can use this purpose
Use limited data to select advertising 103 partners can use this purpose
Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are (or have been) interacting with (for example, to limit the number of times an ad is presented to you).
Create profiles for personalised advertising 75 partners can use this purpose
Information about your activity on this service (such as forms you submit, content you look at) can be stored and combined with other information about you (for example, information from your previous activity on this service and other websites or apps) or similar users. This is then used to build or improve a profile about you (that might include possible interests and personal aspects). Your profile can be used (also later) to present advertising that appears more relevant based on your possible interests by this and other entities.
Use profiles to select personalised advertising 74 partners can use this purpose
Advertising presented to you on this service can be based on your advertising profiles, which can reflect your activity on this service or other websites or apps (like the forms you submit, content you look at), possible interests and personal aspects.
Create profiles to personalise content 36 partners can use this purpose
Information about your activity on this service (for instance, forms you submit, non-advertising content you look at) can be stored and combined with other information about you (such as your previous activity on this service or other websites or apps) or similar users. This is then used to build or improve a profile about you (which might for example include possible interests and personal aspects). Your profile can be used (also later) to present content that appears more relevant based on your possible interests, such as by adapting the order in which content is shown to you, so that it is even easier for you to find content that matches your interests.
Use profiles to select personalised content 32 partners can use this purpose
Content presented to you on this service can be based on your content personalisation profiles, which can reflect your activity on this or other services (for instance, the forms you submit, content you look at), possible interests and personal aspects. This can for example be used to adapt the order in which content is shown to you, so that it is even easier for you to find (non-advertising) content that matches your interests.
Measure advertising performance 124 partners can use this purpose
Information regarding which advertising is presented to you and how you interact with it can be used to determine how well an advert has worked for you or other users and whether the goals of the advertising were reached. For instance, whether you saw an ad, whether you clicked on it, whether it led you to buy a product or visit a website, etc. This is very helpful to understand the relevance of advertising campaigns.
Measure content performance 59 partners can use this purpose
Information regarding which content is presented to you and how you interact with it can be used to determine whether the (non-advertising) content e.g. reached its intended audience and matched your interests. For instance, whether you read an article, watch a video, listen to a podcast or look at a product description, how long you spent on this service and the web pages you visit etc. This is very helpful to understand the relevance of (non-advertising) content that is shown to you.
Understand audiences through statistics or combinations of data from different sources 72 partners can use this purpose
Reports can be generated based on the combination of data sets (like user profiles, statistics, market research, analytics data) regarding your interactions and those of other users with advertising or (non-advertising) content to identify common characteristics (for instance, to determine which target audiences are more receptive to an ad campaign or to certain contents).
Develop and improve services 79 partners can use this purpose
Information about your activity on this service, such as your interaction with ads or content, can be very helpful to improve products and services and to build new products and services based on user interactions, the type of audience, etc. This specific purpose does not include the development or improvement of user profiles and identifiers.
Use limited data to select content 37 partners can use this purpose
Content presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type, or which content you are (or have been) interacting with (for example, to limit the number of times a video or an article is presented to you).
Use precise geolocation data 42 partners can use this special feature
With your acceptance, your precise location (within a radius of less than 500 metres) may be used in support of the purposes explained in this notice.
Actively scan device characteristics for identification 24 partners can use this special feature
With your acceptance, certain characteristics specific to your device might be requested and used to distinguish it from other devices (such as the installed fonts or plugins, the resolution of your screen) in support of the purposes explained in this notice.
Ensure security, prevent and detect fraud, and fix errors 82 partners can use this special purpose
Always Active
Your data can be used to monitor for and prevent unusual and possibly fraudulent activity (for example, regarding advertising, ad clicks by bots), and ensure systems and processes work properly and securely. It can also be used to correct any problems you, the publisher or the advertiser may encounter in the delivery of content and ads and in your interaction with them.
Deliver and present advertising and content 92 partners can use this special purpose
Always Active
Certain information (like an IP address or device capabilities) is used to ensure the technical compatibility of the content or advertising, and to facilitate the transmission of the content or ad to your device.
Match and combine data from other data sources 65 partners can use this feature
Always Active
Information about your activity on this service may be matched and combined with other information relating to you and originating from various sources (for instance your activity on a separate online service, your use of a loyalty card in-store, or your answers to a survey), in support of the purposes explained in this notice.
Link different devices 48 partners can use this feature
Always Active
In support of the purposes explained in this notice, your device might be considered as likely linked to other devices that belong to you or your household (for instance because you are logged in to the same service on both your phone and your computer, or because you may use the same Internet connection on both devices).
Identify devices based on information transmitted automatically 81 partners can use this feature
Always Active
Your device might be distinguished from other devices based on information it automatically sends when accessing the Internet (for instance, the IP address of your Internet connection or the type of browser you are using) in support of the purposes exposed in this notice.
Save and communicate privacy choices 60 partners can use this special purpose
Always Active
The choices you make regarding the purposes and entities listed in this notice are saved and made available to those entities in the form of digital signals (such as a string of characters). This is necessary in order to enable both this service and those entities to respect such choices.
have your say