A tiny national budget for cyber security, together with up to 30,000 obsolete Windows 7 computers still in use at the HSE, has been labelled as “a joke” in today’s Transport and Communications Committee hearing.
30,000 obsolete Windows 7 computers in the HSE is only “one risk of many” facing Ireland’s health service, a government minister with responsibility for cybersecurity has told an Oireachtas Committee.
Minister of State Ossian Smyth was answering criticism from Committee members that Ireland’s cyber-security is “a joke” after new figures from the Irish Independent revealed that there are still 30,000 out-of-date PCs being used across the health service.
Mr Smyth said that the HSE had been in a “uniquely vulnerable position” when it faced the devastating ransomware attack this year. He said that the organisation was working through a plan to improve its cyber defences.
He said that while using Windows 7 computers was not best practice, it would not have been a factor in the cyber-attacks experienced this year.
“The HSE was not attacked because some computers were using Windows 7,” he said, in response to a question from Fine Gael’s Limerick TD Kieran O’Donnell, chairman of the Joint Committee on Transport and Communications.
“You should have the most up to date operating system and, where possible, you should not be using software that is out of date. But that’s only one line of defence. None of these things on its own is enough to protect you.”
Asked by Mr O’Donnell whether he was satisfied that the Windows 7 PCs were “fit for purpose”, Mr Smyth replied that they would “need to be upgraded”, but that some could not because they are attached to specialist equipment such as X-ray machines that won’t work with more modern computers.
“I think there’s too much focus on this,” said Mr Smyth.
In the US, the FBI has warned that continued use of Windows 7 can contribute to a greater risk of being hacked.
Earlier this year, a cyber-breach of a water plant in Florida was blamed on a combination of poor password security and “outdated” Windows 7 systems.
And the out-of-date PCs have been branded as “potentially vulnerable” by IT security experts.
“There's a higher risk of getting compromised with Windows 7 than using a modern operating system like Windows 10,” said Brian Honan, CEO of the cyber security firm BH Consulting.
HSE bosses say that the computers are gradually being swapped out for more modern machines.
They also say that the PCs are protected as part of a special security extended warranty arrangement with Microsoft.
A HSE spokesperson told the Irish Independent that 29,892 Windows 7 computers are still in operation across the health service, of which 12,000 “cannot be replaced or upgraded at this time” because they are associated with specialist machines such as X-ray or laboratory devices.
Of the remaining 17,892 Windows 7 machines, 11,563 are currently “subject to a Windows 10 refresh programme”, the spokesperson said.
Despite the assurances, cyber-security experts say that using Windows 7 is a problem.
“The kindest way you could describe it is suboptimal,” said Conor Flynn, CEO of the IT security firm Isas. “Older machines like that can also have other problems apart from their operating systems.”
Windows 7 computers do not get as many security updates as newer machines, even with extended warranties.
Speaking today at the Oireachtas Committee, independent Senator Gerard Craughwell said that Ireland’s cyber security is “a joke”.
“Malta, one of the smallest countries in the EU, is spending €1.8bn over the next six years on cyber-security,” he said.
“Here, a Cabinet Minister says that his phone was hacked and it just sort of breezes over everyone’s heads. It’s beyond belief.”